hxxps://mysmartidea[.]online/impeditnobis/voluptaset-149953820

Analysis

max time kernel
590s
max time network
597s
platform
windows10_x64
resource
win10-en-20211014
submitted
19-10-2021 14:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mysmartidea.online/impeditnobis/voluptaset-149953820
Sample

211019-rfqb5afhg9

Score

10^/10

discovery spyware stealer

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://rickcovell.net/BuQQdjLrrO19/li.html

xlm40.dropper

https://networktmg.com/ryrwQGN3wPpT/li.html

xlm40.dropper

https://thamilanda.co.in/fui6yOqX0Wyb/li.html

Signatures

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4040	2932	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4892	2932	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4252	2932	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4868	3556	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4748	3556	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2240	3556	regsvr32.exe	EXCEL.EXE

Executes dropped EXE 4 IoCs

Processes:

software_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exe

pid process

1988 software_reporter_tool.exe
1808 software_reporter_tool.exe
2432 software_reporter_tool.exe
4048 software_reporter_tool.exe

pid	process
1988	software_reporter_tool.exe
1808	software_reporter_tool.exe
2432	software_reporter_tool.exe
4048	software_reporter_tool.exe

Patched UPX-packed file 4 IoCs

Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\93.269.200\software_reporter_tool.exe	patched_upx
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\93.269.200\software_reporter_tool.exe	patched_upx
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\93.269.200\software_reporter_tool.exe	patched_upx
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\93.269.200\em003_64.dll	patched_upx

Loads dropped DLL 7 IoCs

Processes:

software_reporter_tool.exe

pid	process
2432	software_reporter_tool.exe
2432	software_reporter_tool.exe
2432	software_reporter_tool.exe
2432	software_reporter_tool.exe
2432	software_reporter_tool.exe
2432	software_reporter_tool.exe
2432	software_reporter_tool.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

Processes:

PowerShell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	PowerShell.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEEXCEL.EXEchrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings chrome.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEEXCEL.EXE

pid process

2932 EXCEL.EXE
3556 EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exesoftware_reporter_tool.exePowerShell.exechrome.exe

pid	process
3340	chrome.exe
3340	chrome.exe
4024	chrome.exe
4024	chrome.exe
1284	chrome.exe
1284	chrome.exe
2492	chrome.exe
2492	chrome.exe
4068	chrome.exe
4068	chrome.exe
2792	chrome.exe
2792	chrome.exe
1784	chrome.exe
1784	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
1988	software_reporter_tool.exe
1988	software_reporter_tool.exe
4544	PowerShell.exe
4544	PowerShell.exe
4544	PowerShell.exe
4696	chrome.exe
4696	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

Processes:

chrome.exe

pid	process
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

software_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exePowerShell.exe

description	pid	process
Token: 33	1808	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	1808	software_reporter_tool.exe
Token: 33	1988	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	1988	software_reporter_tool.exe
Token: 33	2432	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	2432	software_reporter_tool.exe
Token: 33	4048	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	4048	software_reporter_tool.exe
Token: SeDebugPrivilege	4544	PowerShell.exe

Suspicious use of FindShellTrayWindow 44 IoCs

Processes:

chrome.exeEXCEL.EXE

pid	process
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
3556	EXCEL.EXE
3556	EXCEL.EXE

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe

Suspicious use of SetWindowsHookEx 43 IoCs

Processes:

EXCEL.EXEEXCEL.EXE

pid	process
2932	EXCEL.EXE
2932	EXCEL.EXE
2932	EXCEL.EXE
2932	EXCEL.EXE
2932	EXCEL.EXE
2932	EXCEL.EXE
2932	EXCEL.EXE
2932	EXCEL.EXE
2932	EXCEL.EXE
2932	EXCEL.EXE
2932	EXCEL.EXE
2932	EXCEL.EXE
2932	EXCEL.EXE
2932	EXCEL.EXE
3556	EXCEL.EXE
3556	EXCEL.EXE
3556	EXCEL.EXE
3556	EXCEL.EXE
3556	EXCEL.EXE
3556	EXCEL.EXE
3556	EXCEL.EXE
3556	EXCEL.EXE
3556	EXCEL.EXE
3556	EXCEL.EXE
3556	EXCEL.EXE
3556	EXCEL.EXE
3556	EXCEL.EXE
3556	EXCEL.EXE
3556	EXCEL.EXE
3556	EXCEL.EXE
3556	EXCEL.EXE
3556	EXCEL.EXE
3556	EXCEL.EXE
3556	EXCEL.EXE
3556	EXCEL.EXE
3556	EXCEL.EXE
3556	EXCEL.EXE
3556	EXCEL.EXE
3556	EXCEL.EXE
3556	EXCEL.EXE
3556	EXCEL.EXE
3556	EXCEL.EXE
3556	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4024 wrote to memory of 3704	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 3704	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 8	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 3340	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 3340	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1596	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1596	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1596	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1596	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1596	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1596	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1596	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1596	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1596	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1596	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1596	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1596	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1596	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1596	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1596	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1596	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1596	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1596	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1596	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1596	4024	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://mysmartidea.online/impeditnobis/voluptaset-149953820
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff9d9e44f50,0x7ff9d9e44f60,0x7ff9d9e44f70
2⤵
PID:3704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1536 /prefetch:2
2⤵
PID:8

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1768 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2180 /prefetch:8
2⤵
PID:1596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2952 /prefetch:1
2⤵
PID:4444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2972 /prefetch:1
2⤵
PID:4452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4120 /prefetch:8
2⤵
PID:844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4172 /prefetch:8
2⤵
PID:1108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4552 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5280 /prefetch:8
2⤵
PID:1736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5292 /prefetch:8
2⤵
PID:2332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4744 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4732 /prefetch:8
2⤵
PID:2516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5380 /prefetch:8
2⤵
PID:2760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5352 /prefetch:8
2⤵
PID:3500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4752 /prefetch:8
2⤵
PID:3772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4892 /prefetch:8
2⤵
PID:4260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4796 /prefetch:8
2⤵
PID:4276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
2⤵
PID:4904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
2⤵
PID:1736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4332 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2292 /prefetch:8
2⤵
PID:4964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4908 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2580 /prefetch:8
2⤵
PID:5008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3352 /prefetch:8
2⤵
PID:3028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1416 /prefetch:8
2⤵
PID:3656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5344 /prefetch:8
2⤵
PID:2284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1520 /prefetch:8
2⤵
PID:3744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4872 /prefetch:8
2⤵
PID:1028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2136 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3612 /prefetch:8
2⤵
PID:4004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5444 /prefetch:8
2⤵
PID:3360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1508 /prefetch:8
2⤵
PID:3032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5624 /prefetch:8
2⤵
PID:2272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4172 /prefetch:8
2⤵
PID:4032

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\93.269.200\software_reporter_tool.exe
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\93.269.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=HXg+MoQKJ3IZ3613576sxW4lRFck4s9ciZ14svYY --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=NewCleanerUIExperiment
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1988

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\93.269.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\93.269.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=93.269.200 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff699829300,0x7ff699829310,0x7ff699829320
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1808

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\93.269.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\93.269.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_1988_NYDKILYGGWSJBYKS" --sandboxed-process-id=2 --init-done-notifier=708 --sandbox-mojo-pipe-token=4021678303113923076 --mojo-platform-channel-handle=684 --engine=2
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2432

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\93.269.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\93.269.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_1988_NYDKILYGGWSJBYKS" --sandboxed-process-id=3 --init-done-notifier=916 --sandbox-mojo-pipe-token=16100638287609559467 --mojo-platform-channel-handle=912
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4880 /prefetch:8
2⤵
PID:1096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5624 /prefetch:8
2⤵
PID:348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
2⤵
PID:1148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1508 /prefetch:8
2⤵
PID:3320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1
2⤵
PID:3316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
2⤵
PID:2808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5284 /prefetch:8
2⤵
PID:2988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5408 /prefetch:8
2⤵
PID:2836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 /prefetch:8
2⤵
PID:2952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
2⤵
PID:3040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2952 /prefetch:1
2⤵
PID:1300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
2⤵
PID:1072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=848 /prefetch:1
2⤵
PID:4868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
2⤵
PID:2276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4828 /prefetch:8
2⤵
PID:1232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:1
2⤵
PID:4980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
2⤵
PID:4828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6056 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
2⤵
PID:1020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
2⤵
PID:4264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=848 /prefetch:1
2⤵
PID:1148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2208 /prefetch:1
2⤵
PID:2292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=164 /prefetch:8
2⤵
PID:4080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1356 /prefetch:8
2⤵
PID:2800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,6786815343558479104,9142915080808010822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4196 /prefetch:8
2⤵
PID:1916

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4952

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Temp1_voluptaset-149953820.zip\trend-1831154793.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2932

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" C:\Datop\test.test
2⤵
- Process spawned unexpected child process
PID:4040

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" C:\Datop\test1.test
2⤵
- Process spawned unexpected child process
PID:4892

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" C:\Datop\test2.test
2⤵
- Process spawned unexpected child process
PID:4252

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Downloads\voluptaset-149953820\trend-1831154793.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3556

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" C:\Datop\test.test
2⤵
- Process spawned unexpected child process
PID:4868

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" C:\Datop\test1.test
2⤵
- Process spawned unexpected child process
PID:4748

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" C:\Datop\test2.test
2⤵
- Process spawned unexpected child process
PID:2240

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
"PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Admin\Downloads\voluptaset-149953820'
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Windows\system32\certutil.exe
"C:\Windows\system32\certutil.exe" -hashfile trend-1831154793.xls sha1
2⤵
PID:1588

C:\Windows\system32\certutil.exe
"C:\Windows\system32\certutil.exe" -hashfile trend-1831154793.xls sha1
2⤵
PID:3360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80833CA256E6095A085995D8B14239C3
MD5
627b911a6268940c36c79243dc9fa531

SHA1
0fbde1bf41374e5f2af25bb65a77406f2ad186d2

SHA256
0ec5add6116a86b2ec68a7981d0225ab6fc7bc7ffef4f068b197e0159d2a91d7

SHA512
cdf8db4210a7bf2fe9d48da3d34ef468588554417fe4f856900fd809e12400c3138b5e456902c71e28df275ee44d5581715e0f9bba9134d656c7bc9efde11258

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
e0f0ac000f28835d3398179d653ee760

SHA1
b6778ee29c5c5a8a83f3640604d6d4289ee7c612

SHA256
b460c799a251b6f92cb26a9c419c65ebac782da2f15f98d940c7502a47481884

SHA512
38164a740afae328f3e1cbff21040faba566d63724e2e1c439011eacb759f127dfb57306ecb80570844165bd7ee99c6fa9bc16af83989fbf8b887b3f5702fbc8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80833CA256E6095A085995D8B14239C3
MD5
242eaaa1d69a41c9bf48cfb1004b0c84

SHA1
a3527bcef089ca4a32ea41f492b5ac8d4b893537

SHA256
f5a3f5ca23f9ebef27cfae30d916daa5ea51465910d75c2418041e409334a92c

SHA512
e5a320a92149261117f3560ab8899e0d1bece341a95c8fa15d3ad9ff0285f9ad94d79680c5c3e6a3a9bc44e431a22643d743da75782462d7b97d160412a968e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\93.269.200\software_reporter_tool.exe
MD5
56b213ab01d46f2064880ec2dd95e3ea

SHA1
f0b392a3c53a0784f017499ec0f4c6d4ace721e3

SHA256
473d0f9cf295446f00f632ff7b291fe4dbca6ddf0fba50255546b8ab62fbc5e6

SHA512
0a61a809398deaab7ee5e18dcba733386a583659dd0d6e851d5cfbcf212e66f7434277cde71c6fbd19c11cdf1e78beea5787d361a15ad87cc1ce84b078278ca2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\93.269.200\software_reporter_tool.exe
MD5
56b213ab01d46f2064880ec2dd95e3ea

SHA1
f0b392a3c53a0784f017499ec0f4c6d4ace721e3

SHA256
473d0f9cf295446f00f632ff7b291fe4dbca6ddf0fba50255546b8ab62fbc5e6

SHA512
0a61a809398deaab7ee5e18dcba733386a583659dd0d6e851d5cfbcf212e66f7434277cde71c6fbd19c11cdf1e78beea5787d361a15ad87cc1ce84b078278ca2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\93.269.200\software_reporter_tool.exe
MD5
56b213ab01d46f2064880ec2dd95e3ea

SHA1
f0b392a3c53a0784f017499ec0f4c6d4ace721e3

SHA256
473d0f9cf295446f00f632ff7b291fe4dbca6ddf0fba50255546b8ab62fbc5e6

SHA512
0a61a809398deaab7ee5e18dcba733386a583659dd0d6e851d5cfbcf212e66f7434277cde71c6fbd19c11cdf1e78beea5787d361a15ad87cc1ce84b078278ca2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.CampaignStates.json
MD5
2fa3c0843535ae654efb41f663eaa294

SHA1
c44962369201c12749d1dcea9c2c57e9586bd8c3

SHA256
1fa445cd9ec6f51361c866d9e78bc799869e821e8f1acbf0ed3759bcabfe53e7

SHA512
56c8af4713a7b738f518f5085c83361ba066850681ea1578b8b8463acd8d31e477f398328b41bd305c5e497f291d56a54e688dd2652d323ce9adf50d66886bb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.GovernedChannelStates.json
MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.Settings.json
MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.SurveyEventActivityStats.json
MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.SurveyHistoryStats.json
MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
MD5
016c80a2ceb1371de5f7dc218629341c

SHA1
0cce9255b9d7e2aa0aff4446d37db12ee79bdf97

SHA256
f6dff1d57f769831aae4df7b98e546be1ae9696f7ed70e0d58769fe28b02c0d0

SHA512
82562a3e8f446217d2722e6a1d22108326563aeb650ef428a334740490799c56604cef284644d8eab8d1ee8fc6bf3635901b6249fbf17e5cd65a9ef95a3285f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\TenantInfo.xml
MD5
0f8eb2423d2bf6cb5b8bdb44cb170ca3

SHA1
242755226012b4449a49b45491c0b1538ebf6410

SHA256
385347c0cbacdd3c61d2635fbd390e0095a008fd75eeb23af2f14f975c083944

SHA512
a9f23a42340b83a2f59df930d7563e8abd669b9f0955562cd3c2872e2e081f26d6d8b26357972b6d0423af05b2392bddbb46da769788e77fd169b3264ff53886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db
MD5
a6064fc9ce640751e063d9af443990da

SHA1
367a3a7d57bfb3e9a6ec356dfc411a5f14dfde2a

SHA256
5f72c11fd2fa88d8b8bfae1214551f8d5ee07b8895df824fa717ebbcec118a6c

SHA512
0e42dd8e341e2334eda1e19e1a344475ed3a0539a21c70ba2247f480c706ab8e2ff6dbeb790614cbde9fb547699b24e69c85c54e99ed77a08fe7e1d1b4b488d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
MD5
4fcb2a3ee025e4a10d21e1b154873fe2

SHA1
57658e2fa594b7d0b99d02e041d0f3418e58856b

SHA256
90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228

SHA512
4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

Download Submit
\??\c:\users\admin\appdata\local\Google\Software Reporter Tool\settings.dat
MD5
0e2edf21553ca11c87ce2d6a0f5949e3

SHA1
c064c167c192df8930be020e2265a26f142262a2

SHA256
19fbd2024365b59c79ab83ddbb1125e8d32725c15bc96605b3807b5255a4836b

SHA512
a077ebd8fcc067e342315f21c517a899e865a2a8a7dc2c307294e89065c4233e497ccf1d5c9c9365fcc5809eb965221149329236364737fd6e7f687cb41dae9e

Download Submit
\??\c:\users\admin\appdata\local\Google\Software Reporter Tool\settings.dat
MD5
0e2edf21553ca11c87ce2d6a0f5949e3

SHA1
c064c167c192df8930be020e2265a26f142262a2

SHA256
19fbd2024365b59c79ab83ddbb1125e8d32725c15bc96605b3807b5255a4836b

SHA512
a077ebd8fcc067e342315f21c517a899e865a2a8a7dc2c307294e89065c4233e497ccf1d5c9c9365fcc5809eb965221149329236364737fd6e7f687cb41dae9e

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\93.269.200\em000_64.dll
MD5
d0cf72186dbaea05c5a5bf6594225fc3

SHA1
0e69efd78dc1124122dd8b752be92cb1cbc067a1

SHA256
225d4f7e3ab4687f05f817435b883f6c3271b6c4d4018d94fe4398a350d74907

SHA512
8122a9a9205cfa67ff87cb4755089e5ed1acf8f807467216c98f09f94704f98497f7aa57ad29e255efa4d7206c577c4cf7fed140afb046499fc2e57e03f55285

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\93.269.200\em001_64.dll
MD5
d6385decf21bcfec1ab918dc2a4bcfd9

SHA1
aa0a7cc7a68f2653253b0ace7b416b33a289b22e

SHA256
c26081f692c7446a8ef7c9dec932274343faab70427c1861afef260413d79535

SHA512
bbb82176e0d7f8f151e7c7b0812c6897bfacf43f93fd04599380d4f30e2e18e7812628019d7dba5c4b26cbe5a28dc0798c339273e59eee9ee814a66e55d08246

Download Submit
\??\pipe\crashpad_4024_UAWMLEZDEYSCXOFB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\93.269.200\edls_64.dll
MD5
e9a7c44d7bda10b5b7a132d46fcdaf35

SHA1
5217179f094c45ba660777cfa25c7eb00b5c8202

SHA256
35351366369a7774f9f30f38dc8aa3cd5e087acd8eae79e80c24526cd40e95a1

SHA512
e76308eee65bf0bf31e58d754e07b63092a4109ef3d44df7b746da99d44be6112bc5f970123c4e82523b6d301392e09c2cfc490e304550b42d152cdb0757e774

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\93.269.200\em000_64.dll
MD5
d0cf72186dbaea05c5a5bf6594225fc3

SHA1
0e69efd78dc1124122dd8b752be92cb1cbc067a1

SHA256
225d4f7e3ab4687f05f817435b883f6c3271b6c4d4018d94fe4398a350d74907

SHA512
8122a9a9205cfa67ff87cb4755089e5ed1acf8f807467216c98f09f94704f98497f7aa57ad29e255efa4d7206c577c4cf7fed140afb046499fc2e57e03f55285

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\93.269.200\em001_64.dll
MD5
d6385decf21bcfec1ab918dc2a4bcfd9

SHA1
aa0a7cc7a68f2653253b0ace7b416b33a289b22e

SHA256
c26081f692c7446a8ef7c9dec932274343faab70427c1861afef260413d79535

SHA512
bbb82176e0d7f8f151e7c7b0812c6897bfacf43f93fd04599380d4f30e2e18e7812628019d7dba5c4b26cbe5a28dc0798c339273e59eee9ee814a66e55d08246

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\93.269.200\em002_64.dll
MD5
72d7fac1ceb4f93b416405b32e040853

SHA1
68577c44683a206161fbcc5b7ad295cc37d73ed1

SHA256
a901ad8950e1c8c55fcf963d98c494ac49feffe1a289acec29455b9d558bc950

SHA512
0bf77bf0cdb69897a77f921ad126aaac89345e1447425cfe35133ae0e43e23f2bedcecabb848c263592745499c49b50b4f0ad98de5a822d748b6129bdddb32a1

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\93.269.200\em003_64.dll
MD5
60fbc2aac63647030ba082f5fc32a6eb

SHA1
88e398470cd886936a43d9728c47f590315bf841

SHA256
aa88c14125627af6c4817a7bcdd41446a9bf02692b87fb82a1dc21fc750c7e66

SHA512
db436cf4b18c263ecc67030942fedcdee851943fb24585866647244c389ad25d249d6975cb9205020d17ceb2f08c00e2b61d66dd6e72322db9e65327a3e98edd

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\93.269.200\em004_64.dll
MD5
6a30c3697a43f5b49f2b11cee06f6f70

SHA1
3879fae0800f9a32d889ce13963e87a15533c5eb

SHA256
3d4da8f89586c13222c1eda70f65a95b69a8ffaca996a6ace37c2e53d5114940

SHA512
fa2ecab5de1ad8d2405ccd2a8284ab3ef918ffd01e14f93ffc36dbfcc2038ac4e5e71b3c66d90dd8682e001972d4fddcf513d2a25e5a4eab1e16f55e563b0626

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\93.269.200\em005_64.dll
MD5
169a2ef320119891cf3189aa3fd23b0e

SHA1
de51c936101ef79bbc0f1d3c800cf832d221eef8

SHA256
1072d49da0a70640fb9716cb894f4834ff621ca96d4aea1f478754edf4d0f780

SHA512
7fe27d360bbf6d410ea9d33d6003ab455cd8b9e5521c00db9bb6c44a7472ccf2083d51034bab5ffc5aef85db36fc758c76b02fa31f0d0024c9d532548a2bf9ca

Download Submit
memory/1588-593-0x0000000000000000-mapping.dmp

Download
memory/1808-511-0x0000000000000000-mapping.dmp

Download
memory/1988-507-0x0000000000000000-mapping.dmp

Download
memory/2240-494-0x0000000000000000-mapping.dmp

Download
memory/2432-517-0x0000000000000000-mapping.dmp

Download
memory/2432-595-0x0000014400140000-0x0000014400180000-memory.dmp

Filesize
256KB

Download
memory/2432-594-0x0000014400140000-0x0000014400141000-memory.dmp

Filesize
4KB

Download
memory/2932-118-0x00007FF9B5490000-0x00007FF9B54A0000-memory.dmp

Filesize
64KB

Download
memory/2932-122-0x000001494B740000-0x000001494B742000-memory.dmp

Filesize
8KB

Download
memory/2932-116-0x00007FF9B5490000-0x00007FF9B54A0000-memory.dmp

Filesize
64KB

Download
memory/2932-130-0x00007FF9B2240000-0x00007FF9B2250000-memory.dmp

Filesize
64KB

Download
memory/2932-129-0x00007FF9B2240000-0x00007FF9B2250000-memory.dmp

Filesize
64KB

Download
memory/2932-123-0x000001494B740000-0x000001494B742000-memory.dmp

Filesize
8KB

Download
memory/2932-121-0x000001494B740000-0x000001494B742000-memory.dmp

Filesize
8KB

Download
memory/2932-117-0x00007FF9B5490000-0x00007FF9B54A0000-memory.dmp

Filesize
64KB

Download
memory/2932-120-0x00007FF9B5490000-0x00007FF9B54A0000-memory.dmp

Filesize
64KB

Download
memory/2932-119-0x00007FF9B5490000-0x00007FF9B54A0000-memory.dmp

Filesize
64KB

Download
memory/3360-630-0x0000000000000000-mapping.dmp

Download
memory/3556-343-0x00007FF9B5490000-0x00007FF9B54A0000-memory.dmp

Filesize
64KB

Download
memory/4040-290-0x0000000000000000-mapping.dmp

Download
memory/4048-534-0x0000000000000000-mapping.dmp

Download
memory/4252-294-0x0000000000000000-mapping.dmp

Download
memory/4544-551-0x0000019FF1263000-0x0000019FF1265000-memory.dmp

Filesize
8KB

Download
memory/4544-550-0x0000019FF1260000-0x0000019FF1262000-memory.dmp

Filesize
8KB

Download
memory/4748-493-0x0000000000000000-mapping.dmp

Download
memory/4868-492-0x0000000000000000-mapping.dmp

Download
memory/4892-292-0x0000000000000000-mapping.dmp

Download