Analysis
- max time kernel: 1394s
- max time network: 1398s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 30-12-2021 09:08
- Static task: static1
- URLScan task: urlscan1
- Sample: https://anonfiles.com/L8keN1h0xa/ALL_IN_ONE_CHECKER_COLLECTION_zip
General

Malware Config

Extracted
- Family: asyncrat
- Version: 1.0.7
- Botnet: s33s4w
- C2: null:null
- Mutex: DcRatMutex_qwqdanchun
- Attributes:
  - anti_vm: false
  - bsod: false
  - delay: 1
  - install: true
  - install_file: chrome_update.exe
  - install_folder: %AppData%
  - pastebin_config: https://pastebin.com/raw/REMiDqQN

Extracted
- Family: quasar
- Version: 1.4.0
- Botnet: THJAY
- C2: s33s4wqsr-31933.portmap.host:31933
- Mutex: a1b1a69b-ba25-4578-8f5a-44cdff71e285
- Attributes:
  - encryption_key: 2138DB726B457D142BA520FA40476B7B3909D03A
  - install_name: services.exe
  - log_directory: Logs
  - reconnect_delay: 3000
  - startup_key: svhost
  - subdirectory: svhost

Extracted
- Family: cobaltstrike
- Botnet: 305419896
- C2: http://rerddrrdrd-45837.portmap.host:45837/dpixel
- Attributes:
  - access_type: 512
  - host: rerddrrdrd-45837.portmap.host,/dpixel
  - http_header1:
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
  - http_header2:
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
  - http_method1: GET
  - http_method2: POST
  - maxdns: 255
  - polling_time: 60000
  - port_number: 45837
  - sc_process32: %windir%\syswow64\rundll32.exe
  - sc_process64: %windir%\sysnative\rundll32.exe
  - state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCA+o3FnsObc9SVI8ZAwc36u7DwsV6UPyQpwMNghiyTj7R0UjoBFvLqcYd/JCGPyFzZWQF80PmH7EQ6cxpNKaeo/hMS0u2s6Kc2UV0SDI97XgAIt0A+41EUNTZ/IjxHTsLAkTwd7ebBEktQidwq7D7zfOJACaWQ70uDmPUudcHy7QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
  - unknown1: 4096
  - unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
  - uri: /submit.php
  - user_agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
  - watermark: 305419896

Extracted
- Family: cobaltstrike
- Botnet: 0
- Attributes:
  - watermark: 0

Extracted
- Family: redline
- Botnet: cheat
- C2: s33s4wredline-50318.portmap.host:50318
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Modifies system executable filetype association (2 TTPs, 1 IoCs)
Processes: DIHOST.EXE
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | DIHOST.EXE
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Quasar Payload (6 IoCs)
resource | yara_rule
- behavioral1/memory/1596-173-0x0000000000A10000-0x0000000000DFA000-memory.dmp | family_quasar
- behavioral1/memory/1596-174-0x0000000000A10000-0x0000000000DFA000-memory.dmp | family_quasar
- behavioral1/memory/2660-193-0x0000000001290000-0x000000000167A000-memory.dmp | family_quasar
- behavioral1/memory/2660-192-0x0000000001290000-0x000000000167A000-memory.dmp | family_quasar
- behavioral1/memory/3596-224-0x0000000000A10000-0x0000000000DFA000-memory.dmp | family_quasar
- behavioral1/memory/3596-225-0x0000000000A10000-0x0000000000DFA000-memory.dmp | family_quasar
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload (2 IoCs)
resource | yara_rule
- behavioral1/memory/992-212-0x0000000000990000-0x00000000009AE000-memory.dmp | family_redline
- behavioral1/memory/992-213-0x0000000000990000-0x00000000009AE000-memory.dmp | family_redline
-
Async RAT payload (6 IoCs)
resource | yara_rule
- behavioral1/memory/428-169-0x00000000007F0000-0x0000000000802000-memory.dmp | asyncrat
- behavioral1/memory/428-170-0x00000000007F0000-0x0000000000802000-memory.dmp | asyncrat
- behavioral1/memory/592-189-0x0000000000230000-0x0000000000242000-memory.dmp | asyncrat
- behavioral1/memory/592-190-0x0000000000230000-0x0000000000242000-memory.dmp | asyncrat
- behavioral1/memory/404-210-0x0000000000040000-0x0000000000052000-memory.dmp | asyncrat
- behavioral1/memory/404-208-0x0000000000040000-0x0000000000052000-memory.dmp | asyncrat
-
Executes dropped EXE (24 IoCs)
Processes: software_reporter_tool.exe, DIHOST.EXE, JAVA_UPDATE.EXE, SVHOST.EXE, svchost.com, WINCAP.EXE, JAVA_U~1.EXE, _PANDA~1.EXE, chrome_update.exe, services.exe, NORDVP~1.EXE
pid | process
- 3484 | software_reporter_tool.exe
- 1628 | software_reporter_tool.exe
- 2644 | software_reporter_tool.exe
- 3180 | software_reporter_tool.exe
- 3980 | DIHOST.EXE
- 1112 | JAVA_UPDATE.EXE
- 1596 | SVHOST.EXE
- 1892 | svchost.com
- 2108 | WINCAP.EXE
- 1612 | svchost.com
- 3220 | svchost.com
- 428 | JAVA_U~1.EXE
- 3140 | _PANDA~1.EXE
- 2084 | svchost.com
- 592 | chrome_update.exe
- 2660 | services.exe
- 3640 | svchost.com
- 212 | NORDVP~1.EXE
- 3964 | svchost.com
- 2128 | DIHOST.EXE
- 2224 | svchost.com
- 404 | JAVA_U~1.EXE
- 3220 | svchost.com
- 992 | DIHOST.EXE
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: NORDVP~1.EXE
description | ioc | process
- Key value queried | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\International\Geo\Nation | NORDVP~1.EXE
-
Loads dropped DLL (7 IoCs)
Processes: software_reporter_tool.exe
pid | process
- 2644 | software_reporter_tool.exe (×7)
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
-
Suspicious use of NtSetInformationThreadHideFromDebugger (8 IoCs)
Processes: SVHOST.EXE, services.exe
pid | process
- 1596 | SVHOST.EXE (×2)
- 2660 | services.exe (×6)
-
Drops file in Program Files directory (64 IoCs)
Processes: svchost.com, DIHOST.EXE
description | ioc | process
- File opened for modification | C:\PROGRA~2\INTERN~1\ExtExport.exe | svchost.com
- File opened for modification | C:\PROGRA~2\WINDOW~2\WinMail.exe | svchost.com
- File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | svchost.com
- File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | DIHOST.EXE
- File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | svchost.com
- File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE | svchost.com
- File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | svchost.com
- File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe | svchost.com
- File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE | svchost.com
- File opened for modification | C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe | DIHOST.EXE
- File opened for modification | C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE | svchost.com
- File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE | DIHOST.EXE
- File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe | DIHOST.EXE
- File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | svchost.com
- File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe | DIHOST.EXE
- File opened for modification | C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe | DIHOST.EXE
- File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe | svchost.com
- File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | DIHOST.EXE
- File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | DIHOST.EXE
- File opened for modification | C:\PROGRA~2\WI54FB~1\setup_wm.exe | DIHOST.EXE
- File opened for modification | C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE | DIHOST.EXE
- File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe | svchost.com
- File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe | DIHOST.EXE
- File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE | svchost.com
- File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE | DIHOST.EXE
- File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | DIHOST.EXE
- File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | svchost.com
- File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | DIHOST.EXE
- File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | DIHOST.EXE
- File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | svchost.com
- File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE | svchost.com
- File opened for modification | C:\PROGRA~2\WI54FB~1\wmpconfig.exe | svchost.com
- File opened for modification | C:\PROGRA~2\WI54FB~1\wmlaunch.exe | DIHOST.EXE
- File opened for modification | C:\PROGRA~2\WI54FB~1\wmpshare.exe | DIHOST.EXE
- File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | DIHOST.EXE
- File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE | DIHOST.EXE
- File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | DIHOST.EXE
- File opened for modification | C:\PROGRA~2\WINDOW~2\wabmig.exe | DIHOST.EXE
- File opened for modification | C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe | svchost.com
- File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | DIHOST.EXE
- File opened for modification | C:\PROGRA~2\WI54FB~1\wmplayer.exe | svchost.com
- File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe | svchost.com
- File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE | svchost.com
- File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE | svchost.com
- File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE | DIHOST.EXE
- File opened for modification | C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE | DIHOST.EXE
- File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | svchost.com
- File opened for modification | C:\PROGRA~2\INTERN~1\ExtExport.exe | DIHOST.EXE
- File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | svchost.com
- File opened for modification | C:\PROGRA~2\WI54FB~1\wmplayer.exe | DIHOST.EXE
- File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE | DIHOST.EXE
- File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | DIHOST.EXE
- File opened for modification | C:\PROGRA~2\WINDOW~2\wab.exe | DIHOST.EXE
- File opened for modification | C:\PROGRA~2\WI54FB~1\wmlaunch.exe | svchost.com
- File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE | svchost.com
- File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE | DIHOST.EXE
- File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe | DIHOST.EXE
- File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | svchost.com
- File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | svchost.com
- File opened for modification | C:\PROGRA~2\WI54FB~1\wmprph.exe | svchost.com
- File opened for modification | C:\PROGRA~2\WI54FB~1\wmpshare.exe | svchost.com
- File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe | DIHOST.EXE
- File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE | DIHOST.EXE
- File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE | DIHOST.EXE
-
Drops file in Windows directory (19 IoCs)
Processes: svchost.com, DIHOST.EXE, JAVA_UPDATE.EXE
description | ioc | process
- File opened for modification | C:\Windows\directx.sys | svchost.com
- File opened for modification | C:\Windows\svchost.com | svchost.com
- File opened for modification | C:\Windows\svchost.com | svchost.com
- File opened for modification | C:\Windows\directx.sys | svchost.com
- File opened for modification | C:\Windows\directx.sys | DIHOST.EXE
- File opened for modification | C:\Windows\directx.sys | svchost.com
- File opened for modification | C:\Windows\svchost.com | svchost.com
- File opened for modification | C:\Windows\svchost.com | svchost.com
- File opened for modification | C:\Windows\directx.sys | JAVA_UPDATE.EXE
- File opened for modification | C:\Windows\svchost.com | JAVA_UPDATE.EXE
- File opened for modification | C:\Windows\svchost.com | DIHOST.EXE
- File opened for modification | C:\Windows\svchost.com | DIHOST.EXE
- File opened for modification | C:\Windows\directx.sys | svchost.com
- File opened for modification | C:\Windows\directx.sys | svchost.com
- File opened for modification | C:\Windows\directx.sys | svchost.com
- File opened for modification | C:\Windows\svchost.com | svchost.com
- File opened for modification | C:\Windows\svchost.com | svchost.com
- File opened for modification | C:\Windows\directx.sys | svchost.com
- File opened for modification | C:\Windows\directx.sys | svchost.com
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash (2 IoCs)
Processes: WerFault.exe
pid | pid_target | process | target process
- 2540 | 3140 | WerFault.exe | _PANDA~1.EXE
- 2124 | 3804 | WerFault.exe | _NORDV~1.EXE
-
Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe
pid | process
- 3584 | schtasks.exe
- 2016 | schtasks.exe
- 556 | schtasks.exe
-
Delays execution with timeout.exe (1 IoCs)
Processes: timeout.exe
pid | process
- 1672 | timeout.exe
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: chrome.exe
description | ioc | process
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
-
Modifies registry class (8 IoCs)
Processes: DIHOST.EXE, PANDAVPN BRUTER.exe.exe, JAVA_UPDATE.EXE, JAVA_U~1.EXE, NORDVP~1.EXE, chrome.exe
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | DIHOST.EXE
- Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings | PANDAVPN BRUTER.exe.exe
- Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings | JAVA_UPDATE.EXE
- Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings | JAVA_U~1.EXE
- Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings | NORDVP~1.EXE
- Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings | DIHOST.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance | NORDVP~1.EXE
- Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings | chrome.exe
-
Suspicious behavior: EnumeratesProcesses (54 IoCs)
Processes: chrome.exe, software_reporter_tool.exe, WerFault.exe, JAVA_U~1.EXE
pid | process
- 1488 | chrome.exe (×2)
- 2620 | chrome.exe (×2)
- 4064 | chrome.exe (×2)
- 2176 | chrome.exe (×2)
- 608 | chrome.exe (×2)
- 2072 | chrome.exe (×2)
- 1112 | chrome.exe (×2)
- 3160 | chrome.exe (×2)
- 3484 | software_reporter_tool.exe (×2)
- 384 | chrome.exe (×4)
- 3480 | chrome.exe (×2)
- 2520 | chrome.exe (×2)
- 2540 | WerFault.exe (×15)
- 428 | JAVA_U~1.EXE (×13)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
Processes: chrome.exe
pid | process
- 2620 | chrome.exe (×7)
-
Suspicious use of AdjustPrivilegeToken (21 IoCs)
Processes: software_reporter_tool.exe, 7zG.exe, WerFault.exe, SVHOST.EXE, JAVA_U~1.EXE, services.exe, chrome_update.exe
description | pid | process
- Token: 33 | 1628 | software_reporter_tool.exe
- Token: SeIncBasePriorityPrivilege | 1628 | software_reporter_tool.exe
- Token: 33 | 3484 | software_reporter_tool.exe
- Token: SeIncBasePriorityPrivilege | 3484 | software_reporter_tool.exe
- Token: 33 | 2644 | software_reporter_tool.exe
- Token: SeIncBasePriorityPrivilege | 2644 | software_reporter_tool.exe
- Token: 33 | 3180 | software_reporter_tool.exe
- Token: SeIncBasePriorityPrivilege | 3180 | software_reporter_tool.exe
- Token: SeRestorePrivilege | 3160 | 7zG.exe
- Token: 35 | 3160 | 7zG.exe
- Token: SeSecurityPrivilege | 3160 | 7zG.exe
- Token: SeSecurityPrivilege | 3160 | 7zG.exe
- Token: SeDebugPrivilege | 2540 | WerFault.exe
- Token: SeDebugPrivilege | 1596 | SVHOST.EXE
- Token: SeDebugPrivilege | 428 | JAVA_U~1.EXE
- Token: SeDebugPrivilege | 2660 | services.exe
- Token: SeDebugPrivilege | 592 | chrome_update.exe
- Token: SeRestorePrivilege | 2036 | 7zG.exe
- Token: 35 | 2036 | 7zG.exe
- Token: SeSecurityPrivilege | 2036 | 7zG.exe
- Token: SeSecurityPrivilege | 2036 | 7zG.exe
-
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes: chrome.exe
pid | process
- 2620 | chrome.exe (×64)
-
Suspicious use of SendNotifyMessage (32 IoCs)
Processes: chrome.exe
pid | process
- 2620 | chrome.exe (×32)
-
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes: SVHOST.EXE, services.exe
pid | process
- 1596 | SVHOST.EXE
- 2660 | services.exe (×2)
-
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
chrome.exedescription pid process target process PID 2620 wrote to memory of 2684 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 2684 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe 
PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 648 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 1488 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 1488 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 4004 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 4004 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 4004 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 4004 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 4004 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 4004 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 4004 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 4004 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 4004 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 4004 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 4004 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 4004 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 4004 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 4004 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 4004 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 4004 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 4004 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 4004 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 4004 2620 chrome.exe chrome.exe PID 2620 wrote to memory of 4004 2620 chrome.exe chrome.exe
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://anonfiles.com/L8keN1h0xa/ALL_IN_ONE_CHECKER_COLLECTION_zip
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xac,0xd0,0xd4,0x60,0xd8,0x7ffa20b84f50,0x7ffa20b84f60,0x7ffa20b84f70
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1512 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1668 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2136 /prefetch:8
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2936 /prefetch:1
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2948 /prefetch:1
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4452 /prefetch:8
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2960 /prefetch:1
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4172 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3184 /prefetch:8
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5516 /prefetch:8
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4780 /prefetch:8
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3304 /prefetch:8
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4796 /prefetch:8
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4716 /prefetch:8
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5612 /prefetch:8
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5676 /prefetch:8
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3092 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4876 /prefetch:8
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4248 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1480 /prefetch:82⤵
-
[level 2] C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\94.273.200\software_reporter_tool.exe
  cmd: "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\94.273.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=DC2oF51Z4WwL09DjUcrPc3ENEyoqcZjDHMKQ6nEa --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=NewCleanerUIExperiment
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[level 3] \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\software_reporter_tool.exe
  cmd: "c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=94.273.200 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff7d4ffc4b8,0x7ff7d4ffc4c8,0x7ff7d4ffc4d8
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

[level 3] \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\software_reporter_tool.exe
  cmd: "c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_3484_FUWQKJJOIQFDTQYW" --sandboxed-process-id=2 --init-done-notifier=716 --sandbox-mojo-pipe-token=152219493065132145 --mojo-platform-channel-handle=696 --engine=2
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken

[level 3] \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\software_reporter_tool.exe
  cmd: "c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_3484_FUWQKJJOIQFDTQYW" --sandboxed-process-id=3 --init-done-notifier=928 --sandbox-mojo-pipe-token=608455433893982676 --mojo-platform-channel-handle=924
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
[level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
  cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4752 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses

[level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
  cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5640 /prefetch:2
  - Suspicious behavior: EnumeratesProcesses

[level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
  cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5096 /prefetch:8

[level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
  cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5776 /prefetch:8

[level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
  cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5780 /prefetch:8

[level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
  cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4436 /prefetch:8

[level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
  cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5392 /prefetch:8

[level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
  cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5088 /prefetch:8

[level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
  cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2472 /prefetch:8

[level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
  cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1556 /prefetch:8

[level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
  cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4200 /prefetch:8

[level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
  cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3640 /prefetch:8

[level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
  cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4296 /prefetch:8

[level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
  cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1484 /prefetch:8

[level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
  cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4208 /prefetch:8

[level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
  cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4440 /prefetch:8

[level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
  cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5392 /prefetch:8

[level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
  cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5668 /prefetch:8

[level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
  cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4332 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses

[level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
  cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,12576577566407924818,214862865687000202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3560 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
[level 1] C:\Windows\System32\rundll32.exe
  cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

[level 1] C:\Program Files\7-Zip\7zG.exe
  cmd: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ALL IN ONE CHECKER COLLECTION\" -spe -an -ai#7zMap27014:120:7zEvent26015
  - Suspicious use of AdjustPrivilegeToken
[level 1] C:\Users\Admin\Downloads\ALL IN ONE CHECKER COLLECTION\[PANDAVPN BRUTER]\[PANDAVPN BRUTER]\PANDAVPN BRUTER.exe.exe
  cmd: "C:\Users\Admin\Downloads\ALL IN ONE CHECKER COLLECTION\[PANDAVPN BRUTER]\[PANDAVPN BRUTER]\PANDAVPN BRUTER.exe.exe"
  - Modifies registry class

[level 2] C:\Users\Admin\AppData\Local\Temp\DIHOST.EXE
  cmd: "C:\Users\Admin\AppData\Local\Temp\DIHOST.EXE"
  - Modifies system executable filetype association
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class

[level 2] C:\Users\Admin\AppData\Local\Temp\JAVA_UPDATE.EXE
  cmd: "C:\Users\Admin\AppData\Local\Temp\JAVA_UPDATE.EXE"
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies registry class

[level 3] C:\Windows\svchost.com
  cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\JAVA_U~1.EXE"
  - Executes dropped EXE
  - Drops file in Windows directory

[level 4] C:\Users\Admin\AppData\Local\Temp\3582-490\JAVA_U~1.EXE
  cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\JAVA_U~1.EXE
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[level 5] C:\Windows\svchost.com
  cmd: "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "chrome_update" /tr '"C:\Users\Admin\AppData\Roaming\chrome_update.exe"' & exit
  - Executes dropped EXE
  - Drops file in Windows directory

[level 6] C:\Windows\SysWOW64\cmd.exe
  cmd: C:\Windows\System32\cmd.exe /c schtasks /create /f /sc onlogon /rl highest /tn chrome_update /tr '"C:\Users\Admin\AppData\Roaming\chrome_update.exe"' & exit

[level 7] C:\Windows\SysWOW64\schtasks.exe
  cmd: schtasks /create /f /sc onlogon /rl highest /tn chrome_update /tr '"C:\Users\Admin\AppData\Roaming\chrome_update.exe"'
  - Creates scheduled task(s)

[level 5] C:\Windows\system32\cmd.exe
  cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5FCE.tmp.bat""

[level 6] C:\Windows\system32\timeout.exe
  cmd: timeout 3
  - Delays execution with timeout.exe

[level 6] C:\Users\Admin\AppData\Roaming\chrome_update.exe
  cmd: "C:\Users\Admin\AppData\Roaming\chrome_update.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

[level 2] C:\Users\Admin\AppData\Local\Temp\SVHOST.EXE
  cmd: "C:\Users\Admin\AppData\Local\Temp\SVHOST.EXE"
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx

[level 3] C:\Windows\SysWOW64\schtasks.exe
  cmd: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\SVHOST.EXE" /rl HIGHEST /f
  - Creates scheduled task(s)

[level 3] C:\Users\Admin\AppData\Roaming\svhost\services.exe
  cmd: "C:\Users\Admin\AppData\Roaming\svhost\services.exe"
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx

[level 4] C:\Windows\SysWOW64\schtasks.exe
  cmd: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\svhost\services.exe" /rl HIGHEST /f
  - Creates scheduled task(s)

[level 2] C:\Windows\svchost.com
  cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\WINCAP.EXE"
  - Executes dropped EXE
  - Drops file in Windows directory

[level 3] C:\Users\Admin\AppData\Local\Temp\WINCAP.EXE
  cmd: C:\Users\Admin\AppData\Local\Temp\WINCAP.EXE
  - Executes dropped EXE

[level 2] C:\Windows\svchost.com
  cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\_PANDA~1.EXE"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory

[level 3] C:\Users\Admin\AppData\Local\Temp\_PANDA~1.EXE
  cmd: C:\Users\Admin\AppData\Local\Temp\_PANDA~1.EXE
  - Executes dropped EXE

[level 4] C:\Windows\system32\WerFault.exe
  cmd: C:\Windows\system32\WerFault.exe -u -p 3140 -s 664
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
[level 1] C:\Program Files\7-Zip\7zG.exe
  cmd: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ALL IN ONE CHECKER COLLECTION\" -an -ai#7zMap4328:154:7zEvent16455
  - Suspicious use of AdjustPrivilegeToken

[level 1] C:\Windows\svchost.com
  cmd: "C:\Windows\svchost.com" "C:\Users\Admin\DOWNLO~1\ALLINO~1\_NORDV~1\NORDVP~1.EXE"
  - Executes dropped EXE
  - Drops file in Windows directory

[level 2] C:\Users\Admin\DOWNLO~1\ALLINO~1\_NORDV~1\NORDVP~1.EXE
  cmd: C:\Users\Admin\DOWNLO~1\ALLINO~1\_NORDV~1\NORDVP~1.EXE
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies registry class

[level 3] C:\Windows\svchost.com
  cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\DIHOST.EXE"
  - Executes dropped EXE
  - Drops file in Windows directory

[level 4] C:\Users\Admin\AppData\Local\Temp\DIHOST.EXE
  cmd: C:\Users\Admin\AppData\Local\Temp\DIHOST.EXE
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies registry class

[level 5] C:\Windows\svchost.com
  cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DIHOST.EXE"
  - Executes dropped EXE
  - Drops file in Windows directory

[level 6] C:\Users\Admin\AppData\Local\Temp\3582-490\DIHOST.EXE
  cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\DIHOST.EXE
  - Executes dropped EXE

[level 3] C:\Windows\svchost.com
  cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\JAVA_U~1.EXE"
  - Executes dropped EXE
  - Drops file in Windows directory

[level 4] C:\Users\Admin\AppData\Local\Temp\JAVA_U~1.EXE
  cmd: C:\Users\Admin\AppData\Local\Temp\JAVA_U~1.EXE
  - Executes dropped EXE

[level 3] C:\Windows\svchost.com
  cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVHOST.EXE"

[level 4] C:\Users\Admin\AppData\Local\Temp\SVHOST.EXE
  cmd: C:\Users\Admin\AppData\Local\Temp\SVHOST.EXE

[level 3] C:\Windows\svchost.com
  cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\WINCAP.EXE"

[level 4] C:\Users\Admin\AppData\Local\Temp\WINCAP.EXE
  cmd: C:\Users\Admin\AppData\Local\Temp\WINCAP.EXE

[level 3] C:\Windows\svchost.com
  cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\_NORDV~1.EXE"

[level 4] C:\Users\Admin\AppData\Local\Temp\_NORDV~1.EXE
  cmd: C:\Users\Admin\AppData\Local\Temp\_NORDV~1.EXE

[level 5] C:\Windows\system32\WerFault.exe
  cmd: C:\Windows\system32\WerFault.exe -u -p 3804 -s 664
  - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\94.273.200\software_reporter_tool.exe
  MD5    1146c9225fadf376ac88bd1b8028efdf
  SHA1   5a643f6a45a4018dc9d8e98c42fac2370e8b327d
  SHA256 bc402b0b28d71967f97794cb389884cb87e59eaadeb9b886d19d84d47b11f15f
  SHA512 a4dd4e2562cffc5fd728d1f013f0926870ff302dd8693bd222004ccc2a0024708c7df123b276e9ddbd46ecbacdc3b16b362fc81679a4381155bde8a2fe726bac

C:\Users\Admin\AppData\Local\Google\Software Reporter Tool\software_reporter_tool-sandbox.log
  MD5    834832265a69537533e50e9e506fe09e
  SHA1   ca6ea22c72f0893ecc60b647e4b5198c9d2dd2e2
  SHA256 28e241bc7f6ee0ce4c644f098d9929c3644349577231d0e3d26347111243f4a5
  SHA512 0c575ba338ee22e736f786bf3d00705804dd513071e88842f1120b64aa7f6efe07673766b8619b8492c40b150c47a5253caa2588d71cec8650ee9767d987abea

\??\c:\users\admin\appdata\local\Google\Software Reporter Tool\settings.dat
  MD5    1df5634938acfafeb87233e622339b7a
  SHA1   87b4c3f98554c831bed7b376b06161bd83183304
  SHA256 d0d4a4386d8f21e8478cfe3a24e45f791d6e63c8a5639b747641a217b6d2f2e0
  SHA512 34a8aa0462323f5eb4eb55f3c9697b5ff0ebaaa9230f960a08fd11ac650567710c510dc51ffc3e6c31be55bc6d284305f3711ea9fb4a232f335829048e759df8

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\edls_64.dll
  MD5    e9a7c44d7bda10b5b7a132d46fcdaf35
  SHA1   5217179f094c45ba660777cfa25c7eb00b5c8202
  SHA256 35351366369a7774f9f30f38dc8aa3cd5e087acd8eae79e80c24526cd40e95a1
  SHA512 e76308eee65bf0bf31e58d754e07b63092a4109ef3d44df7b746da99d44be6112bc5f970123c4e82523b6d301392e09c2cfc490e304550b42d152cdb0757e774

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\em000_64.dll
  MD5    d0cf72186dbaea05c5a5bf6594225fc3
  SHA1   0e69efd78dc1124122dd8b752be92cb1cbc067a1
  SHA256 225d4f7e3ab4687f05f817435b883f6c3271b6c4d4018d94fe4398a350d74907
  SHA512 8122a9a9205cfa67ff87cb4755089e5ed1acf8f807467216c98f09f94704f98497f7aa57ad29e255efa4d7206c577c4cf7fed140afb046499fc2e57e03f55285

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\em001_64.dll
  MD5    d6385decf21bcfec1ab918dc2a4bcfd9
  SHA1   aa0a7cc7a68f2653253b0ace7b416b33a289b22e
  SHA256 c26081f692c7446a8ef7c9dec932274343faab70427c1861afef260413d79535
  SHA512 bbb82176e0d7f8f151e7c7b0812c6897bfacf43f93fd04599380d4f30e2e18e7812628019d7dba5c4b26cbe5a28dc0798c339273e59eee9ee814a66e55d08246

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\em002_64.dll
  MD5    cee5ca67b24b6a73874af7e3d0b32596
  SHA1   4ef2a968b2b231fcf8624803740128925ee5fbc7
  SHA256 69876185b0a313c046310ee7da4b64cab0530727c65d470f8f49b52e4b594e37
  SHA512 feb3ec7d787063dcc8a3fcb4cc30e730c3987259909a565370e5b1884f52004111110dd4cc94dc8f77477681e50d243bdec240a444ab5e81a6ae58a9e5d578d6

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\em003_64.dll
  MD5    b3db86f0dd0d2430d3b2cb376fdd7486
  SHA1   1582644cc7f20df517c4d32e97fc82faddcc4261
  SHA256 b7030cde57668f22e2667c816161e42a5fe8fa359dfcb3aa8de52d9e40909110
  SHA512 d25d1b27146a7a8cb450501ce87be881a33d7207d2e77be3c8e1d4498453fdf20d8da9d4ab7b15c2db23d0ed1401b2ab9a8c5492d2298c66cfdfec099be994c9

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\em004_64.dll
  MD5    6ea6c094314eb467a3bb67adef0b3cde
  SHA1   713ce815a19c10c42085059f910b1f8ec44c4841
  SHA256 84dff3e124fa0aa4c38f7517b762cf88174331590699601b9d524846da4bb499
  SHA512 b211b48bf24e877302617d79dced0685147541097c1c6e373e288ad39391c7cfcb4904cb4a7b8b127b43f9d55dfdd4e54861e8d15e9427c0c28b1e56a1f4ad3d

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\em005_64.dll
  MD5    169a2ef320119891cf3189aa3fd23b0e
  SHA1   de51c936101ef79bbc0f1d3c800cf832d221eef8
  SHA256 1072d49da0a70640fb9716cb894f4834ff621ca96d4aea1f478754edf4d0f780
  SHA512 7fe27d360bbf6d410ea9d33d6003ab455cd8b9e5521c00db9bb6c44a7472ccf2083d51034bab5ffc5aef85db36fc758c76b02fa31f0d0024c9d532548a2bf9ca

\??\pipe\crashpad_2620_ODWMSSDUPFVCKCYE
  MD5    d41d8cd98f00b204e9800998ecf8427e
  SHA1   da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\??\pipe\crashpad_3484_FUWQKJJOIQFDTQYW
  MD5    d41d8cd98f00b204e9800998ecf8427e
  SHA1   da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\94.273.200\edls_64.dll
  MD5    e9a7c44d7bda10b5b7a132d46fcdaf35
  SHA1   5217179f094c45ba660777cfa25c7eb00b5c8202
  SHA256 35351366369a7774f9f30f38dc8aa3cd5e087acd8eae79e80c24526cd40e95a1
  SHA512 e76308eee65bf0bf31e58d754e07b63092a4109ef3d44df7b746da99d44be6112bc5f970123c4e82523b6d301392e09c2cfc490e304550b42d152cdb0757e774

\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\94.273.200\em000_64.dll
  MD5    d0cf72186dbaea05c5a5bf6594225fc3
  SHA1   0e69efd78dc1124122dd8b752be92cb1cbc067a1
  SHA256 225d4f7e3ab4687f05f817435b883f6c3271b6c4d4018d94fe4398a350d74907
  SHA512 8122a9a9205cfa67ff87cb4755089e5ed1acf8f807467216c98f09f94704f98497f7aa57ad29e255efa4d7206c577c4cf7fed140afb046499fc2e57e03f55285

\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\94.273.200\em001_64.dll
  MD5    d6385decf21bcfec1ab918dc2a4bcfd9
  SHA1   aa0a7cc7a68f2653253b0ace7b416b33a289b22e
  SHA256 c26081f692c7446a8ef7c9dec932274343faab70427c1861afef260413d79535
  SHA512 bbb82176e0d7f8f151e7c7b0812c6897bfacf43f93fd04599380d4f30e2e18e7812628019d7dba5c4b26cbe5a28dc0798c339273e59eee9ee814a66e55d08246

\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\94.273.200\em002_64.dll
  MD5    cee5ca67b24b6a73874af7e3d0b32596
  SHA1   4ef2a968b2b231fcf8624803740128925ee5fbc7
  SHA256 69876185b0a313c046310ee7da4b64cab0530727c65d470f8f49b52e4b594e37
  SHA512 feb3ec7d787063dcc8a3fcb4cc30e730c3987259909a565370e5b1884f52004111110dd4cc94dc8f77477681e50d243bdec240a444ab5e81a6ae58a9e5d578d6

\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\94.273.200\em003_64.dll
  MD5    b3db86f0dd0d2430d3b2cb376fdd7486
  SHA1   1582644cc7f20df517c4d32e97fc82faddcc4261
  SHA256 b7030cde57668f22e2667c816161e42a5fe8fa359dfcb3aa8de52d9e40909110
  SHA512 d25d1b27146a7a8cb450501ce87be881a33d7207d2e77be3c8e1d4498453fdf20d8da9d4ab7b15c2db23d0ed1401b2ab9a8c5492d2298c66cfdfec099be994c9

\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\94.273.200\em004_64.dll
  MD5    6ea6c094314eb467a3bb67adef0b3cde
  SHA1   713ce815a19c10c42085059f910b1f8ec44c4841
  SHA256 84dff3e124fa0aa4c38f7517b762cf88174331590699601b9d524846da4bb499
  SHA512 b211b48bf24e877302617d79dced0685147541097c1c6e373e288ad39391c7cfcb4904cb4a7b8b127b43f9d55dfdd4e54861e8d15e9427c0c28b1e56a1f4ad3d

\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\94.273.200\em005_64.dll
  MD5    169a2ef320119891cf3189aa3fd23b0e
  SHA1   de51c936101ef79bbc0f1d3c800cf832d221eef8
  SHA256 1072d49da0a70640fb9716cb894f4834ff621ca96d4aea1f478754edf4d0f780
  SHA512 7fe27d360bbf6d410ea9d33d6003ab455cd8b9e5521c00db9bb6c44a7472ccf2083d51034bab5ffc5aef85db36fc758c76b02fa31f0d0024c9d532548a2bf9ca
memory/212-203-0x0000000000000000-mapping.dmp
memory/404-208-0x0000000000040000-0x0000000000052000-memory.dmp  Filesize 72KB
memory/404-210-0x0000000000040000-0x0000000000052000-memory.dmp  Filesize 72KB
memory/404-207-0x0000000000000000-mapping.dmp
memory/404-229-0x0000000000670000-0x0000000000672000-memory.dmp  Filesize 8KB
memory/428-169-0x00000000007F0000-0x0000000000802000-memory.dmp  Filesize 72KB
memory/428-167-0x0000000000000000-mapping.dmp
memory/428-179-0x000000001B460000-0x000000001B462000-memory.dmp  Filesize 8KB
memory/428-170-0x00000000007F0000-0x0000000000802000-memory.dmp  Filesize 72KB
memory/520-220-0x0000000000000000-mapping.dmp
memory/556-199-0x0000000000000000-mapping.dmp
memory/592-188-0x0000000000000000-mapping.dmp
memory/592-189-0x0000000000230000-0x0000000000242000-memory.dmp  Filesize 72KB
memory/592-190-0x0000000000230000-0x0000000000242000-memory.dmp  Filesize 72KB
memory/592-198-0x000000001ADC0000-0x000000001ADC2000-memory.dmp  Filesize 8KB
memory/992-231-0x00000000054B0000-0x00000000055BA000-memory.dmp  Filesize 1.0MB
memory/992-216-0x0000000005210000-0x000000000524E000-memory.dmp  Filesize 248KB
memory/992-214-0x0000000005740000-0x0000000005D46000-memory.dmp  Filesize 6.0MB
memory/992-211-0x0000000000000000-mapping.dmp
memory/992-213-0x0000000000990000-0x00000000009AE000-memory.dmp  Filesize 120KB
memory/992-212-0x0000000000990000-0x00000000009AE000-memory.dmp  Filesize 120KB
memory/992-218-0x0000000005250000-0x000000000529B000-memory.dmp  Filesize 300KB
memory/992-227-0x0000000002BC0000-0x0000000002BC1000-memory.dmp  Filesize 4KB
memory/992-215-0x00000000051B0000-0x00000000051C2000-memory.dmp  Filesize 72KB
memory/1112-161-0x0000000000000000-mapping.dmp
memory/1596-181-0x0000000005E80000-0x000000000637E000-memory.dmp  Filesize 5.0MB
memory/1596-180-0x0000000005F10000-0x0000000005F1A000-memory.dmp  Filesize 40KB
memory/1596-177-0x0000000006380000-0x000000000687E000-memory.dmp  Filesize 5.0MB
memory/1596-178-0x0000000005FD0000-0x0000000006062000-memory.dmp  Filesize 584KB
memory/1596-174-0x0000000000A10000-0x0000000000DFA000-memory.dmp  Filesize 3.9MB
memory/1596-162-0x0000000000000000-mapping.dmp
memory/1596-173-0x0000000000A10000-0x0000000000DFA000-memory.dmp  Filesize 3.9MB
memory/1612-166-0x0000000000000000-mapping.dmp
memory/1628-122-0x000002184ED70000-0x000002184ED72000-memory.dmp  Filesize 8KB
memory/1628-123-0x000002184ED70000-0x000002184ED72000-memory.dmp  Filesize 8KB
memory/1628-120-0x0000000000000000-mapping.dmp
memory/1656-184-0x0000000000000000-mapping.dmp
memory/1672-185-0x0000000000000000-mapping.dmp
memory/1892-163-0x0000000000000000-mapping.dmp
memory/1980-221-0x0000000000000000-mapping.dmp
memory/1980-236-0x0000000000180000-0x00000000001CC000-memory.dmp  Filesize 304KB
memory/2016-187-0x0000000000000000-mapping.dmp
memory/2052-222-0x0000000000000000-mapping.dmp
memory/2084-182-0x0000000000000000-mapping.dmp
memory/2108-175-0x0000000000170000-0x00000000001B0000-memory.dmp  Filesize 256KB
memory/2108-176-0x00000000001B0000-0x00000000001FC000-memory.dmp  Filesize 304KB
memory/2108-164-0x0000000000000000-mapping.dmp
memory/2128-205-0x0000000000000000-mapping.dmp
memory/2224-206-0x0000000000000000-mapping.dmp
memory/2644-129-0x000001FA75CD0000-0x000001FA75CD2000-memory.dmp  Filesize 8KB
memory/2644-126-0x0000000000000000-mapping.dmp
memory/2644-125-0x000001FA75D40000-0x000001FA75D41000-memory.dmp  Filesize 4KB
memory/2644-159-0x000001FA75E80000-0x000001FA75EC0000-memory.dmp  Filesize 256KB
memory/2644-158-0x000001FA75E80000-0x000001FA75E81000-memory.dmp  Filesize 4KB
memory/2644-131-0x00007FFA2E940000-0x00007FFA2E941000-memory.dmp  Filesize 4KB
memory/2644-128-0x000001FA75CD0000-0x000001FA75CD2000-memory.dmp  Filesize 8KB
memory/2644-130-0x00007FFA2E4D0000-0x00007FFA2E4D1000-memory.dmp  Filesize 4KB
memory/2660-193-0x0000000001290000-0x000000000167A000-memory.dmp  Filesize 3.9MB
memory/2660-200-0x0000000007C50000-0x0000000008256000-memory.dmp  Filesize 6.0MB
memory/2660-201-0x0000000007710000-0x0000000007760000-memory.dmp  Filesize 320KB
memory/2660-202-0x0000000007960000-0x0000000007A12000-memory.dmp  Filesize 712KB
memory/2660-197-0x0000000006900000-0x0000000006DFE000-memory.dmp  Filesize 5.0MB
memory/2660-196-0x0000000006910000-0x000000000691A000-memory.dmp  Filesize 40KB
memory/2660-195-0x0000000006A30000-0x0000000006AC2000-memory.dmp  Filesize 584KB
memory/2660-194-0x0000000006E00000-0x00000000072FE000-memory.dmp  Filesize 5.0MB
memory/2660-192-0x0000000001290000-0x000000000167A000-memory.dmp  Filesize 3.9MB
memory/2660-191-0x0000000000000000-mapping.dmp
memory/3140-168-0x0000000000000000-mapping.dmp
memory/3140-172-0x0000000000160000-0x000000000016A000-memory.dmp  Filesize 40KB
memory/3140-171-0x0000000000160000-0x000000000016A000-memory.dmp  Filesize 40KB
memory/3180-150-0x000001673BDE0000-0x000001673BDE2000-memory.dmp  Filesize 8KB
memory/3180-149-0x000001673BDE0000-0x000001673BDE2000-memory.dmp  Filesize 8KB
memory/3180-147-0x0000000000000000-mapping.dmp
memory/3180-146-0x000001673BE54000-0x000001673BE55000-memory.dmp  Filesize 4KB
memory/3220-209-0x0000000000000000-mapping.dmp
memory/3220-165-0x0000000000000000-mapping.dmp
memory/3424-183-0x0000000000000000-mapping.dmp
memory/3484-116-0x0000000000000000-mapping.dmp
memory/3484-119-0x0000025DD8280000-0x0000025DD8282000-memory.dmp  Filesize 8KB
memory/3484-118-0x0000025DD8280000-0x0000025DD8282000-memory.dmp  Filesize 8KB
memory/3584-186-0x0000000000000000-mapping.dmp
memory/3596-228-0x0000000005C60000-0x0000000005CF2000-memory.dmp  Filesize 584KB
memory/3596-224-0x0000000000A10000-0x0000000000DFA000-memory.dmpFilesize
3.9MB
-
memory/3596-225-0x0000000000A10000-0x0000000000DFA000-memory.dmpFilesize
3.9MB
-
memory/3596-226-0x0000000006080000-0x000000000657E000-memory.dmpFilesize
5.0MB
-
memory/3596-219-0x0000000000000000-mapping.dmp
-
memory/3596-233-0x00000000039C0000-0x00000000039C1000-memory.dmpFilesize
4KB
-
memory/3596-234-0x0000000005C20000-0x0000000005C2A000-memory.dmpFilesize
40KB
-
memory/3804-223-0x0000000000000000-mapping.dmp
-
memory/3804-230-0x0000000000F40000-0x0000000000F4A000-memory.dmpFilesize
40KB
-
memory/3804-232-0x0000000000F40000-0x0000000000F4A000-memory.dmpFilesize
40KB
-
memory/3964-204-0x0000000000000000-mapping.dmp
-
memory/3980-160-0x0000000000000000-mapping.dmp
-
memory/4092-217-0x0000000000000000-mapping.dmp