hxxps://www[.]youtube[.]com/channel/UCn2OJocEFxegDrjKZMIfnLw

Executes dropped EXE 4 IoCs

Processes:

software_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exe

pid process

4084 software_reporter_tool.exe
1572 software_reporter_tool.exe
2160 software_reporter_tool.exe
508 software_reporter_tool.exe

pid	process
4084	software_reporter_tool.exe
1572	software_reporter_tool.exe
2160	software_reporter_tool.exe
508	software_reporter_tool.exe

Loads dropped DLL 7 IoCs

Processes:

software_reporter_tool.exe

pid	process
2160	software_reporter_tool.exe
2160	software_reporter_tool.exe
2160	software_reporter_tool.exe
2160	software_reporter_tool.exe
2160	software_reporter_tool.exe
2160	software_reporter_tool.exe
2160	software_reporter_tool.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Windows directory 2 IoCs

Processes:

taskmgr.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\4183903823\97717462.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\1361672858.pri	taskmgr.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 59 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "115"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8db62ff13956941acf514a4778508d7000000000200000000001066000000010000200000004ebae5a195e79c80c417a04fc265518ae21214ad0ec041760743ba93f4f96d96000000000e8000000002000020000000e1fdac7a6852d774e0a0c88d3e7c09b8624f9a3ad2e8fabcfb133b9c3f24373620000000b7ed14d80be07cd203475396249a5f27f7aada0b2471ad59e96b77786c9a1f2c400000009d91be913add4f190998358cfe2011b038a3142952113e30a1425173d208e08ebbee7d826e72e9dc3febd4a2f7e46cff3232d243477974094969779b3995b7b7	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "121"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "121"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "6"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c09959033cfcd701	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3916CBB7-6AF9-11EC-9231-E62B0207BF3E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "121"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 806771033cfcd701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000fffffffffffffffffffffffffffffffff8fffffff8ffffff08050000b0020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8db62ff13956941acf514a4778508d70000000002000000000010660000000100002000000009e574067739a3d375b217af7d007bfc99cb5b249f9e2f2413b513e37df5ad84000000000e8000000002000020000000762f4b8174db46b5d2e1b796d3509586d7466f3ce92bbb8c3562b63278ebbf0a2000000084148d02c2a1c1bb4bc1a68d67dc9f6caeb3222fe910e51a084f540dabcbe013400000007cd86a525fde71735397ffab4490d1587cb272cee76a6e827e253228bb5f4e7d5fd40df5aeacafde85670eb183cbcb6a94a696229cba43a95dd6ab5aec598672	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "115"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "347544790"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "347496205"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "6"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "115"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "6"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "347512799"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exesoftware_reporter_tool.exechrome.exetaskmgr.exe

pid	process
664	chrome.exe
664	chrome.exe
2304	chrome.exe
2304	chrome.exe
2560	chrome.exe
2560	chrome.exe
3660	chrome.exe
3660	chrome.exe
3592	chrome.exe
3592	chrome.exe
508	chrome.exe
508	chrome.exe
1656	chrome.exe
1656	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
3140	chrome.exe
3140	chrome.exe
4084	software_reporter_tool.exe
4084	software_reporter_tool.exe
1468	chrome.exe
1468	chrome.exe
3128	taskmgr.exe
3128	taskmgr.exe
3128	taskmgr.exe
3128	taskmgr.exe
3128	taskmgr.exe
3128	taskmgr.exe
3128	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 34 IoCs

Processes:

chrome.exe

pid	process
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

software_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exetaskmgr.exe

description	pid	process
Token: 33	1572	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	1572	software_reporter_tool.exe
Token: 33	4084	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	4084	software_reporter_tool.exe
Token: 33	2160	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	2160	software_reporter_tool.exe
Token: 33	508	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	508	software_reporter_tool.exe
Token: SeDebugPrivilege	3128	taskmgr.exe
Token: SeSystemProfilePrivilege	3128	taskmgr.exe
Token: SeCreateGlobalPrivilege	3128	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exeiexplore.exetaskmgr.exe

pid	process
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2632	iexplore.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
3128	taskmgr.exe
3128	taskmgr.exe
3128	taskmgr.exe
3128	taskmgr.exe
3128	taskmgr.exe
3128	taskmgr.exe
3128	taskmgr.exe
3128	taskmgr.exe
3128	taskmgr.exe
3128	taskmgr.exe
3128	taskmgr.exe
3128	taskmgr.exe
3128	taskmgr.exe
3128	taskmgr.exe
3128	taskmgr.exe
3128	taskmgr.exe
3128	taskmgr.exe
3128	taskmgr.exe
3128	taskmgr.exe

Suspicious use of SendNotifyMessage 59 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
3128	taskmgr.exe
3128	taskmgr.exe
3128	taskmgr.exe
3128	taskmgr.exe
3128	taskmgr.exe
3128	taskmgr.exe
3128	taskmgr.exe
3128	taskmgr.exe
3128	taskmgr.exe
3128	taskmgr.exe
3128	taskmgr.exe
3128	taskmgr.exe
3128	taskmgr.exe
3128	taskmgr.exe
3128	taskmgr.exe
3128	taskmgr.exe
3128	taskmgr.exe
3128	taskmgr.exe
3128	taskmgr.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2632 iexplore.exe
2632 iexplore.exe
896 IEXPLORE.EXE
896 IEXPLORE.EXE
896 IEXPLORE.EXE
896 IEXPLORE.EXE

pid	process
2632	iexplore.exe
2632	iexplore.exe
896	IEXPLORE.EXE
896	IEXPLORE.EXE
896	IEXPLORE.EXE
896	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exechrome.exe

description	pid	process	target process
PID 2632 wrote to memory of 896	2632	iexplore.exe	IEXPLORE.EXE
PID 2632 wrote to memory of 896	2632	iexplore.exe	IEXPLORE.EXE
PID 2632 wrote to memory of 896	2632	iexplore.exe	IEXPLORE.EXE
PID 2304 wrote to memory of 2740	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 2740	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 1332	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 664	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 664	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 636	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 636	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 636	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 636	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 636	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 636	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 636	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 636	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 636	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 636	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 636	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 636	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 636	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 636	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 636	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 636	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 636	2304	chrome.exe	chrome.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/channel/UCn2OJocEFxegDrjKZMIfnLw
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2632

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2632 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffd98474f50,0x7ffd98474f60,0x7ffd98474f70
2⤵
PID:2740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1676 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1536 /prefetch:2
2⤵
PID:1332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2284 /prefetch:8
2⤵
PID:636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2684 /prefetch:1
2⤵
PID:1348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2668 /prefetch:1
2⤵
PID:3652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:1
2⤵
PID:3008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4360 /prefetch:8
2⤵
PID:948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4496 /prefetch:8
2⤵
PID:1164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4660 /prefetch:8
2⤵
PID:3192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5180 /prefetch:8
2⤵
PID:1992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4796 /prefetch:8
2⤵
PID:1420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3596 /prefetch:8
2⤵
PID:3664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4568 /prefetch:8
2⤵
PID:2176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4432 /prefetch:8
2⤵
PID:3832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5364 /prefetch:8
2⤵
PID:3264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4560 /prefetch:8
2⤵
PID:1692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5368 /prefetch:8
2⤵
PID:2996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4448 /prefetch:1
2⤵
PID:3092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
2⤵
PID:3164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4808 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2336 /prefetch:8
2⤵
PID:3688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2416 /prefetch:8
2⤵
PID:3152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1044 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2136 /prefetch:8
2⤵
PID:2412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2320 /prefetch:8
2⤵
PID:2700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2364 /prefetch:8
2⤵
PID:1592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
2⤵
PID:3672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2372 /prefetch:1
2⤵
PID:1292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2904 /prefetch:1
2⤵
PID:3052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
2⤵
PID:1896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2780 /prefetch:1
2⤵
PID:4004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
2⤵
PID:2760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5376 /prefetch:8
2⤵
PID:2296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5412 /prefetch:8
2⤵
PID:196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5440 /prefetch:8
2⤵
PID:1576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
2⤵
PID:992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4296 /prefetch:1
2⤵
PID:3196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2808 /prefetch:1
2⤵
PID:3820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=852 /prefetch:1
2⤵
PID:1140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2672 /prefetch:1
2⤵
PID:3220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
2⤵
PID:1976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2684 /prefetch:1
2⤵
PID:3188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4804 /prefetch:8
2⤵
PID:2164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2352 /prefetch:8
2⤵
PID:1292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4644 /prefetch:8
2⤵
PID:3260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4724 /prefetch:8
2⤵
PID:208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2396 /prefetch:1
2⤵
PID:196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4720 /prefetch:8
2⤵
PID:3176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
2⤵
PID:1188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5488 /prefetch:8
2⤵
PID:3772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
2⤵
PID:3164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4796 /prefetch:8
2⤵
PID:2244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
2⤵
PID:688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4784 /prefetch:8
2⤵
PID:3264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3376 /prefetch:8
2⤵
PID:2548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4716 /prefetch:8
2⤵
PID:1056

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\96.276.200\software_reporter_tool.exe
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\96.276.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=Y+h/qMIFr7GRUfq+4/qrwvTOp80rjNzQbtPL7PAN --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=NewCleanerUIExperiment
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4084

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=96.276.200 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff66a20f510,0x7ff66a20f520,0x7ff66a20f530
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1572

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_4084_HTNDSJEUNSMQTWNB" --sandboxed-process-id=2 --init-done-notifier=704 --sandbox-mojo-pipe-token=8824293650398629489 --mojo-platform-channel-handle=680 --engine=2
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2160

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_4084_HTNDSJEUNSMQTWNB" --sandboxed-process-id=3 --init-done-notifier=928 --sandbox-mojo-pipe-token=17994883843415580103 --mojo-platform-channel-handle=924
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2780 /prefetch:1
2⤵
PID:1840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
2⤵
PID:1676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
2⤵
PID:1244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4320 /prefetch:8
2⤵
PID:3884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4288 /prefetch:8
2⤵
PID:344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3716 /prefetch:8
2⤵
PID:2756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2904 /prefetch:1
2⤵
PID:3968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3076 /prefetch:1
2⤵
PID:1536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3744 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
2⤵
PID:2708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1
2⤵
PID:3196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1
2⤵
PID:1896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2728 /prefetch:1
2⤵
PID:848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
2⤵
PID:3308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=772 /prefetch:1
2⤵
PID:3848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
2⤵
PID:2960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
2⤵
PID:3652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
2⤵
PID:2872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6348 /prefetch:8
2⤵
PID:200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,16539797489992854096,6498497802401710115,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
2⤵
PID:2164

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
MD5
15db92f949081e023a06f7d02f40f695

SHA1
60cd8de52ea74d724e0cbd256c31dea69e73c287

SHA256
3206408cb90db89503d37b4fdd4f7000dd31d798c1c8fd7d79e11b9e8a6172e9

SHA512
9fe75344ace1e820f7c26bb2c1c79bb6c8cca1cd6c1e31f04fe66d990804f98c660bb87d63d599918f75354307d9aff591cd082cb35640ff6e1d8fdac4fe7e1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_76F26EDEF7C1087F80A272B48769819E
MD5
0cd53ed36186cfc5ee054c599c57b0b2

SHA1
cdbbbf2275f38c525307c3f418dda194980f3658

SHA256
80c22ed3bf6302aaaf634de8875e4da6aef90efb764fe7b12468fffbcedf6813

SHA512
5ba597e3c8973405aac920eea9097df2c3e91e5ed53a999732051414706147cc88c86f9e2e5092ea0acc97689ba0f9ccfea6d0ce576330856cc34c5961ae8883

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_30F32374BEBB4A72181B36E407396E90
MD5
af9fb86733dbf8ef4e48cd64370f912f

SHA1
3da65fc54b3e10a9d70fdd395da191cce3e797e9

SHA256
61e10b5efc1f4180f8899828192242ef54de15c523c61749e56bb1a1c6ecafb0

SHA512
7294670497dbcff97ad331fcaa285151802b27ec65d1ca68bb52c1bd0c77f201c2b3f66991226ddf3e92bca0fc6de7e1be35cd5ad36e2ce1da3633052c116379

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
MD5
64e9b8bb98e2303717538ce259bec57d

SHA1
2b07bf8e0d831da42760c54feff484635009c172

SHA256
76bd459ec8e467efc3e3fb94cb21b9c77a2aa73c9d4c0f3faf823677be756331

SHA512
8980af4a87a009f1ae165182d1edd4ccbd12b40a5890de5dbaea4dbf3aeb86edffd58b088b1e35e12d6b1197cc0db658a9392283583b3cb24a516ebc1f736c56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_9641559E442FE3E0D68934A8083C5D76
MD5
1989a4cf1dbe6f6c954c1d359dcbb518

SHA1
8b1e45e52fb061f389dc5cb535cca708c016230c

SHA256
0a13bf859afd6a470c4d8ee8a1650e044e3e8fbc76f49f181a3b9f79fae89869

SHA512
87541d8fd3f3097bdc333e94b660e49effa479eaeba741d26933c38f3067150646fc17722ebc695fae54976ac5408c546823f54a29bcf2ec1ffcda70efbecadf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
MD5
561f76f14a62a784266aa64d054f92c4

SHA1
993213b55001d7b164fd0248087efcf84a916054

SHA256
c4d7965c7b1d6d7e2314417b321192d5c9ab9bc3e2a2784a798eaa3c419643ec

SHA512
fffc1bdbc82ea369525484dd0bd10df3fe25e13521a9f467dad3c204fdc7cbbf037f266a8233a52554d46911167f850e6aa3827ba7a42189644919fac868ade2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_76F26EDEF7C1087F80A272B48769819E
MD5
e3d37642cfccc0c067629177b30152bc

SHA1
21fc40fd6709e6f0173e3da69f49e955b9f9f99b

SHA256
3379aa00e3d958420672e25648d74c13ded7a67da7fc26cca2fe70e346030032

SHA512
a80352d133d43bf0cec61e3fd0793e6691a58d9507c49f7d1c174f90ee126134a703b34846a01fa95c532efcb906eb3f1c4b64c472d5d0dce2875a45d8deab98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_30F32374BEBB4A72181B36E407396E90
MD5
5ef0334e8603268c7de8b6aba3064f06

SHA1
541ab1be951871b647f50b47ba22a398ec1fe992

SHA256
4ada0194a1004134c9c5e2e4d2af3c78fc73d6c6de7387f71c79cae3f052c67b

SHA512
a30c0356c122e8497f9a0ca504fea044919ed7ee57c9075a87dca03ec2108b95696d4d93d4f3b230eeedd7907527209b43e2a57f8769300fcc64f646ca06327c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
MD5
8826eed78442c48113783e3dec861b4d

SHA1
94ab542379af9d978d24517aec2edcde3ca61b98

SHA256
cfbab75701f5eea4666f017bc6d470ac026cc963ae3d5fc9e986fe216c384ed5

SHA512
e21369f1e56163b856ea5062c1e404bb8a82efacd4f2f3556a0622ea07cd521fef99583ce00af94f1ffab237fab4f9197d1cdaddc4d32282d0b3341b58f3d110

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_9641559E442FE3E0D68934A8083C5D76
MD5
6bb362e4c8819fcb14e1368e109e9f78

SHA1
85812f0b5c80d692a8c628d943b6939a2af4845e

SHA256
aee8424d034980df9728cec025e11148732e05522f9aa1ddee48a4363802cd74

SHA512
b466518e198dfdb12b776080dc2e3d59c629cc1211432a3f0a5a360c9d2f59af24af505ca688e8ff7c590a6c3f7e7cf99bb0222899dfd1679c2a2cb52787b89b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\WENURN8L.cookie
MD5
58f0274bfa577442cf10294a225e254d

SHA1
b29e1dd6bedea7686e457d40ccf5becc5e41ada8

SHA256
c4c47b5784683cc8dae4ae6c4610cc3196ac294b3b4b0e290a4a1547c6785527

SHA512
00c19be96a500d593d934f60d91a80611706c70aa66184b6320237add273b035003974997c68835b644e1cc7030562d8bf57aad0d8235f04b04f4d67285f8ded

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Y0NO1GD3.cookie
MD5
5115e1a3452381f782d5abc644b33b0e

SHA1
5c496bcc7282b8f089c573c65f2c9632dc4bf3fd

SHA256
c2b8a4d49e9948e625b215d10d9a1e115c3a1a34e03f359ef67e9fd8ce36f8cf

SHA512
fa1f0cd4d3cdcc4c9c19a42379adca63de6426732ad9642afea6eb847ab523da5e841e725ddddc71bc50f298c141aa3a82cd4daea8f09759f145a51aa0ff8481

Download Submit
\??\pipe\crashpad_2304_WFTHVFIVVEVFSJWP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/508-226-0x0000000000000000-mapping.dmp

Download
memory/896-140-0x0000000000000000-mapping.dmp

Download
memory/1572-216-0x0000000000000000-mapping.dmp

Download
memory/2160-220-0x0000000000000000-mapping.dmp

Download
memory/2632-135-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-129-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-138-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-136-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-141-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-142-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-144-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-145-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-147-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-149-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-150-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-151-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-155-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-156-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-157-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-115-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-159-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-160-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-161-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-162-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-134-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-132-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-131-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-137-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-167-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-168-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-128-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-170-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-171-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-174-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-175-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-127-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-125-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-178-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-124-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-123-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-122-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-121-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-186-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-188-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-189-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-120-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-190-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-192-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-116-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-119-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/2632-117-0x00007FFDA5320000-0x00007FFDA538B000-memory.dmp

Filesize
428KB

Download
memory/4084-213-0x0000000000000000-mapping.dmp

Download