plugx | hxxp://news-spot[.]live/Reports/1/45/

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
21-03-2022 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://news-spot.live/Reports/1/45/

Score

10^/10

plugx spyware stealer trojan

Malware Config

Signatures

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

PlugX Rat Payload 6 IoCs

resource	yara_rule
behavioral1/files/0x000600000002242d-148.dat	PlugX
behavioral1/files/0x000600000002242d-149.dat	PlugX
behavioral1/files/0x000600000002242d-152.dat	PlugX
behavioral1/files/0x0006000000022437-161.dat	PlugX
behavioral1/files/0x0006000000022437-168.dat	PlugX
behavioral1/files/0x000600000002242d-170.dat	PlugX

Executes dropped EXE 4 IoCs

pid	Process
3764	software_reporter_tool.exe
5024	software_reporter_tool.exe
1472	software_reporter_tool.exe
2464	software_reporter_tool.exe

Loads dropped DLL 7 IoCs

pid	Process
1472	software_reporter_tool.exe
1472	software_reporter_tool.exe
1472	software_reporter_tool.exe
1472	software_reporter_tool.exe
1472	software_reporter_tool.exe
1472	software_reporter_tool.exe
1472	software_reporter_tool.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Windows directory 62 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\BIT7F2F.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\BITDFF7.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\Jda7di8befpfPWz3DrhkMwwJL9XbuL8\BIT145.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\BITFD9B.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\6feeefdf55ac33c2cb46a25670952111\o\egfDu3QHOC\BIT19F7.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\cb9f14b7916e97a31f1e53948ed1b67f\BIT4D50.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\26794b1631618c81e2caec277357b370\BIT4D71.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\f3535a3b47819a04c6d5ee18905493be086e801e	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\BITE1BE.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\YZBnsYBVNBTl3Isrrjy7P0\BITFCFD.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\YZBnsYBVNBTl3Isrrjy7P0\BIT668.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\BIT1E3.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\26794b1631618c81e2caec277357b370\BIT4CE2.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BIT795F.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\BITFD6B.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\BIT724.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\6feeefdf55ac33c2cb46a25670952111\o\egfDu3QHOC\Xbfe7KpvVnvJHxQ2cRDBmUlnoMnpDY=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\6feeefdf55ac33c2cb46a25670952111\BITE4A.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\6feeefdf55ac33c2cb46a25670952111\BIT1AB3.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\CsA9z1\SlUHUPO8bKnA\BIT7A2B.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\pj5OoD7hJ+dBGy+3XOjLT8WsuYwervv\LZOCjtiHKk8=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BITDF1B.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\612ad442b8740f4c57b8c84e6bf465ba4699118c	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\d9f2a302574bf135efc9dbd1a8083a336f7f52f0	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\6feeefdf55ac33c2cb46a25670952111\BIT1012.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\cb9f14b7916e97a31f1e53948ed1b67f\6\BIT5012.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\Jda7di8befpfPWz3DrhkMwwJL9XbuL8\fDFnweOZvFE=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\cb9f14b7916e97a31f1e53948ed1b67f\BIT5090.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\BIT7F7E.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\a3f602ea4d534d006919a2613d91f9506b383314	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BIT929A.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\BIT9666.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\F2WKV54ysEMEW9U+EfiUeJcNcgfNL4pMC5NmE0a3mAg=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BITE700.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\6feeefdf55ac33c2cb46a25670952111\o\egfDu3QHOC\BITDBD.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\e1a85885fd4453165061351651289cce8f8590c4	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\26794b1631618c81e2caec277357b370\daNJ9YVgpN191GzoPynRDpTEDO9uUytOK6Ln7xcN8To=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\pj5OoD7hJ+dBGy+3XOjLT8WsuYwervv\BIT7B35.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BIT9337.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BITE633.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\cb9f14b7916e97a31f1e53948ed1b67f\c3ca3df6b0660cc02fa0c60992eb1164c186b223	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\26794b1631618c81e2caec277357b370\BIT5776.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\CsA9z1\SlUHUPO8bKnA\BITD749.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\Jda7di8befpfPWz3DrhkMwwJL9XbuL8\BITFC40.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\6e15245aed25ee83b027521f9cf9ea812c9d016d	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\6feeefdf55ac33c2cb46a25670952111\2cd32031792245e69c7777193005916861cbbe94	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\cb9f14b7916e97a31f1e53948ed1b67f\6\BIT4C35.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BIT7E63.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\BITF1CF.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\26794b1631618c81e2caec277357b370\BIT5813.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\pj5OoD7hJ+dBGy+3XOjLT8WsuYwervv\BIT95A9.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\BITF161.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\26794b1631618c81e2caec277357b370\fbaaae7103d0f0a1303a40d280aa18bafcd08dcf	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\Cmn5TH6S2lFFnfMN8MLr2EoNUIAGzQo2UUjHGMEC99A=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\6feeefdf55ac33c2cb46a25670952111\o\egfDu3QHOC\BITF65.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\cb9f14b7916e97a31f1e53948ed1b67f\6\v9GXr9MSfUt92b0dEpOsHH2H0TwcnvKmtIW8g3ovM=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\CsA9z1\SlUHUPO8bKnA\5ondRmJ90JlkPETuN535TWk=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\9+dL4Puh6FM8puPxsBEX86BMeGqpuC0b7gf2fD9DLLo=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\af66e12c1bb9d8519da21259d0fcd88c247cb4f1	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\BITD815.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BITE065.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\YZBnsYBVNBTl3Isrrjy7P0\FTTOLXxEZk0li+ZNE2Uo=	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2992	chrome.exe
2992	chrome.exe
1176	chrome.exe
1176	chrome.exe
4720	chrome.exe
4720	chrome.exe
5060	chrome.exe
5060	chrome.exe
4500	chrome.exe
4500	chrome.exe
4460	chrome.exe
4460	chrome.exe
4516	chrome.exe
4516	chrome.exe
3764	software_reporter_tool.exe
3764	software_reporter_tool.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: 33	5024	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	5024	software_reporter_tool.exe
Token: 33	3764	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	3764	software_reporter_tool.exe
Token: 33	1472	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	1472	software_reporter_tool.exe
Token: 33	2464	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	2464	software_reporter_tool.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 2364	1176	chrome.exe	83
PID 1176 wrote to memory of 2364	1176	chrome.exe	83
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 752	1176	chrome.exe	87
PID 1176 wrote to memory of 2992	1176	chrome.exe	89
PID 1176 wrote to memory of 2992	1176	chrome.exe	89
PID 1176 wrote to memory of 4156	1176	chrome.exe	90
PID 1176 wrote to memory of 4156	1176	chrome.exe	90
PID 1176 wrote to memory of 4156	1176	chrome.exe	90
PID 1176 wrote to memory of 4156	1176	chrome.exe	90
PID 1176 wrote to memory of 4156	1176	chrome.exe	90
PID 1176 wrote to memory of 4156	1176	chrome.exe	90
PID 1176 wrote to memory of 4156	1176	chrome.exe	90
PID 1176 wrote to memory of 4156	1176	chrome.exe	90
PID 1176 wrote to memory of 4156	1176	chrome.exe	90
PID 1176 wrote to memory of 4156	1176	chrome.exe	90
PID 1176 wrote to memory of 4156	1176	chrome.exe	90
PID 1176 wrote to memory of 4156	1176	chrome.exe	90
PID 1176 wrote to memory of 4156	1176	chrome.exe	90
PID 1176 wrote to memory of 4156	1176	chrome.exe	90
PID 1176 wrote to memory of 4156	1176	chrome.exe	90
PID 1176 wrote to memory of 4156	1176	chrome.exe	90
PID 1176 wrote to memory of 4156	1176	chrome.exe	90
PID 1176 wrote to memory of 4156	1176	chrome.exe	90
PID 1176 wrote to memory of 4156	1176	chrome.exe	90
PID 1176 wrote to memory of 4156	1176	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" http://news-spot.live/Reports/1/45/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9608b4f50,0x7ff9608b4f60,0x7ff9608b4f70
  2⤵
  PID:2364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1580,8918360553623648896,13242685653287464649,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1592 /prefetch:2
  2⤵
  PID:752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1580,8918360553623648896,13242685653287464649,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1932 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1580,8918360553623648896,13242685653287464649,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 /prefetch:8
  2⤵
  PID:4156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,8918360553623648896,13242685653287464649,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2884 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,8918360553623648896,13242685653287464649,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2908 /prefetch:1
  2⤵
  PID:4288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,8918360553623648896,13242685653287464649,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4296 /prefetch:8
  2⤵
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,8918360553623648896,13242685653287464649,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,8918360553623648896,13242685653287464649,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5252 /prefetch:8
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,8918360553623648896,13242685653287464649,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5256 /prefetch:8
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,8918360553623648896,13242685653287464649,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,8918360553623648896,13242685653287464649,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,8918360553623648896,13242685653287464649,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  PID:4272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,8918360553623648896,13242685653287464649,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5296 /prefetch:8
  2⤵
  PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,8918360553623648896,13242685653287464649,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4356 /prefetch:8
  2⤵
  PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,8918360553623648896,13242685653287464649,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4628 /prefetch:8
  2⤵
  PID:456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,8918360553623648896,13242685653287464649,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  PID:3864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,8918360553623648896,13242685653287464649,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,8918360553623648896,13242685653287464649,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,8918360553623648896,13242685653287464649,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4640 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,8918360553623648896,13242685653287464649,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2260 /prefetch:8
  2⤵
  PID:4264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,8918360553623648896,13242685653287464649,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,8918360553623648896,13242685653287464649,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4828 /prefetch:8
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,8918360553623648896,13242685653287464649,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2116 /prefetch:8
  2⤵
  PID:1300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,8918360553623648896,13242685653287464649,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  PID:2392
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\99.279.200\software_reporter_tool.exe
  "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\99.279.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=L0kR7NLC1FpWHBZA6SMUNVCl1xe2H0P3mUKgGCYx --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=NewCleanerUIExperiment
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3764
- - \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\99.279.200\software_reporter_tool.exe
    "c:\users\admin\appdata\local\google\chrome\user data\swreporter\99.279.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=99.279.200 --initial-client-data=0x284,0x288,0x28c,0x24c,0x290,0x7ff6dbcc25a0,0x7ff6dbcc25b0,0x7ff6dbcc25c0
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5024
- - \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\99.279.200\software_reporter_tool.exe
    "c:\users\admin\appdata\local\google\chrome\user data\swreporter\99.279.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_3764_EYYUJHCMANMXHPPC" --sandboxed-process-id=2 --init-done-notifier=768 --sandbox-mojo-pipe-token=1607388765666632415 --mojo-platform-channel-handle=744 --engine=2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1472
- - \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\99.279.200\software_reporter_tool.exe
    "c:\users\admin\appdata\local\google\chrome\user data\swreporter\99.279.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_3764_EYYUJHCMANMXHPPC" --sandboxed-process-id=3 --init-done-notifier=996 --sandbox-mojo-pipe-token=13670843864354820705 --mojo-platform-channel-handle=992
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,8918360553623648896,13242685653287464649,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4444 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1580,8918360553623648896,13242685653287464649,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2032 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,8918360553623648896,13242685653287464649,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2032 /prefetch:8
  2⤵
  PID:2672

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:4836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1472-153-0x00007FF97E4D0000-0x00007FF97E4D1000-memory.dmp

Filesize
4KB

Download
memory/1472-154-0x00007FF97D590000-0x00007FF97D591000-memory.dmp

Filesize
4KB

Download
memory/1760-145-0x0000028F06C20000-0x0000028F06C24000-memory.dmp

Filesize
16KB

Download
memory/1760-143-0x0000028F06C20000-0x0000028F06C24000-memory.dmp

Filesize
16KB

Download
memory/1760-142-0x0000028F069E0000-0x0000028F069E4000-memory.dmp

Filesize
16KB

Download
memory/1760-141-0x0000028F069E0000-0x0000028F069E4000-memory.dmp

Filesize
16KB

Download
memory/1760-139-0x0000028F06900000-0x0000028F06904000-memory.dmp

Filesize
16KB

Download
memory/1760-138-0x0000028F06900000-0x0000028F06904000-memory.dmp

Filesize
16KB

Download
memory/1760-137-0x0000028F06560000-0x0000028F06564000-memory.dmp

Filesize
16KB

Download
memory/1760-136-0x0000028F04180000-0x0000028F04190000-memory.dmp

Filesize
64KB

Download
memory/1760-135-0x0000028F03F60000-0x0000028F03F70000-memory.dmp

Filesize
64KB

Download