xloader | 10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74

Target

10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe
Size

592KB
MD5

f8e05f051c4151136ab7da1002e4c915
SHA1

23bd18eee8c7cdc3fe21ecb778af9a89e855b71e
SHA256

10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74
SHA512

427a04103a5fbede6f2ebe2e5e82a5fc4790b5108ac9bb165f96cc04871d655ca12a92d2bbaea13491a56e76122aa0412595613560e392fa1a7365c81e829463

Score

10^/10

xloader pnug loader rat spyware stealer

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

pnug

Decoy

natureate.com

ita-pots.website

sucohansmushroom.com

produrielrosen.com

gosystemupdatenow.online

jiskra.art

janwiench.com

norfolkfoodhall.com

iloveaddictss.com

pogozip.com

buyinstapva.com

teardirectionfreedom.xyz

0205168.com

apaixonadosporpugs.online

jawscoinc.com

crafter.quest

wikipedianow.com

radiopuls.net

kendama-co.com

goodstudycanada.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2692-125-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2692-126-0x000000000041D400-mapping.dmp	xloader

Executes dropped EXE 4 IoCs

Processes:

software_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exe

pid process

1892 software_reporter_tool.exe
5048 software_reporter_tool.exe
4112 software_reporter_tool.exe
4144 software_reporter_tool.exe

pid	process
1892	software_reporter_tool.exe
5048	software_reporter_tool.exe
4112	software_reporter_tool.exe
4144	software_reporter_tool.exe

Loads dropped DLL 10 IoCs

Processes:

helper.exesoftware_reporter_tool.exe

pid	process
4344	helper.exe
4344	helper.exe
4344	helper.exe
4112	software_reporter_tool.exe
4112	software_reporter_tool.exe
4112	software_reporter_tool.exe
4112	software_reporter_tool.exe
4112	software_reporter_tool.exe
4112	software_reporter_tool.exe
4112	software_reporter_tool.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe

description	pid	process	target process
PID 684 set thread context of 2692	684	10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe	10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe

Drops file in Windows directory 8 IoCs

Processes:

taskmgr.exeSystemSettings.exetaskmgr.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\1601268389\1361672858.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\2717123927\1253081315.pri	SystemSettings.exe
File created	C:\Windows\rescache\_merged\2717123927\1253081315.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\3060194815\1650753000.pri	SystemSettings.exe
File created	C:\Windows\rescache\_merged\3720402701\1659841449.pri	SystemSettings.exe
File created	C:\Windows\rescache\_merged\4183903823\97717462.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\1361672858.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\97717462.pri	taskmgr.exe

Checks SCSI registry key(s) 3 TTPs 10 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SystemSettings.exetaskmgr.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exetaskmgr.exefirefox.exetaskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "345877911"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TypedURLs\url2 = "https://www.facebook.com/"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url4 = 0000000000000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "375759552"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000073ba28bec77bbe4ba4dd58ffcd9527ce00000000020000000000106600000001000020000000205ec9c45823aae128443c13a8b8e7a150889d383a86d9f932adb8b89df45937000000000e80000000020000200000008335ab3128974cf89d5fae2758c4f5b07bf900e88e15eedce56f11c9f68eecfc20000000ce33d7db798dedf109e8f65aef75987a524f53abbcff4ad56502a27fe5ea61af40000000421e28514a0100ecc98f6e9b65902115d55072653d29646f98ce60f8a35a0045a0d88432c7d4b9ab11e22b270983983142c0a0dc344c2a1e4d5e496b6ad8dea5	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{40381F0C-5977-11EC-876A-4E9FE619D025} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TypedURLs\url6 = "https://twitter.com/"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30928260"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url6 = 0000000000000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8053901e84edd701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "641213999"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000073ba28bec77bbe4ba4dd58ffcd9527ce00000000020000000000106600000001000020000000e1ea8e3d4f5bb9cfd6e20513936492b81c0be97f0c854f9e33eeecd3631f1516000000000e8000000002000020000000318a5b7059f96deef1fbb03b724ab2063a448b22e4a19e556fe520c4ca428339200000001be6586c8177bdf4f0862a525a900096b4b42ee3fd7d92d0b092a6cd3c2383bd40000000b896d823d53d4a78b6fac2571fbf10eec5a571cc42d05421f5a03441f85117a20cd6aa2995d2d22c9d839ba53932dc63e42e3af91fd1683218e96afd1b98db7f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30928260"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "420134591"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e000391d84edd701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TypedURLs	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "https://free4pc.org/bandicam-crack/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TypedURLsTime	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000073ba28bec77bbe4ba4dd58ffcd9527ce000000000200000000001066000000010000200000004c1013ed4541adf1f6fa4efb3c83f726fedd64a346f8fe84b141c012135381cb000000000e80000000020000200000000ef18c0ba74b7f794898f1eb43980b7ca5d8a483fc7b7b5dde30f7767d2d8d7e20000000010723bbf23a798d58590e304e7afbfaac8cc9d40c25ae2c60d9d8c8223e47c84000000069b4d607b363b643b800fc52ead137669f4dfaf804fb024461f74c6fb4027cdcce6fe1939c03a4f9013fe5869d8a3611e52de028ac6b8064c77a8122245b9e37	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TypedURLs\url4 = "https://signin.ebay.com/ws/ebayisapi.dll"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30928260"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url5 = 0000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "345894522"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TypedURLs\url3 = "https://login.aliexpress.com/"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f095510f84edd701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30928260"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TypedURLs\url5 = "https://login.live.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "377165979"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe

Modifies registry class 3 IoCs

Processes:

taskmgr.exefirefox.exeSystemSettings.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	SystemSettings.exe

NTFS ADS 1 IoCs

Processes:

firefox.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\RAR_Password_Recovery_Magic_v6_keygen_by_KeyGenGuru.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exe10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe

pid	process
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
684	10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe
684	10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe
2692	10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe
2692	10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

taskmgr.exetaskmgr.exe

pid process

2468 taskmgr.exe
1076 taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

Processes:

chrome.exe

pid	process
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

taskmgr.exe10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exehelper.exeSystemSettings.exefirefox.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exeAUDIODG.EXEtaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	2468	taskmgr.exe
Token: SeSystemProfilePrivilege	2468	taskmgr.exe
Token: SeCreateGlobalPrivilege	2468	taskmgr.exe
Token: SeDebugPrivilege	684	10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe
Token: SeDebugPrivilege	4344	helper.exe
Token: SeDebugPrivilege	4344	helper.exe
Token: SeShutdownPrivilege	4520	SystemSettings.exe
Token: SeCreatePagefilePrivilege	4520	SystemSettings.exe
Token: SeShutdownPrivilege	4520	SystemSettings.exe
Token: SeCreatePagefilePrivilege	4520	SystemSettings.exe
Token: SeDebugPrivilege	1304	firefox.exe
Token: SeDebugPrivilege	1304	firefox.exe
Token: 33	5048	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	5048	software_reporter_tool.exe
Token: 33	1892	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	1892	software_reporter_tool.exe
Token: 33	4112	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	4112	software_reporter_tool.exe
Token: 33	4144	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	4144	software_reporter_tool.exe
Token: SeDebugPrivilege	1304	firefox.exe
Token: SeDebugPrivilege	1304	firefox.exe
Token: SeDebugPrivilege	1304	firefox.exe
Token: 33	448	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	448	AUDIODG.EXE
Token: 33	2468	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2468	taskmgr.exe
Token: SeDebugPrivilege	1304	firefox.exe
Token: SeDebugPrivilege	1304	firefox.exe
Token: SeDebugPrivilege	1076	taskmgr.exe
Token: SeSystemProfilePrivilege	1076	taskmgr.exe
Token: SeCreateGlobalPrivilege	1076	taskmgr.exe
Token: SeDebugPrivilege	1304	firefox.exe
Token: SeDebugPrivilege	1304	firefox.exe
Token: SeDebugPrivilege	1304	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe
2468	taskmgr.exe

Suspicious use of SetWindowsHookEx 26 IoCs

Processes:

firefox.exeSystemSettings.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
1304	firefox.exe
4520	SystemSettings.exe
1304	firefox.exe
1304	firefox.exe
1304	firefox.exe
1304	firefox.exe
1304	firefox.exe
1304	firefox.exe
1304	firefox.exe
1304	firefox.exe
1304	firefox.exe
4668	iexplore.exe
4668	iexplore.exe
2544	IEXPLORE.EXE
2544	IEXPLORE.EXE
4668	iexplore.exe
2544	IEXPLORE.EXE
2544	IEXPLORE.EXE
2544	IEXPLORE.EXE
2544	IEXPLORE.EXE
2544	IEXPLORE.EXE
2544	IEXPLORE.EXE
3672	IEXPLORE.EXE
3672	IEXPLORE.EXE
3672	IEXPLORE.EXE
3672	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exechrome.exe

description	pid	process	target process
PID 684 wrote to memory of 388	684	10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe	10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe
PID 684 wrote to memory of 388	684	10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe	10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe
PID 684 wrote to memory of 388	684	10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe	10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe
PID 684 wrote to memory of 2692	684	10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe	10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe
PID 684 wrote to memory of 2692	684	10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe	10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe
PID 684 wrote to memory of 2692	684	10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe	10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe
PID 684 wrote to memory of 2692	684	10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe	10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe
PID 684 wrote to memory of 2692	684	10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe	10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe
PID 684 wrote to memory of 2692	684	10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe	10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe
PID 3796 wrote to memory of 3532	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 3532	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 1760	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 3236	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 3236	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2168	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2168	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2168	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2168	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2168	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2168	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2168	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2168	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2168	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2168	3796	chrome.exe	chrome.exe
PID 3796 wrote to memory of 2168	3796	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe
"C:\Users\Admin\AppData\Local\Temp\10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:684

C:\Users\Admin\AppData\Local\Temp\10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe
"C:\Users\Admin\AppData\Local\Temp\10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe"
2⤵
PID:388

C:\Users\Admin\AppData\Local\Temp\10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe
"C:\Users\Admin\AppData\Local\Temp\10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2692

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2468

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:776

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\RemoveDisconnect.bat"
1⤵
PID:1680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
PID:3796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffcd6164f50,0x7ffcd6164f60,0x7ffcd6164f70
2⤵
PID:3532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1504,14934132590812624430,1300530806783161573,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1516 /prefetch:2
2⤵
PID:1760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1504,14934132590812624430,1300530806783161573,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1752 /prefetch:8
2⤵
PID:3236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1504,14934132590812624430,1300530806783161573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 /prefetch:8
2⤵
PID:2168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,14934132590812624430,1300530806783161573,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2692 /prefetch:1
2⤵
PID:3600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,14934132590812624430,1300530806783161573,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2684 /prefetch:1
2⤵
PID:2284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,14934132590812624430,1300530806783161573,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
2⤵
PID:1512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,14934132590812624430,1300530806783161573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4332 /prefetch:8
2⤵
PID:2720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,14934132590812624430,1300530806783161573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4472 /prefetch:8
2⤵
PID:2708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,14934132590812624430,1300530806783161573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4452 /prefetch:8
2⤵
PID:3380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,14934132590812624430,1300530806783161573,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 /prefetch:8
2⤵
PID:1152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,14934132590812624430,1300530806783161573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4392 /prefetch:8
2⤵
PID:2368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,14934132590812624430,1300530806783161573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4832 /prefetch:8
2⤵
PID:2820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,14934132590812624430,1300530806783161573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4408 /prefetch:8
2⤵
PID:3108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,14934132590812624430,1300530806783161573,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 /prefetch:8
2⤵
PID:4016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,14934132590812624430,1300530806783161573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5012 /prefetch:8
2⤵
PID:3480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,14934132590812624430,1300530806783161573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4780 /prefetch:8
2⤵
PID:3460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,14934132590812624430,1300530806783161573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5040 /prefetch:8
2⤵
PID:3144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,14934132590812624430,1300530806783161573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4812 /prefetch:8
2⤵
PID:2432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,14934132590812624430,1300530806783161573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5316 /prefetch:8
2⤵
PID:2260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,14934132590812624430,1300530806783161573,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
2⤵
PID:216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,14934132590812624430,1300530806783161573,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
2⤵
PID:1892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,14934132590812624430,1300530806783161573,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
2⤵
PID:1476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,14934132590812624430,1300530806783161573,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1
2⤵
PID:2232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,14934132590812624430,1300530806783161573,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3808 /prefetch:1
2⤵
PID:1516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,14934132590812624430,1300530806783161573,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3132 /prefetch:1
2⤵
PID:1580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,14934132590812624430,1300530806783161573,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
2⤵
PID:3988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,14934132590812624430,1300530806783161573,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
2⤵
PID:160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,14934132590812624430,1300530806783161573,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3088 /prefetch:1
2⤵
PID:2724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,14934132590812624430,1300530806783161573,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
2⤵
PID:4656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,14934132590812624430,1300530806783161573,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1444 /prefetch:8
2⤵
PID:4116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,14934132590812624430,1300530806783161573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2156 /prefetch:8
2⤵
PID:4160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,14934132590812624430,1300530806783161573,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2628 /prefetch:8
2⤵
PID:4312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,14934132590812624430,1300530806783161573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2024 /prefetch:8
2⤵
PID:4724

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\96.276.200\software_reporter_tool.exe
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\96.276.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=4nz7J9UfgRBTfldRNzoqvhUlE2O7Xb5V6Pnqr/Xh --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=NewCleanerUIExperiment
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1892

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=96.276.200 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff68e0af510,0x7ff68e0af520,0x7ff68e0af530
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5048

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_1892_LGUMYDVJUXCNIILA" --sandboxed-process-id=2 --init-done-notifier=720 --sandbox-mojo-pipe-token=17612118529343233467 --mojo-platform-channel-handle=696 --engine=2
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4112

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_1892_LGUMYDVJUXCNIILA" --sandboxed-process-id=3 --init-done-notifier=928 --sandbox-mojo-pipe-token=5683736848350324926 --mojo-platform-channel-handle=924
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,14934132590812624430,1300530806783161573,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1412 /prefetch:8
2⤵
PID:4924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,14934132590812624430,1300530806783161573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4940 /prefetch:8
2⤵
PID:4576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,14934132590812624430,1300530806783161573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5492 /prefetch:8
2⤵
PID:1684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,14934132590812624430,1300530806783161573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2560 /prefetch:8
2⤵
PID:4184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1504,14934132590812624430,1300530806783161573,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4928 /prefetch:2
2⤵
PID:4424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,14934132590812624430,1300530806783161573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2560 /prefetch:8
2⤵
PID:2424

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3136

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1304

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1304.0.451916914\95515521" -parentBuildID 20200403170909 -prefsHandle 1544 -prefMapHandle 1536 -prefsLen 1 -prefMapSize 219808 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1304 "\\.\pipe\gecko-crash-server-pipe.1304" 1624 gpu
3⤵
PID:2012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1304.3.342535829\2018745059" -childID 1 -isForBrowser -prefsHandle 2272 -prefMapHandle 2268 -prefsLen 122 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1304 "\\.\pipe\gecko-crash-server-pipe.1304" 2236 tab
3⤵
PID:3196

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1304.13.1209102865\1316559797" -childID 2 -isForBrowser -prefsHandle 3424 -prefMapHandle 3420 -prefsLen 6979 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1304 "\\.\pipe\gecko-crash-server-pipe.1304" 3440 tab
3⤵
PID:2932

C:\Program Files\Mozilla Firefox\uninstall\helper.exe
"C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppUser
3⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4344

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1304.20.1771177839\1076632536" -childID 3 -isForBrowser -prefsHandle 3824 -prefMapHandle 4908 -prefsLen 8010 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1304 "\\.\pipe\gecko-crash-server-pipe.1304" 3812 tab
3⤵
PID:4892

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1304.27.267848660\854513339" -childID 4 -isForBrowser -prefsHandle 4044 -prefMapHandle 4040 -prefsLen 9128 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1304 "\\.\pipe\gecko-crash-server-pipe.1304" 4420 tab
3⤵
PID:1452

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4520

C:\Users\Admin\Desktop\RAR_Password_Recovery_Magic_v6_keygen_by_KeyGenGuru.exe
"C:\Users\Admin\Desktop\RAR_Password_Recovery_Magic_v6_keygen_by_KeyGenGuru.exe"
1⤵
PID:700

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x41c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:3784

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4152

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
PID:4204

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4668

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4668 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2544

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4668 CREDAT:148484 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3672

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1076

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\96.276.200\software_reporter_tool.exe
MD5
75ea9cd845ff0a9b46043972dfed4368

SHA1
e672a812c729a88c94d4a43dfecbdffb12337fc9

SHA256
40aa60810b802c5d68c3c105414fed22ad7481c34eed213fec4da5d59a125673

SHA512
b58d83663c0bfcd916e25f17215892f80d3511e4905c7348a45be3cdc80557c83ba6f2d1933a1db8f1d369d4cd02d2066cafb2d48c9a538054ce6d5fff97cdba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\96.276.200\software_reporter_tool.exe
MD5
75ea9cd845ff0a9b46043972dfed4368

SHA1
e672a812c729a88c94d4a43dfecbdffb12337fc9

SHA256
40aa60810b802c5d68c3c105414fed22ad7481c34eed213fec4da5d59a125673

SHA512
b58d83663c0bfcd916e25f17215892f80d3511e4905c7348a45be3cdc80557c83ba6f2d1933a1db8f1d369d4cd02d2066cafb2d48c9a538054ce6d5fff97cdba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\96.276.200\software_reporter_tool.exe
MD5
75ea9cd845ff0a9b46043972dfed4368

SHA1
e672a812c729a88c94d4a43dfecbdffb12337fc9

SHA256
40aa60810b802c5d68c3c105414fed22ad7481c34eed213fec4da5d59a125673

SHA512
b58d83663c0bfcd916e25f17215892f80d3511e4905c7348a45be3cdc80557c83ba6f2d1933a1db8f1d369d4cd02d2066cafb2d48c9a538054ce6d5fff97cdba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\96.276.200\software_reporter_tool.exe
MD5
75ea9cd845ff0a9b46043972dfed4368

SHA1
e672a812c729a88c94d4a43dfecbdffb12337fc9

SHA256
40aa60810b802c5d68c3c105414fed22ad7481c34eed213fec4da5d59a125673

SHA512
b58d83663c0bfcd916e25f17215892f80d3511e4905c7348a45be3cdc80557c83ba6f2d1933a1db8f1d369d4cd02d2066cafb2d48c9a538054ce6d5fff97cdba

Download Submit
C:\Users\Admin\AppData\Local\Google\Software Reporter Tool\software_reporter_tool-sandbox.log
MD5
b0b933dc8f6601a1e107b5915212fd91

SHA1
cd35835a4fac1ee9693e8cd5921fc2e48fb70871

SHA256
177c5ae978fbc8751eec24e85e0a8715e15207164febf750cedda4078040df6a

SHA512
6a873c7e5ae57dbfa56327d899818390b429d6a51c1f6a28abfcb0dc4af688d68dcc64cccdf6e7d69620d4902d4ec8c8e2009fbedb778fc8972c0637db34b2e2

Download Submit
\??\c:\users\admin\appdata\local\Google\Software Reporter Tool\settings.dat
MD5
c4fcecf5bd8dad5644fd174dd72c417a

SHA1
6753f348bb85eca7887b69008b533cc49250aa07

SHA256
ce0876e30a4d0b8d7f2c0717b323aa68f57891c420b85ac5dd65a96b7506de05

SHA512
aaea8f340653a81bf395f91eab0a122669e060118fb4db6e82a328845435bc9d6b91a374c53fe4d5ee15fe53bd34f0338ebb7bb96e1af534741f100d7d40bf00

Download Submit
\??\c:\users\admin\appdata\local\Google\Software Reporter Tool\settings.dat
MD5
c4fcecf5bd8dad5644fd174dd72c417a

SHA1
6753f348bb85eca7887b69008b533cc49250aa07

SHA256
ce0876e30a4d0b8d7f2c0717b323aa68f57891c420b85ac5dd65a96b7506de05

SHA512
aaea8f340653a81bf395f91eab0a122669e060118fb4db6e82a328845435bc9d6b91a374c53fe4d5ee15fe53bd34f0338ebb7bb96e1af534741f100d7d40bf00

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\em000_64.dll
MD5
d0cf72186dbaea05c5a5bf6594225fc3

SHA1
0e69efd78dc1124122dd8b752be92cb1cbc067a1

SHA256
225d4f7e3ab4687f05f817435b883f6c3271b6c4d4018d94fe4398a350d74907

SHA512
8122a9a9205cfa67ff87cb4755089e5ed1acf8f807467216c98f09f94704f98497f7aa57ad29e255efa4d7206c577c4cf7fed140afb046499fc2e57e03f55285

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\em001_64.dll
MD5
7adcb76ec34d774d1435b477e8625c47

SHA1
ec4ba0ad028c45489608c6822f3cabb683a07064

SHA256
a55be2be943078157b7d1cfb52febd4a95e4c7a37995bb75b19b079cc1ee5b9d

SHA512
c1af669ee971b4f4a3bb057fe423a63376cfc19026650036b29d77fed73458d235889a662ac5e12c871c3e77f6fbdb1fa29c0dfa488a4a40fa045d79eb61e7c4

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\em002_64.dll
MD5
8398e65877faf2f60a611aed37c7d638

SHA1
b21222cda1590ead5e07f9253ac08ea4796a0031

SHA256
f8ae1f73552c0881660fc4c1c6690a73097e535f6b93b3d9d263c03fe309183f

SHA512
3ac54c58bab7a78164e2f536d02349ba36c83e904807a20889f0203de29ae217e4d7a12e4be40bf37f5757a329753475e30ebe720791afdc8f84251f5f159767

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\em003_64.dll
MD5
3c4af468709f2d586ab4c2819633616c

SHA1
965fb6969acadcec77cc9918153b01f56fc209cd

SHA256
16bc60d0297ffff802d1b270bca8fded4339ac2f255f50e2a632dffbf369a6c8

SHA512
ef2808b02700dc70ecaed4aed3056b196ae38028c9caebace88da058b51c81b264343d045be76cd592737117c1cb1ab6d5291fb344783213f34609ce7ea6970a

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\em004_64.dll
MD5
68258a5cff71fdaf66bc1ef5da5ac004

SHA1
aed0bd7481c36175b3f8267caeab0b3c0fc06520

SHA256
9737130b8f090a39e27dd71685315dc5e7c1b6b8a251ac0b9788871d574d7710

SHA512
6c4ca70593f83703db1cfb2f24465939a27e771e1e465dee27baf04b202e42653f26ed8713092fabc5b2f82394644295a597c5cb38a1db49eb1a7f0a7f67d8c6

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\em005_64.dll
MD5
169a2ef320119891cf3189aa3fd23b0e

SHA1
de51c936101ef79bbc0f1d3c800cf832d221eef8

SHA256
1072d49da0a70640fb9716cb894f4834ff621ca96d4aea1f478754edf4d0f780

SHA512
7fe27d360bbf6d410ea9d33d6003ab455cd8b9e5521c00db9bb6c44a7472ccf2083d51034bab5ffc5aef85db36fc758c76b02fa31f0d0024c9d532548a2bf9ca

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\software_reporter_tool.exe
MD5
75ea9cd845ff0a9b46043972dfed4368

SHA1
e672a812c729a88c94d4a43dfecbdffb12337fc9

SHA256
40aa60810b802c5d68c3c105414fed22ad7481c34eed213fec4da5d59a125673

SHA512
b58d83663c0bfcd916e25f17215892f80d3511e4905c7348a45be3cdc80557c83ba6f2d1933a1db8f1d369d4cd02d2066cafb2d48c9a538054ce6d5fff97cdba

Download Submit
\??\pipe\chrome.1304.10.168873157
MD5
34fac6cfaac4069c2e3948ff74c41807

SHA1
52f7f8086f8d92455c53c559fc93363604464a55

SHA256
aacc95b172781581196173be776f26b83d5a7d7bb5007fb6d683bda4b9d0675b

SHA512
21351609f17c2abfae47dbc09bf97f8eaf07be7ee80a0cf635091ba78fb6d0def8b2cc18348156b3b18bcdb5703198c79ba40597863e0a6c4c5f626c7778e18f

Download Submit
\??\pipe\crashpad_1892_LGUMYDVJUXCNIILA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_3796_CKEZQYWQTODUHKJZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\96.276.200\edls_64.dll
MD5
e9a7c44d7bda10b5b7a132d46fcdaf35

SHA1
5217179f094c45ba660777cfa25c7eb00b5c8202

SHA256
35351366369a7774f9f30f38dc8aa3cd5e087acd8eae79e80c24526cd40e95a1

SHA512
e76308eee65bf0bf31e58d754e07b63092a4109ef3d44df7b746da99d44be6112bc5f970123c4e82523b6d301392e09c2cfc490e304550b42d152cdb0757e774

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\96.276.200\em000_64.dll
MD5
d0cf72186dbaea05c5a5bf6594225fc3

SHA1
0e69efd78dc1124122dd8b752be92cb1cbc067a1

SHA256
225d4f7e3ab4687f05f817435b883f6c3271b6c4d4018d94fe4398a350d74907

SHA512
8122a9a9205cfa67ff87cb4755089e5ed1acf8f807467216c98f09f94704f98497f7aa57ad29e255efa4d7206c577c4cf7fed140afb046499fc2e57e03f55285

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\96.276.200\em001_64.dll
MD5
7adcb76ec34d774d1435b477e8625c47

SHA1
ec4ba0ad028c45489608c6822f3cabb683a07064

SHA256
a55be2be943078157b7d1cfb52febd4a95e4c7a37995bb75b19b079cc1ee5b9d

SHA512
c1af669ee971b4f4a3bb057fe423a63376cfc19026650036b29d77fed73458d235889a662ac5e12c871c3e77f6fbdb1fa29c0dfa488a4a40fa045d79eb61e7c4

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\96.276.200\em002_64.dll
MD5
8398e65877faf2f60a611aed37c7d638

SHA1
b21222cda1590ead5e07f9253ac08ea4796a0031

SHA256
f8ae1f73552c0881660fc4c1c6690a73097e535f6b93b3d9d263c03fe309183f

SHA512
3ac54c58bab7a78164e2f536d02349ba36c83e904807a20889f0203de29ae217e4d7a12e4be40bf37f5757a329753475e30ebe720791afdc8f84251f5f159767

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\96.276.200\em003_64.dll
MD5
3c4af468709f2d586ab4c2819633616c

SHA1
965fb6969acadcec77cc9918153b01f56fc209cd

SHA256
16bc60d0297ffff802d1b270bca8fded4339ac2f255f50e2a632dffbf369a6c8

SHA512
ef2808b02700dc70ecaed4aed3056b196ae38028c9caebace88da058b51c81b264343d045be76cd592737117c1cb1ab6d5291fb344783213f34609ce7ea6970a

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\96.276.200\em004_64.dll
MD5
68258a5cff71fdaf66bc1ef5da5ac004

SHA1
aed0bd7481c36175b3f8267caeab0b3c0fc06520

SHA256
9737130b8f090a39e27dd71685315dc5e7c1b6b8a251ac0b9788871d574d7710

SHA512
6c4ca70593f83703db1cfb2f24465939a27e771e1e465dee27baf04b202e42653f26ed8713092fabc5b2f82394644295a597c5cb38a1db49eb1a7f0a7f67d8c6

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\96.276.200\em005_64.dll
MD5
169a2ef320119891cf3189aa3fd23b0e

SHA1
de51c936101ef79bbc0f1d3c800cf832d221eef8

SHA256
1072d49da0a70640fb9716cb894f4834ff621ca96d4aea1f478754edf4d0f780

SHA512
7fe27d360bbf6d410ea9d33d6003ab455cd8b9e5521c00db9bb6c44a7472ccf2083d51034bab5ffc5aef85db36fc758c76b02fa31f0d0024c9d532548a2bf9ca

Download Submit
\Users\Admin\AppData\Local\Temp\nsc27F.tmp\CityHash.dll
MD5
737379945745bb94f8a0dadcc18cad8d

SHA1
6a1f497b4dc007f5935b66ec83b00e5a394332c6

SHA256
d3d7b3d7a7941d66c7f75257be90b12ac76f787af42cd58f019ce0280972598a

SHA512
c4a43b3ca42483cbd117758791d4333ddf38fa45eb3377f7b71ce74ec6e4d8b5ef2bfbe48c249d4eaf57ab929f4301138e53c79e0fa4be94dcbcd69c8046bc22

Download Submit
\Users\Admin\AppData\Local\Temp\nsc27F.tmp\CityHash.dll
MD5
737379945745bb94f8a0dadcc18cad8d

SHA1
6a1f497b4dc007f5935b66ec83b00e5a394332c6

SHA256
d3d7b3d7a7941d66c7f75257be90b12ac76f787af42cd58f019ce0280972598a

SHA512
c4a43b3ca42483cbd117758791d4333ddf38fa45eb3377f7b71ce74ec6e4d8b5ef2bfbe48c249d4eaf57ab929f4301138e53c79e0fa4be94dcbcd69c8046bc22

Download Submit
\Users\Admin\AppData\Local\Temp\nsc27F.tmp\System.dll
MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
memory/448-183-0x0000023FB02D0000-0x0000023FB02D2000-memory.dmp

Filesize
8KB

Download
memory/448-184-0x0000023FB02D0000-0x0000023FB02D2000-memory.dmp

Filesize
8KB

Download
memory/684-116-0x00000000007B0000-0x000000000084A000-memory.dmp

Filesize
616KB

Download
memory/684-121-0x00000000054A0000-0x00000000054B0000-memory.dmp

Filesize
64KB

Download
memory/684-115-0x00000000007B0000-0x000000000084A000-memory.dmp

Filesize
616KB

Download
memory/684-119-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/684-122-0x0000000008790000-0x00000000087DB000-memory.dmp

Filesize
300KB

Download
memory/684-117-0x0000000005670000-0x0000000005B6E000-memory.dmp

Filesize
5.0MB

Download
memory/684-118-0x0000000005210000-0x00000000052A2000-memory.dmp

Filesize
584KB

Download
memory/684-123-0x00000000087E0000-0x000000000887C000-memory.dmp

Filesize
624KB

Download
memory/684-124-0x00000000088E0000-0x0000000008940000-memory.dmp

Filesize
384KB

Download
memory/684-120-0x00000000051D0000-0x00000000051DA000-memory.dmp

Filesize
40KB

Download
memory/700-181-0x0000000005AD0000-0x0000000005B26000-memory.dmp

Filesize
344KB

Download
memory/700-185-0x0000000003313000-0x0000000003315000-memory.dmp

Filesize
8KB

Download
memory/700-178-0x0000000005E10000-0x000000000630E000-memory.dmp

Filesize
5.0MB

Download
memory/700-177-0x0000000005870000-0x000000000590C000-memory.dmp

Filesize
624KB

Download
memory/700-176-0x0000000000F10000-0x0000000000FAE000-memory.dmp

Filesize
632KB

Download
memory/700-180-0x00000000057C0000-0x00000000057CA000-memory.dmp

Filesize
40KB

Download
memory/700-175-0x0000000000F10000-0x0000000000FAE000-memory.dmp

Filesize
632KB

Download
memory/700-179-0x0000000005910000-0x00000000059A2000-memory.dmp

Filesize
584KB

Download
memory/700-182-0x0000000003310000-0x0000000003311000-memory.dmp

Filesize
4KB

Download
memory/1892-137-0x0000027CF4A40000-0x0000027CF4A42000-memory.dmp

Filesize
8KB

Download
memory/1892-135-0x0000000000000000-mapping.dmp

Download
memory/1892-138-0x0000027CF4A40000-0x0000027CF4A42000-memory.dmp

Filesize
8KB

Download
memory/2544-211-0x0000000000000000-mapping.dmp

Download
memory/2692-126-0x000000000041D400-mapping.dmp

Download
memory/2692-125-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2692-127-0x0000000000F90000-0x00000000012B0000-memory.dmp

Filesize
3.1MB

Download
memory/3672-256-0x0000000000000000-mapping.dmp

Download
memory/4112-151-0x00007FFCEEAF0000-0x00007FFCEEAF1000-memory.dmp

Filesize
4KB

Download
memory/4112-146-0x0000000000000000-mapping.dmp

Download
memory/4112-149-0x0000029A800E0000-0x0000029A800E2000-memory.dmp

Filesize
8KB

Download
memory/4112-145-0x0000029A897BF000-0x0000029A897C0000-memory.dmp

Filesize
4KB

Download
memory/4112-148-0x0000029A800E0000-0x0000029A800E2000-memory.dmp

Filesize
8KB

Download
memory/4112-150-0x00007FFCEEE10000-0x00007FFCEEE11000-memory.dmp

Filesize
4KB

Download
memory/4144-167-0x0000000000000000-mapping.dmp

Download
memory/4144-170-0x0000026ABD480000-0x0000026ABD482000-memory.dmp

Filesize
8KB

Download
memory/4144-166-0x0000026ABD4F0000-0x0000026ABD4F1000-memory.dmp

Filesize
4KB

Download
memory/4144-169-0x0000026ABD480000-0x0000026ABD482000-memory.dmp

Filesize
8KB

Download
memory/4344-134-0x0000000000770000-0x000000000077F000-memory.dmp

Filesize
60KB

Download
memory/4344-130-0x0000000000000000-mapping.dmp

Download
memory/4668-192-0x00007FFCD4880000-0x00007FFCD48EB000-memory.dmp

Filesize
428KB

Download
memory/4668-207-0x00007FFCD4880000-0x00007FFCD48EB000-memory.dmp

Filesize
428KB

Download
memory/4668-187-0x00007FFCD4880000-0x00007FFCD48EB000-memory.dmp

Filesize
428KB

Download
memory/4668-188-0x00007FFCD4880000-0x00007FFCD48EB000-memory.dmp

Filesize
428KB

Download
memory/4668-190-0x00007FFCD4880000-0x00007FFCD48EB000-memory.dmp

Filesize
428KB

Download
memory/4668-191-0x00007FFCD4880000-0x00007FFCD48EB000-memory.dmp

Filesize
428KB

Download
memory/4668-193-0x00007FFCD4880000-0x00007FFCD48EB000-memory.dmp

Filesize
428KB

Download
memory/4668-228-0x00007FFCD4880000-0x00007FFCD48EB000-memory.dmp

Filesize
428KB

Download
memory/4668-194-0x00007FFCD4880000-0x00007FFCD48EB000-memory.dmp

Filesize
428KB

Download
memory/4668-195-0x00007FFCD4880000-0x00007FFCD48EB000-memory.dmp

Filesize
428KB

Download
memory/4668-196-0x00007FFCD4880000-0x00007FFCD48EB000-memory.dmp

Filesize
428KB

Download
memory/4668-198-0x00007FFCD4880000-0x00007FFCD48EB000-memory.dmp

Filesize
428KB

Download
memory/4668-199-0x00007FFCD4880000-0x00007FFCD48EB000-memory.dmp

Filesize
428KB

Download
memory/4668-200-0x00007FFCD4880000-0x00007FFCD48EB000-memory.dmp

Filesize
428KB

Download
memory/4668-202-0x00007FFCD4880000-0x00007FFCD48EB000-memory.dmp

Filesize
428KB

Download
memory/4668-204-0x00007FFCD4880000-0x00007FFCD48EB000-memory.dmp

Filesize
428KB

Download
memory/4668-205-0x00007FFCD4880000-0x00007FFCD48EB000-memory.dmp

Filesize
428KB

Download
memory/4668-186-0x00007FFCD4880000-0x00007FFCD48EB000-memory.dmp

Filesize
428KB

Download
memory/4668-206-0x00007FFCD4880000-0x00007FFCD48EB000-memory.dmp

Filesize
428KB

Download
memory/4668-208-0x00007FFCD4880000-0x00007FFCD48EB000-memory.dmp

Filesize
428KB

Download
memory/4668-209-0x00007FFCD4880000-0x00007FFCD48EB000-memory.dmp

Filesize
428KB

Download
memory/4668-227-0x00007FFCD4880000-0x00007FFCD48EB000-memory.dmp

Filesize
428KB

Download
memory/4668-212-0x00007FFCD4880000-0x00007FFCD48EB000-memory.dmp

Filesize
428KB

Download
memory/4668-213-0x00007FFCD4880000-0x00007FFCD48EB000-memory.dmp

Filesize
428KB

Download
memory/4668-215-0x00007FFCD4880000-0x00007FFCD48EB000-memory.dmp

Filesize
428KB

Download
memory/4668-216-0x00007FFCD4880000-0x00007FFCD48EB000-memory.dmp

Filesize
428KB

Download
memory/4668-218-0x00007FFCD4880000-0x00007FFCD48EB000-memory.dmp

Filesize
428KB

Download
memory/4668-220-0x00007FFCD4880000-0x00007FFCD48EB000-memory.dmp

Filesize
428KB

Download
memory/4668-221-0x00007FFCD4880000-0x00007FFCD48EB000-memory.dmp

Filesize
428KB

Download
memory/4668-222-0x00007FFCD4880000-0x00007FFCD48EB000-memory.dmp

Filesize
428KB

Download
memory/4668-226-0x00007FFCD4880000-0x00007FFCD48EB000-memory.dmp

Filesize
428KB

Download
memory/5048-141-0x00000287A22A0000-0x00000287A22A2000-memory.dmp

Filesize
8KB

Download
memory/5048-142-0x00000287A22A0000-0x00000287A22A2000-memory.dmp

Filesize
8KB

Download
memory/5048-139-0x0000000000000000-mapping.dmp

Download