asyncrat | hxxps://anonfiles[.]com/L8keN1h0xa/ALL_IN_ONE_CHECKER_COLLECTION_zip

Analysis

max time kernel
1394s
max time network
1398s
platform
windows10_x64
resource
win10-en-20211208
submitted
30-12-2021 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://anonfiles.com/L8keN1h0xa/ALL_IN_ONE_CHECKER_COLLECTION_zip

Score

10^/10

asyncrat cobaltstrike neshta quasar redline 0 305419896 cheat s33s4w thjay backdoor discovery infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

s33s4w

null:null

Mutex

DcRatMutex_qwqdanchun

Attributes

anti_vm
false
bsod
false
delay
1
install
true
install_file
chrome_update.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/REMiDqQN

aes.plain

Extracted

Family

quasar

Version

1.4.0

Botnet

THJAY

s33s4wqsr-31933.portmap.host:31933

Mutex

a1b1a69b-ba25-4578-8f5a-44cdff71e285

Attributes

encryption_key
2138DB726B457D142BA520FA40476B7B3909D03A
install_name
services.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svhost
subdirectory
svhost

Extracted

Family

cobaltstrike

Botnet

305419896

http://rerddrrdrd-45837.portmap.host:45837/dpixel

Attributes

access_type
512
host
rerddrrdrd-45837.portmap.host,/dpixel
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
polling_time
60000
port_number
45837
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCA+o3FnsObc9SVI8ZAwc36u7DwsV6UPyQpwMNghiyTj7R0UjoBFvLqcYd/JCGPyFzZWQF80PmH7EQ6cxpNKaeo/hMS0u2s6Kc2UV0SDI97XgAIt0A+41EUNTZ/IjxHTsLAkTwd7ebBEktQidwq7D7zfOJACaWQ70uDmPUudcHy7QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
watermark
305419896

Extracted

Family

cobaltstrike

Botnet

Attributes

watermark
0

Extracted

Family

redline

Botnet

cheat

s33s4wredline-50318.portmap.host:50318

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Modifies system executable filetype association 2 TTPs 1 IoCs
persistence

Modify Registry
T1112

Change Default File Association
T1042

Processes:

DIHOST.EXE

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" DIHOST.EXE
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Quasar Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1596-173-0x0000000000A10000-0x0000000000DFA000-memory.dmp	family_quasar
behavioral1/memory/1596-174-0x0000000000A10000-0x0000000000DFA000-memory.dmp	family_quasar
behavioral1/memory/2660-193-0x0000000001290000-0x000000000167A000-memory.dmp	family_quasar
behavioral1/memory/2660-192-0x0000000001290000-0x000000000167A000-memory.dmp	family_quasar
behavioral1/memory/3596-224-0x0000000000A10000-0x0000000000DFA000-memory.dmp	family_quasar
behavioral1/memory/3596-225-0x0000000000A10000-0x0000000000DFA000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/992-212-0x0000000000990000-0x00000000009AE000-memory.dmp	family_redline
behavioral1/memory/992-213-0x0000000000990000-0x00000000009AE000-memory.dmp	family_redline

Async RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/428-169-0x00000000007F0000-0x0000000000802000-memory.dmp	asyncrat
behavioral1/memory/428-170-0x00000000007F0000-0x0000000000802000-memory.dmp	asyncrat
behavioral1/memory/592-189-0x0000000000230000-0x0000000000242000-memory.dmp	asyncrat
behavioral1/memory/592-190-0x0000000000230000-0x0000000000242000-memory.dmp	asyncrat
behavioral1/memory/404-210-0x0000000000040000-0x0000000000052000-memory.dmp	asyncrat
behavioral1/memory/404-208-0x0000000000040000-0x0000000000052000-memory.dmp	asyncrat

Executes dropped EXE 24 IoCs

Processes:

software_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exeDIHOST.EXEJAVA_UPDATE.EXESVHOST.EXEsvchost.comWINCAP.EXEsvchost.comsvchost.comJAVA_U~1.EXE_PANDA~1.EXEsvchost.comchrome_update.exeservices.exesvchost.comNORDVP~1.EXEsvchost.comDIHOST.EXEsvchost.comJAVA_U~1.EXEsvchost.comDIHOST.EXE

pid	process
3484	software_reporter_tool.exe
1628	software_reporter_tool.exe
2644	software_reporter_tool.exe
3180	software_reporter_tool.exe
3980	DIHOST.EXE
1112	JAVA_UPDATE.EXE
1596	SVHOST.EXE
1892	svchost.com
2108	WINCAP.EXE
1612	svchost.com
3220	svchost.com
428	JAVA_U~1.EXE
3140	_PANDA~1.EXE
2084	svchost.com
592	chrome_update.exe
2660	services.exe
3640	svchost.com
212	NORDVP~1.EXE
3964	svchost.com
2128	DIHOST.EXE
2224	svchost.com
404	JAVA_U~1.EXE
3220	svchost.com
992	DIHOST.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

NORDVP~1.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\International\Geo\Nation	NORDVP~1.EXE

Loads dropped DLL 7 IoCs

Processes:

software_reporter_tool.exe

pid	process
2644	software_reporter_tool.exe
2644	software_reporter_tool.exe
2644	software_reporter_tool.exe
2644	software_reporter_tool.exe
2644	software_reporter_tool.exe
2644	software_reporter_tool.exe
2644	software_reporter_tool.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

Processes:

SVHOST.EXEservices.exe

pid process

1596 SVHOST.EXE
1596 SVHOST.EXE
2660 services.exe
2660 services.exe
2660 services.exe
2660 services.exe
2660 services.exe
2660 services.exe

pid	process
1596	SVHOST.EXE
1596	SVHOST.EXE
2660	services.exe
2660	services.exe
2660	services.exe
2660	services.exe
2660	services.exe
2660	services.exe

Drops file in Program Files directory 64 IoCs

Processes:

svchost.comDIHOST.EXE

description	ioc	process
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~2\WinMail.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	DIHOST.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe	DIHOST.EXE
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	DIHOST.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	DIHOST.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	DIHOST.EXE
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	DIHOST.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	DIHOST.EXE
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	DIHOST.EXE
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	DIHOST.EXE
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	DIHOST.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	DIHOST.EXE
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	DIHOST.EXE
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	DIHOST.EXE
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	DIHOST.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	DIHOST.EXE
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	DIHOST.EXE
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	DIHOST.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	DIHOST.EXE
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	DIHOST.EXE
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	DIHOST.EXE
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	DIHOST.EXE
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	svchost.com
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	DIHOST.EXE
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	DIHOST.EXE
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	DIHOST.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	DIHOST.EXE
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	DIHOST.EXE
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	DIHOST.EXE
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	DIHOST.EXE
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	DIHOST.EXE
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	DIHOST.EXE
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe	DIHOST.EXE
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	DIHOST.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	DIHOST.EXE
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	DIHOST.EXE

Drops file in Windows directory 19 IoCs

Processes:

svchost.comsvchost.comsvchost.comsvchost.comDIHOST.EXEsvchost.comsvchost.comJAVA_UPDATE.EXEDIHOST.EXEsvchost.comsvchost.com

description	ioc	process
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	DIHOST.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	JAVA_UPDATE.EXE
File opened for modification	C:\Windows\svchost.com	JAVA_UPDATE.EXE
File opened for modification	C:\Windows\svchost.com	DIHOST.EXE
File opened for modification	C:\Windows\svchost.com	DIHOST.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2540 3140 WerFault.exe _PANDA~1.EXE
2124 3804 WerFault.exe _NORDV~1.EXE
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

3584 schtasks.exe
2016 schtasks.exe
556 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1672 timeout.exe

pid	pid_target	process	target process
2540	3140	WerFault.exe	_PANDA~1.EXE
2124	3804	WerFault.exe	_NORDV~1.EXE

pid	process
3584	schtasks.exe
2016	schtasks.exe
556	schtasks.exe

pid	process
1672	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 8 IoCs

Processes:

DIHOST.EXEPANDAVPN BRUTER.exe.exeJAVA_UPDATE.EXEJAVA_U~1.EXENORDVP~1.EXEDIHOST.EXEchrome.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	DIHOST.EXE
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	PANDAVPN BRUTER.exe.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	JAVA_UPDATE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	JAVA_U~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	NORDVP~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	DIHOST.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	NORDVP~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exesoftware_reporter_tool.exechrome.exechrome.exechrome.exeWerFault.exeJAVA_U~1.EXE

pid	process
1488	chrome.exe
1488	chrome.exe
2620	chrome.exe
2620	chrome.exe
4064	chrome.exe
4064	chrome.exe
2176	chrome.exe
2176	chrome.exe
608	chrome.exe
608	chrome.exe
2072	chrome.exe
2072	chrome.exe
1112	chrome.exe
1112	chrome.exe
3160	chrome.exe
3160	chrome.exe
3484	software_reporter_tool.exe
3484	software_reporter_tool.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
3480	chrome.exe
3480	chrome.exe
2520	chrome.exe
2520	chrome.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
428	JAVA_U~1.EXE
428	JAVA_U~1.EXE
428	JAVA_U~1.EXE
428	JAVA_U~1.EXE
428	JAVA_U~1.EXE
428	JAVA_U~1.EXE
428	JAVA_U~1.EXE
428	JAVA_U~1.EXE
428	JAVA_U~1.EXE
428	JAVA_U~1.EXE
428	JAVA_U~1.EXE
428	JAVA_U~1.EXE
428	JAVA_U~1.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

chrome.exe

pid process

2620 chrome.exe
2620 chrome.exe
2620 chrome.exe
2620 chrome.exe
2620 chrome.exe
2620 chrome.exe
2620 chrome.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

software_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exe7zG.exeWerFault.exeSVHOST.EXEJAVA_U~1.EXEservices.exechrome_update.exe7zG.exe

description	pid	process
Token: 33	1628	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	1628	software_reporter_tool.exe
Token: 33	3484	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	3484	software_reporter_tool.exe
Token: 33	2644	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	2644	software_reporter_tool.exe
Token: 33	3180	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	3180	software_reporter_tool.exe
Token: SeRestorePrivilege	3160	7zG.exe
Token: 35	3160	7zG.exe
Token: SeSecurityPrivilege	3160	7zG.exe
Token: SeSecurityPrivilege	3160	7zG.exe
Token: SeDebugPrivilege	2540	WerFault.exe
Token: SeDebugPrivilege	1596	SVHOST.EXE
Token: SeDebugPrivilege	428	JAVA_U~1.EXE
Token: SeDebugPrivilege	2660	services.exe
Token: SeDebugPrivilege	592	chrome_update.exe
Token: SeRestorePrivilege	2036	7zG.exe
Token: 35	2036	7zG.exe
Token: SeSecurityPrivilege	2036	7zG.exe
Token: SeSecurityPrivilege	2036	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

SVHOST.EXEservices.exe

pid process

1596 SVHOST.EXE
2660 services.exe
2660 services.exe

pid	process
1596	SVHOST.EXE
2660	services.exe
2660	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2620 wrote to memory of 2684	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 2684	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 1488	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 1488	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 4004	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 4004	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 4004	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 4004	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 4004	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 4004	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 4004	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 4004	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 4004	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 4004	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 4004	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 4004	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 4004	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 4004	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 4004	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 4004	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 4004	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 4004	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 4004	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 4004	2620	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://anonfiles.com/L8keN1h0xa/ALL_IN_ONE_CHECKER_COLLECTION_zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xac,0xd0,0xd4,0x60,0xd8,0x7ffa20b84f50,0x7ffa20b84f60,0x7ffa20b84f70
2⤵
PID:2684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1512 /prefetch:2
2⤵
PID:648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1668 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2136 /prefetch:8
2⤵
PID:4004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2936 /prefetch:1
2⤵
PID:1364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2948 /prefetch:1
2⤵
PID:1368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4452 /prefetch:8
2⤵
PID:2328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
2⤵
PID:1828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2960 /prefetch:1
2⤵
PID:1380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4172 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
2⤵
PID:1384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3184 /prefetch:8
2⤵
PID:3612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5516 /prefetch:8
2⤵
PID:3312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4780 /prefetch:8
2⤵
PID:1528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3304 /prefetch:8
2⤵
PID:1196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4796 /prefetch:8
2⤵
PID:1408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4716 /prefetch:8
2⤵
PID:2336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5612 /prefetch:8
2⤵
PID:720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5676 /prefetch:8
2⤵
PID:3232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
2⤵
PID:1576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
2⤵
PID:4032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3092 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4876 /prefetch:8
2⤵
PID:2860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4248 /prefetch:8
2⤵
PID:2396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 /prefetch:8
2⤵
PID:2712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1480 /prefetch:8
2⤵
PID:3684

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\94.273.200\software_reporter_tool.exe
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\94.273.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=DC2oF51Z4WwL09DjUcrPc3ENEyoqcZjDHMKQ6nEa --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=NewCleanerUIExperiment
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3484

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=94.273.200 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff7d4ffc4b8,0x7ff7d4ffc4c8,0x7ff7d4ffc4d8
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1628

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_3484_FUWQKJJOIQFDTQYW" --sandboxed-process-id=2 --init-done-notifier=716 --sandbox-mojo-pipe-token=152219493065132145 --mojo-platform-channel-handle=696 --engine=2
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2644

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_3484_FUWQKJJOIQFDTQYW" --sandboxed-process-id=3 --init-done-notifier=928 --sandbox-mojo-pipe-token=608455433893982676 --mojo-platform-channel-handle=924
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4752 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5640 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5096 /prefetch:8
2⤵
PID:3980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5776 /prefetch:8
2⤵
PID:1560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5780 /prefetch:8
2⤵
PID:2328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4436 /prefetch:8
2⤵
PID:4016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5392 /prefetch:8
2⤵
PID:1208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5088 /prefetch:8
2⤵
PID:704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2472 /prefetch:8
2⤵
PID:3212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1556 /prefetch:8
2⤵
PID:2916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4200 /prefetch:8
2⤵
PID:1564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3640 /prefetch:8
2⤵
PID:3940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4296 /prefetch:8
2⤵
PID:2320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1484 /prefetch:8
2⤵
PID:2400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4208 /prefetch:8
2⤵
PID:1680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4440 /prefetch:8
2⤵
PID:3980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5392 /prefetch:8
2⤵
PID:3364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5668 /prefetch:8
2⤵
PID:1892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4332 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3560 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2520

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3932

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ALL IN ONE CHECKER COLLECTION\" -spe -an -ai#7zMap27014:120:7zEvent26015
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Users\Admin\Downloads\ALL IN ONE CHECKER COLLECTION\[PANDAVPN BRUTER]\[PANDAVPN BRUTER]\PANDAVPN BRUTER.exe.exe
"C:\Users\Admin\Downloads\ALL IN ONE CHECKER COLLECTION\[PANDAVPN BRUTER]\[PANDAVPN BRUTER]\PANDAVPN BRUTER.exe.exe"
1⤵
- Modifies registry class
PID:2400

C:\Users\Admin\AppData\Local\Temp\DIHOST.EXE
"C:\Users\Admin\AppData\Local\Temp\DIHOST.EXE"
2⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:3980

C:\Users\Admin\AppData\Local\Temp\JAVA_UPDATE.EXE
"C:\Users\Admin\AppData\Local\Temp\JAVA_UPDATE.EXE"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:1112

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAVA_U~1.EXE"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3220

C:\Users\Admin\AppData\Local\Temp\3582-490\JAVA_U~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\JAVA_U~1.EXE
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:428

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "chrome_update" /tr '"C:\Users\Admin\AppData\Roaming\chrome_update.exe"' & exit
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c schtasks /create /f /sc onlogon /rl highest /tn chrome_update /tr '"C:\Users\Admin\AppData\Roaming\chrome_update.exe"' & exit
6⤵
PID:3424

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn chrome_update /tr '"C:\Users\Admin\AppData\Roaming\chrome_update.exe"'
7⤵
- Creates scheduled task(s)
PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5FCE.tmp.bat""
5⤵
PID:1656

C:\Windows\system32\timeout.exe
timeout 3
6⤵
- Delays execution with timeout.exe
PID:1672

C:\Users\Admin\AppData\Roaming\chrome_update.exe
"C:\Users\Admin\AppData\Roaming\chrome_update.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:592

C:\Users\Admin\AppData\Local\Temp\SVHOST.EXE
"C:\Users\Admin\AppData\Local\Temp\SVHOST.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1596

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\SVHOST.EXE" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2016

C:\Users\Admin\AppData\Roaming\svhost\services.exe
"C:\Users\Admin\AppData\Roaming\svhost\services.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2660

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\svhost\services.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:556

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\WINCAP.EXE"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1892

C:\Users\Admin\AppData\Local\Temp\WINCAP.EXE
C:\Users\Admin\AppData\Local\Temp\WINCAP.EXE
3⤵
- Executes dropped EXE
PID:2108

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\_PANDA~1.EXE"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1612

C:\Users\Admin\AppData\Local\Temp\_PANDA~1.EXE
C:\Users\Admin\AppData\Local\Temp\_PANDA~1.EXE
3⤵
- Executes dropped EXE
PID:3140

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3140 -s 664
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ALL IN ONE CHECKER COLLECTION\" -an -ai#7zMap4328:154:7zEvent16455
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\DOWNLO~1\ALLINO~1\_NORDV~1\NORDVP~1.EXE"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3640

C:\Users\Admin\DOWNLO~1\ALLINO~1\_NORDV~1\NORDVP~1.EXE
C:\Users\Admin\DOWNLO~1\ALLINO~1\_NORDV~1\NORDVP~1.EXE
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:212

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\DIHOST.EXE"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3964

C:\Users\Admin\AppData\Local\Temp\DIHOST.EXE
C:\Users\Admin\AppData\Local\Temp\DIHOST.EXE
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:2128

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DIHOST.EXE"
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3220

C:\Users\Admin\AppData\Local\Temp\3582-490\DIHOST.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\DIHOST.EXE
6⤵
- Executes dropped EXE
PID:992

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\JAVA_U~1.EXE"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2224

C:\Users\Admin\AppData\Local\Temp\JAVA_U~1.EXE
C:\Users\Admin\AppData\Local\Temp\JAVA_U~1.EXE
4⤵
- Executes dropped EXE
PID:404

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVHOST.EXE"
3⤵
PID:4092

C:\Users\Admin\AppData\Local\Temp\SVHOST.EXE
C:\Users\Admin\AppData\Local\Temp\SVHOST.EXE
4⤵
PID:3596

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\WINCAP.EXE"
3⤵
PID:520

C:\Users\Admin\AppData\Local\Temp\WINCAP.EXE
C:\Users\Admin\AppData\Local\Temp\WINCAP.EXE
4⤵
PID:1980

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\_NORDV~1.EXE"
3⤵
PID:2052

C:\Users\Admin\AppData\Local\Temp\_NORDV~1.EXE
C:\Users\Admin\AppData\Local\Temp\_NORDV~1.EXE
4⤵
PID:3804

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3804 -s 664
5⤵
- Program crash
PID:2124

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Change Default File Association

T1042

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\94.273.200\software_reporter_tool.exe
MD5
1146c9225fadf376ac88bd1b8028efdf

SHA1
5a643f6a45a4018dc9d8e98c42fac2370e8b327d

SHA256
bc402b0b28d71967f97794cb389884cb87e59eaadeb9b886d19d84d47b11f15f

SHA512
a4dd4e2562cffc5fd728d1f013f0926870ff302dd8693bd222004ccc2a0024708c7df123b276e9ddbd46ecbacdc3b16b362fc81679a4381155bde8a2fe726bac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\94.273.200\software_reporter_tool.exe
MD5
1146c9225fadf376ac88bd1b8028efdf

SHA1
5a643f6a45a4018dc9d8e98c42fac2370e8b327d

SHA256
bc402b0b28d71967f97794cb389884cb87e59eaadeb9b886d19d84d47b11f15f

SHA512
a4dd4e2562cffc5fd728d1f013f0926870ff302dd8693bd222004ccc2a0024708c7df123b276e9ddbd46ecbacdc3b16b362fc81679a4381155bde8a2fe726bac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\94.273.200\software_reporter_tool.exe
MD5
1146c9225fadf376ac88bd1b8028efdf

SHA1
5a643f6a45a4018dc9d8e98c42fac2370e8b327d

SHA256
bc402b0b28d71967f97794cb389884cb87e59eaadeb9b886d19d84d47b11f15f

SHA512
a4dd4e2562cffc5fd728d1f013f0926870ff302dd8693bd222004ccc2a0024708c7df123b276e9ddbd46ecbacdc3b16b362fc81679a4381155bde8a2fe726bac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\94.273.200\software_reporter_tool.exe
MD5
1146c9225fadf376ac88bd1b8028efdf

SHA1
5a643f6a45a4018dc9d8e98c42fac2370e8b327d

SHA256
bc402b0b28d71967f97794cb389884cb87e59eaadeb9b886d19d84d47b11f15f

SHA512
a4dd4e2562cffc5fd728d1f013f0926870ff302dd8693bd222004ccc2a0024708c7df123b276e9ddbd46ecbacdc3b16b362fc81679a4381155bde8a2fe726bac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\94.273.200\software_reporter_tool.exe
MD5
1146c9225fadf376ac88bd1b8028efdf

SHA1
5a643f6a45a4018dc9d8e98c42fac2370e8b327d

SHA256
bc402b0b28d71967f97794cb389884cb87e59eaadeb9b886d19d84d47b11f15f

SHA512
a4dd4e2562cffc5fd728d1f013f0926870ff302dd8693bd222004ccc2a0024708c7df123b276e9ddbd46ecbacdc3b16b362fc81679a4381155bde8a2fe726bac

Download Submit
C:\Users\Admin\AppData\Local\Google\Software Reporter Tool\software_reporter_tool-sandbox.log
MD5
834832265a69537533e50e9e506fe09e

SHA1
ca6ea22c72f0893ecc60b647e4b5198c9d2dd2e2

SHA256
28e241bc7f6ee0ce4c644f098d9929c3644349577231d0e3d26347111243f4a5

SHA512
0c575ba338ee22e736f786bf3d00705804dd513071e88842f1120b64aa7f6efe07673766b8619b8492c40b150c47a5253caa2588d71cec8650ee9767d987abea

Download Submit
\??\c:\users\admin\appdata\local\Google\Software Reporter Tool\settings.dat
MD5
1df5634938acfafeb87233e622339b7a

SHA1
87b4c3f98554c831bed7b376b06161bd83183304

SHA256
d0d4a4386d8f21e8478cfe3a24e45f791d6e63c8a5639b747641a217b6d2f2e0

SHA512
34a8aa0462323f5eb4eb55f3c9697b5ff0ebaaa9230f960a08fd11ac650567710c510dc51ffc3e6c31be55bc6d284305f3711ea9fb4a232f335829048e759df8

Download Submit
\??\c:\users\admin\appdata\local\Google\Software Reporter Tool\settings.dat
MD5
1df5634938acfafeb87233e622339b7a

SHA1
87b4c3f98554c831bed7b376b06161bd83183304

SHA256
d0d4a4386d8f21e8478cfe3a24e45f791d6e63c8a5639b747641a217b6d2f2e0

SHA512
34a8aa0462323f5eb4eb55f3c9697b5ff0ebaaa9230f960a08fd11ac650567710c510dc51ffc3e6c31be55bc6d284305f3711ea9fb4a232f335829048e759df8

Download Submit
\??\c:\users\admin\appdata\local\Google\Software Reporter Tool\settings.dat
MD5
1df5634938acfafeb87233e622339b7a

SHA1
87b4c3f98554c831bed7b376b06161bd83183304

SHA256
d0d4a4386d8f21e8478cfe3a24e45f791d6e63c8a5639b747641a217b6d2f2e0

SHA512
34a8aa0462323f5eb4eb55f3c9697b5ff0ebaaa9230f960a08fd11ac650567710c510dc51ffc3e6c31be55bc6d284305f3711ea9fb4a232f335829048e759df8

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\edls_64.dll
MD5
e9a7c44d7bda10b5b7a132d46fcdaf35

SHA1
5217179f094c45ba660777cfa25c7eb00b5c8202

SHA256
35351366369a7774f9f30f38dc8aa3cd5e087acd8eae79e80c24526cd40e95a1

SHA512
e76308eee65bf0bf31e58d754e07b63092a4109ef3d44df7b746da99d44be6112bc5f970123c4e82523b6d301392e09c2cfc490e304550b42d152cdb0757e774

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\em000_64.dll
MD5
d0cf72186dbaea05c5a5bf6594225fc3

SHA1
0e69efd78dc1124122dd8b752be92cb1cbc067a1

SHA256
225d4f7e3ab4687f05f817435b883f6c3271b6c4d4018d94fe4398a350d74907

SHA512
8122a9a9205cfa67ff87cb4755089e5ed1acf8f807467216c98f09f94704f98497f7aa57ad29e255efa4d7206c577c4cf7fed140afb046499fc2e57e03f55285

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\em001_64.dll
MD5
d6385decf21bcfec1ab918dc2a4bcfd9

SHA1
aa0a7cc7a68f2653253b0ace7b416b33a289b22e

SHA256
c26081f692c7446a8ef7c9dec932274343faab70427c1861afef260413d79535

SHA512
bbb82176e0d7f8f151e7c7b0812c6897bfacf43f93fd04599380d4f30e2e18e7812628019d7dba5c4b26cbe5a28dc0798c339273e59eee9ee814a66e55d08246

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\em002_64.dll
MD5
cee5ca67b24b6a73874af7e3d0b32596

SHA1
4ef2a968b2b231fcf8624803740128925ee5fbc7

SHA256
69876185b0a313c046310ee7da4b64cab0530727c65d470f8f49b52e4b594e37

SHA512
feb3ec7d787063dcc8a3fcb4cc30e730c3987259909a565370e5b1884f52004111110dd4cc94dc8f77477681e50d243bdec240a444ab5e81a6ae58a9e5d578d6

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\em003_64.dll
MD5
b3db86f0dd0d2430d3b2cb376fdd7486

SHA1
1582644cc7f20df517c4d32e97fc82faddcc4261

SHA256
b7030cde57668f22e2667c816161e42a5fe8fa359dfcb3aa8de52d9e40909110

SHA512
d25d1b27146a7a8cb450501ce87be881a33d7207d2e77be3c8e1d4498453fdf20d8da9d4ab7b15c2db23d0ed1401b2ab9a8c5492d2298c66cfdfec099be994c9

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\em004_64.dll
MD5
6ea6c094314eb467a3bb67adef0b3cde

SHA1
713ce815a19c10c42085059f910b1f8ec44c4841

SHA256
84dff3e124fa0aa4c38f7517b762cf88174331590699601b9d524846da4bb499

SHA512
b211b48bf24e877302617d79dced0685147541097c1c6e373e288ad39391c7cfcb4904cb4a7b8b127b43f9d55dfdd4e54861e8d15e9427c0c28b1e56a1f4ad3d

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\em005_64.dll
MD5
169a2ef320119891cf3189aa3fd23b0e

SHA1
de51c936101ef79bbc0f1d3c800cf832d221eef8

SHA256
1072d49da0a70640fb9716cb894f4834ff621ca96d4aea1f478754edf4d0f780

SHA512
7fe27d360bbf6d410ea9d33d6003ab455cd8b9e5521c00db9bb6c44a7472ccf2083d51034bab5ffc5aef85db36fc758c76b02fa31f0d0024c9d532548a2bf9ca

Download Submit
\??\pipe\crashpad_2620_ODWMSSDUPFVCKCYE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_3484_FUWQKJJOIQFDTQYW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\94.273.200\edls_64.dll
MD5
e9a7c44d7bda10b5b7a132d46fcdaf35

SHA1
5217179f094c45ba660777cfa25c7eb00b5c8202

SHA256
35351366369a7774f9f30f38dc8aa3cd5e087acd8eae79e80c24526cd40e95a1

SHA512
e76308eee65bf0bf31e58d754e07b63092a4109ef3d44df7b746da99d44be6112bc5f970123c4e82523b6d301392e09c2cfc490e304550b42d152cdb0757e774

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\94.273.200\em000_64.dll
MD5
d0cf72186dbaea05c5a5bf6594225fc3

SHA1
0e69efd78dc1124122dd8b752be92cb1cbc067a1

SHA256
225d4f7e3ab4687f05f817435b883f6c3271b6c4d4018d94fe4398a350d74907

SHA512
8122a9a9205cfa67ff87cb4755089e5ed1acf8f807467216c98f09f94704f98497f7aa57ad29e255efa4d7206c577c4cf7fed140afb046499fc2e57e03f55285

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\94.273.200\em001_64.dll
MD5
d6385decf21bcfec1ab918dc2a4bcfd9

SHA1
aa0a7cc7a68f2653253b0ace7b416b33a289b22e

SHA256
c26081f692c7446a8ef7c9dec932274343faab70427c1861afef260413d79535

SHA512
bbb82176e0d7f8f151e7c7b0812c6897bfacf43f93fd04599380d4f30e2e18e7812628019d7dba5c4b26cbe5a28dc0798c339273e59eee9ee814a66e55d08246

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\94.273.200\em002_64.dll
MD5
cee5ca67b24b6a73874af7e3d0b32596

SHA1
4ef2a968b2b231fcf8624803740128925ee5fbc7

SHA256
69876185b0a313c046310ee7da4b64cab0530727c65d470f8f49b52e4b594e37

SHA512
feb3ec7d787063dcc8a3fcb4cc30e730c3987259909a565370e5b1884f52004111110dd4cc94dc8f77477681e50d243bdec240a444ab5e81a6ae58a9e5d578d6

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\94.273.200\em003_64.dll
MD5
b3db86f0dd0d2430d3b2cb376fdd7486

SHA1
1582644cc7f20df517c4d32e97fc82faddcc4261

SHA256
b7030cde57668f22e2667c816161e42a5fe8fa359dfcb3aa8de52d9e40909110

SHA512
d25d1b27146a7a8cb450501ce87be881a33d7207d2e77be3c8e1d4498453fdf20d8da9d4ab7b15c2db23d0ed1401b2ab9a8c5492d2298c66cfdfec099be994c9

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\94.273.200\em004_64.dll
MD5
6ea6c094314eb467a3bb67adef0b3cde

SHA1
713ce815a19c10c42085059f910b1f8ec44c4841

SHA256
84dff3e124fa0aa4c38f7517b762cf88174331590699601b9d524846da4bb499

SHA512
b211b48bf24e877302617d79dced0685147541097c1c6e373e288ad39391c7cfcb4904cb4a7b8b127b43f9d55dfdd4e54861e8d15e9427c0c28b1e56a1f4ad3d

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\94.273.200\em005_64.dll
MD5
169a2ef320119891cf3189aa3fd23b0e

SHA1
de51c936101ef79bbc0f1d3c800cf832d221eef8

SHA256
1072d49da0a70640fb9716cb894f4834ff621ca96d4aea1f478754edf4d0f780

SHA512
7fe27d360bbf6d410ea9d33d6003ab455cd8b9e5521c00db9bb6c44a7472ccf2083d51034bab5ffc5aef85db36fc758c76b02fa31f0d0024c9d532548a2bf9ca

Download Submit
memory/212-203-0x0000000000000000-mapping.dmp

Download
memory/404-208-0x0000000000040000-0x0000000000052000-memory.dmp

Filesize
72KB

Download
memory/404-210-0x0000000000040000-0x0000000000052000-memory.dmp

Filesize
72KB

Download
memory/404-207-0x0000000000000000-mapping.dmp

Download
memory/404-229-0x0000000000670000-0x0000000000672000-memory.dmp

Filesize
8KB

Download
memory/428-169-0x00000000007F0000-0x0000000000802000-memory.dmp

Filesize
72KB

Download
memory/428-167-0x0000000000000000-mapping.dmp

Download
memory/428-179-0x000000001B460000-0x000000001B462000-memory.dmp

Filesize
8KB

Download
memory/428-170-0x00000000007F0000-0x0000000000802000-memory.dmp

Filesize
72KB

Download
memory/520-220-0x0000000000000000-mapping.dmp

Download
memory/556-199-0x0000000000000000-mapping.dmp

Download
memory/592-188-0x0000000000000000-mapping.dmp

Download
memory/592-189-0x0000000000230000-0x0000000000242000-memory.dmp

Filesize
72KB

Download
memory/592-190-0x0000000000230000-0x0000000000242000-memory.dmp

Filesize
72KB

Download
memory/592-198-0x000000001ADC0000-0x000000001ADC2000-memory.dmp

Filesize
8KB

Download
memory/992-231-0x00000000054B0000-0x00000000055BA000-memory.dmp

Filesize
1.0MB

Download
memory/992-216-0x0000000005210000-0x000000000524E000-memory.dmp

Filesize
248KB

Download
memory/992-214-0x0000000005740000-0x0000000005D46000-memory.dmp

Filesize
6.0MB

Download
memory/992-211-0x0000000000000000-mapping.dmp

Download
memory/992-213-0x0000000000990000-0x00000000009AE000-memory.dmp

Filesize
120KB

Download
memory/992-212-0x0000000000990000-0x00000000009AE000-memory.dmp

Filesize
120KB

Download
memory/992-218-0x0000000005250000-0x000000000529B000-memory.dmp

Filesize
300KB

Download
memory/992-227-0x0000000002BC0000-0x0000000002BC1000-memory.dmp

Filesize
4KB

Download
memory/992-215-0x00000000051B0000-0x00000000051C2000-memory.dmp

Filesize
72KB

Download
memory/1112-161-0x0000000000000000-mapping.dmp

Download
memory/1596-181-0x0000000005E80000-0x000000000637E000-memory.dmp

Filesize
5.0MB

Download
memory/1596-180-0x0000000005F10000-0x0000000005F1A000-memory.dmp

Filesize
40KB

Download
memory/1596-177-0x0000000006380000-0x000000000687E000-memory.dmp

Filesize
5.0MB

Download
memory/1596-178-0x0000000005FD0000-0x0000000006062000-memory.dmp

Filesize
584KB

Download
memory/1596-174-0x0000000000A10000-0x0000000000DFA000-memory.dmp

Filesize
3.9MB

Download
memory/1596-162-0x0000000000000000-mapping.dmp

Download
memory/1596-173-0x0000000000A10000-0x0000000000DFA000-memory.dmp

Filesize
3.9MB

Download
memory/1612-166-0x0000000000000000-mapping.dmp

Download
memory/1628-122-0x000002184ED70000-0x000002184ED72000-memory.dmp

Filesize
8KB

Download
memory/1628-123-0x000002184ED70000-0x000002184ED72000-memory.dmp

Filesize
8KB

Download
memory/1628-120-0x0000000000000000-mapping.dmp

Download
memory/1656-184-0x0000000000000000-mapping.dmp

Download
memory/1672-185-0x0000000000000000-mapping.dmp

Download
memory/1892-163-0x0000000000000000-mapping.dmp

Download
memory/1980-221-0x0000000000000000-mapping.dmp

Download
memory/1980-236-0x0000000000180000-0x00000000001CC000-memory.dmp

Filesize
304KB

Download
memory/2016-187-0x0000000000000000-mapping.dmp

Download
memory/2052-222-0x0000000000000000-mapping.dmp

Download
memory/2084-182-0x0000000000000000-mapping.dmp

Download
memory/2108-175-0x0000000000170000-0x00000000001B0000-memory.dmp

Filesize
256KB

Download
memory/2108-176-0x00000000001B0000-0x00000000001FC000-memory.dmp

Filesize
304KB

Download
memory/2108-164-0x0000000000000000-mapping.dmp

Download
memory/2128-205-0x0000000000000000-mapping.dmp

Download
memory/2224-206-0x0000000000000000-mapping.dmp

Download
memory/2644-129-0x000001FA75CD0000-0x000001FA75CD2000-memory.dmp

Filesize
8KB

Download
memory/2644-126-0x0000000000000000-mapping.dmp

Download
memory/2644-125-0x000001FA75D40000-0x000001FA75D41000-memory.dmp

Filesize
4KB

Download
memory/2644-159-0x000001FA75E80000-0x000001FA75EC0000-memory.dmp

Filesize
256KB

Download
memory/2644-158-0x000001FA75E80000-0x000001FA75E81000-memory.dmp

Filesize
4KB

Download
memory/2644-131-0x00007FFA2E940000-0x00007FFA2E941000-memory.dmp

Filesize
4KB

Download
memory/2644-128-0x000001FA75CD0000-0x000001FA75CD2000-memory.dmp

Filesize
8KB

Download
memory/2644-130-0x00007FFA2E4D0000-0x00007FFA2E4D1000-memory.dmp

Filesize
4KB

Download
memory/2660-193-0x0000000001290000-0x000000000167A000-memory.dmp

Filesize
3.9MB

Download
memory/2660-200-0x0000000007C50000-0x0000000008256000-memory.dmp

Filesize
6.0MB

Download
memory/2660-201-0x0000000007710000-0x0000000007760000-memory.dmp

Filesize
320KB

Download
memory/2660-202-0x0000000007960000-0x0000000007A12000-memory.dmp

Filesize
712KB

Download
memory/2660-197-0x0000000006900000-0x0000000006DFE000-memory.dmp

Filesize
5.0MB

Download
memory/2660-196-0x0000000006910000-0x000000000691A000-memory.dmp

Filesize
40KB

Download
memory/2660-195-0x0000000006A30000-0x0000000006AC2000-memory.dmp

Filesize
584KB

Download
memory/2660-194-0x0000000006E00000-0x00000000072FE000-memory.dmp

Filesize
5.0MB

Download
memory/2660-192-0x0000000001290000-0x000000000167A000-memory.dmp

Filesize
3.9MB

Download
memory/2660-191-0x0000000000000000-mapping.dmp

Download
memory/3140-168-0x0000000000000000-mapping.dmp

Download
memory/3140-172-0x0000000000160000-0x000000000016A000-memory.dmp

Filesize
40KB

Download
memory/3140-171-0x0000000000160000-0x000000000016A000-memory.dmp

Filesize
40KB

Download
memory/3180-150-0x000001673BDE0000-0x000001673BDE2000-memory.dmp

Filesize
8KB

Download
memory/3180-149-0x000001673BDE0000-0x000001673BDE2000-memory.dmp

Filesize
8KB

Download
memory/3180-147-0x0000000000000000-mapping.dmp

Download
memory/3180-146-0x000001673BE54000-0x000001673BE55000-memory.dmp

Filesize
4KB

Download
memory/3220-209-0x0000000000000000-mapping.dmp

Download
memory/3220-165-0x0000000000000000-mapping.dmp

Download
memory/3424-183-0x0000000000000000-mapping.dmp

Download
memory/3484-116-0x0000000000000000-mapping.dmp

Download
memory/3484-119-0x0000025DD8280000-0x0000025DD8282000-memory.dmp

Filesize
8KB

Download
memory/3484-118-0x0000025DD8280000-0x0000025DD8282000-memory.dmp

Filesize
8KB

Download
memory/3584-186-0x0000000000000000-mapping.dmp

Download
memory/3596-228-0x0000000005C60000-0x0000000005CF2000-memory.dmp

Filesize
584KB

Download
memory/3596-224-0x0000000000A10000-0x0000000000DFA000-memory.dmp

Filesize
3.9MB

Download
memory/3596-225-0x0000000000A10000-0x0000000000DFA000-memory.dmp

Filesize
3.9MB

Download
memory/3596-226-0x0000000006080000-0x000000000657E000-memory.dmp

Filesize
5.0MB

Download
memory/3596-219-0x0000000000000000-mapping.dmp

Download
memory/3596-233-0x00000000039C0000-0x00000000039C1000-memory.dmp

Filesize
4KB

Download
memory/3596-234-0x0000000005C20000-0x0000000005C2A000-memory.dmp

Filesize
40KB

Download
memory/3804-223-0x0000000000000000-mapping.dmp

Download
memory/3804-230-0x0000000000F40000-0x0000000000F4A000-memory.dmp

Filesize
40KB

Download
memory/3804-232-0x0000000000F40000-0x0000000000F4A000-memory.dmp

Filesize
40KB

Download
memory/3964-204-0x0000000000000000-mapping.dmp

Download
memory/3980-160-0x0000000000000000-mapping.dmp

Download
memory/4092-217-0x0000000000000000-mapping.dmp

Download