plugx | 58e384317b41f84dc77b45b5d99bd87aeaca9940bbf242d59db344d43b5de341

Analysis

max time kernel
583s
max time network
601s
platform
windows10_x64
resource
win10-20220310-en
submitted
29-03-2022 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

how-do-i-turn-off-private-network-in-windows-10.html
Size

82KB
MD5

27105d46c27a8d1f10c708b8891a639a
SHA1

7722e5ef87eb2cccb044b274551ad635d85b4c97
SHA256

58e384317b41f84dc77b45b5d99bd87aeaca9940bbf242d59db344d43b5de341
SHA512

78ca9dbc9197ed4170c710b4bb3a646cdaba57844df6c77b2ab19a6a2fa1890cd257d7fc77dce76eee0c6aba9307f39921df888d8ed562072cd8308c12b46e10

Score

10^/10

plugx discovery spyware stealer trojan

Malware Config

Signatures

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

PlugX Rat Payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\99.279.200\software_reporter_tool.exe	PlugX
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\99.279.200\software_reporter_tool.exe	PlugX
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\99.279.200\software_reporter_tool.exe	PlugX

Executes dropped EXE 4 IoCs

Processes:

software_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exe

pid process

5084 software_reporter_tool.exe
3884 software_reporter_tool.exe
4776 software_reporter_tool.exe
4112 software_reporter_tool.exe

pid	process
5084	software_reporter_tool.exe
3884	software_reporter_tool.exe
4776	software_reporter_tool.exe
4112	software_reporter_tool.exe

Loads dropped DLL 7 IoCs

Processes:

software_reporter_tool.exe

pid	process
4776	software_reporter_tool.exe
4776	software_reporter_tool.exe
4776	software_reporter_tool.exe
4776	software_reporter_tool.exe
4776	software_reporter_tool.exe
4776	software_reporter_tool.exe
4776	software_reporter_tool.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "355386355"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2304721932"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30950285"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cc97f1ca6a559947bd54ec05e06c369200000000020000000000106600000001000020000000deb900263d6c7aa9adb67926dfc9c509e23bd6791b9a456fc2433dad5d940089000000000e8000000002000020000000f821fb0f656f5dcd6c967010c2ab07b6f5ea475f9e8bb5567f9991944696157620000000ec63dcd4b7f125b376bfa6d7450a0539901db281cc42bf0d553c4d5223dbfe6140000000c196322b5866cb0a19b3bbcba89939871da9ba282a5dd203e35dd8dee34f5b8ffb5dd441f02fef555de0b13f954e0133b83d35288ff5d732f3343dcca52c41e1	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "355337767"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "355354364"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cc97f1ca6a559947bd54ec05e06c369200000000020000000000106600000001000020000000b6a779289aeeb821fa695f696cd2eec9e3811f48c9c1779ec83647d611c839e9000000000e8000000002000020000000ec949b345b1245294bb3d2f723c83690cb9f59035594b7fca30f939524b7b835200000004458cd24597f63441a6fb377c10e365d6ef0d2386115985bdac4af0f77223adb40000000ea2d1baab9f514272f4c1e60907e4ed570f4c5eb94b622a7ad8106ee3bc839c94ec480b6d488fff7e72c13baa17545f794e59344ef704d2514a3c9053aa05c8c	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 708347ab8d43d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2367717658"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30950285"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B461D521-AF80-11EC-AD4A-4A126F461292} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2304721932"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30950285"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-370654639-3807403165-1443644579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a02d54ab8d43d801	iexplore.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exesoftware_reporter_tool.exe

pid	process
1336	chrome.exe
1336	chrome.exe
3360	chrome.exe
3360	chrome.exe
4580	chrome.exe
4580	chrome.exe
4760	chrome.exe
4760	chrome.exe
4288	chrome.exe
4288	chrome.exe
4168	chrome.exe
4168	chrome.exe
4944	chrome.exe
4944	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4484	chrome.exe
4484	chrome.exe
5084	software_reporter_tool.exe
5084	software_reporter_tool.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

Processes:

chrome.exe

pid	process
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

software_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exe

description	pid	process
Token: 33	3884	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	3884	software_reporter_tool.exe
Token: 33	5084	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	5084	software_reporter_tool.exe
Token: 33	4776	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	4776	software_reporter_tool.exe
Token: 33	4112	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	4112	software_reporter_tool.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

iexplore.exechrome.exe

pid	process
1896	iexplore.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe
3360	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1896 iexplore.exe
1896 iexplore.exe
2452 IEXPLORE.EXE
2452 IEXPLORE.EXE
2452 IEXPLORE.EXE
2452 IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exechrome.exe

description	pid	process	target process
PID 1896 wrote to memory of 2452	1896	iexplore.exe	IEXPLORE.EXE
PID 1896 wrote to memory of 2452	1896	iexplore.exe	IEXPLORE.EXE
PID 1896 wrote to memory of 2452	1896	iexplore.exe	IEXPLORE.EXE
PID 3360 wrote to memory of 3576	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 3576	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1308	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1336	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1336	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1440	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1440	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1440	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1440	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1440	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1440	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1440	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1440	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1440	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1440	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1440	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1440	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1440	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1440	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1440	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1440	3360	chrome.exe	chrome.exe
PID 3360 wrote to memory of 1440	3360	chrome.exe	chrome.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\how-do-i-turn-off-private-network-in-windows-10.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1896

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1896 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffd44944f50,0x7ffd44944f60,0x7ffd44944f70
2⤵
PID:3576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1748 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1504 /prefetch:2
2⤵
PID:1308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2080 /prefetch:8
2⤵
PID:1440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2680 /prefetch:1
2⤵
PID:820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2688 /prefetch:1
2⤵
PID:1388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:1
2⤵
PID:4204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4324 /prefetch:8
2⤵
PID:4296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4356 /prefetch:8
2⤵
PID:4304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4492 /prefetch:8
2⤵
PID:4364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1
2⤵
PID:4420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2856 /prefetch:1
2⤵
PID:4524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4424 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5244 /prefetch:8
2⤵
PID:4696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5240 /prefetch:8
2⤵
PID:4728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5480 /prefetch:8
2⤵
PID:4768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4932 /prefetch:8
2⤵
PID:4832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5500 /prefetch:8
2⤵
PID:4824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5592 /prefetch:8
2⤵
PID:4892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3140 /prefetch:8
2⤵
PID:4924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3112 /prefetch:8
2⤵
PID:4956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
2⤵
PID:4992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2096 /prefetch:1
2⤵
PID:5068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3816 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1896 /prefetch:8
2⤵
PID:4432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3144 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
2⤵
PID:4172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
2⤵
PID:4700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2096 /prefetch:1
2⤵
PID:4728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
2⤵
PID:4800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3572 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
2⤵
PID:4928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6140 /prefetch:8
2⤵
PID:3608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6092 /prefetch:8
2⤵
PID:2856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1448 /prefetch:8
2⤵
PID:4968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1448 /prefetch:8
2⤵
PID:4996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4840 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5928 /prefetch:8
2⤵
PID:4292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5896 /prefetch:8
2⤵
PID:5096

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\99.279.200\software_reporter_tool.exe
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\99.279.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=EyXZH/eeVpI/ng6nF9DJ8hxp21jNylt7gZAtR2c7 --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=NewCleanerUIExperiment
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5084

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\99.279.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\99.279.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=99.279.200 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff64df725a0,0x7ff64df725b0,0x7ff64df725c0
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3884

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\99.279.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\99.279.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_5084_FBZBMLWXPJLEGKMZ" --sandboxed-process-id=2 --init-done-notifier=720 --sandbox-mojo-pipe-token=340990399036233838 --mojo-platform-channel-handle=696 --engine=2
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4776

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\99.279.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\99.279.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_5084_FBZBMLWXPJLEGKMZ" --sandboxed-process-id=3 --init-done-notifier=928 --sandbox-mojo-pipe-token=398154040258545563 --mojo-platform-channel-handle=924
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3680 /prefetch:8
2⤵
PID:4472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3124 /prefetch:8
2⤵
PID:4468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
2⤵
PID:4248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5432 /prefetch:8
2⤵
PID:4936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5976 /prefetch:8
2⤵
PID:4840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5852 /prefetch:8
2⤵
PID:4608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5960 /prefetch:8
2⤵
PID:920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2496 /prefetch:8
2⤵
PID:2248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,9224002471768451139,7873247637276963365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6040 /prefetch:8
2⤵
PID:924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
69511a066a295d458a89e2b926a249f7

SHA1
83d582f87fa55d528af6d783763bb2502b377bdc

SHA256
855e73ab029929bcaeaead593218c4b481fa40bb108f07aa3634af903bbbcf06

SHA512
9c44dd911dc73fa456cde99fbaef62486c9f5c2c0ee3a2250813b60a7398ca60dad824c625e3af7553069880f2bcbaef91602acd6cb423509243248a0e4a2a37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
1KB

MD5
28402c7b5926dde005b08d39f5e75395

SHA1
85e085c8376ffb1a40ae33529c9fafebe81eb0b7

SHA256
c7df7b2e2635889c2c8c6611fc42669f4519fc97182e46e3be9f3a5e838e75ae

SHA512
b1487eec89948bf051c878fe7df9cd7f2f916901fa1bad0d3aa091771f504c0f21bc94786c6193dfbf1a248371b3cea5a65f4978f780f33959fbf9c05c74bbeb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
6291523270b8d874c343bfd3f4ed25eb

SHA1
5a0872b4a026c43a94be044162a3c3dd980ddd2d

SHA256
7ba0600af5c794881f0abb1b30194b571237e20d7cbe8cdacba99a3a662e3570

SHA512
b82e29a87d143525eaa8a3313f9d7280ccd72430b5f91c2f475c5118c5eb5d8573e188c38d2b6689bb11723d7c0ec62c2b10be97a8a190c9b9ec002112d86364

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_25C1C17E3D961AC8ED4EF9DAC6C8BB23
Filesize
472B

MD5
cd49db2cde3b3d687c7dc3a2239f42bc

SHA1
6e9e98a144403f207fbf2875482c9444dab3f620

SHA256
7e3d48cff108a3f2595d2defac1685219e6b747c2e8b54413a06f48b8132aa63

SHA512
855cd2713bdc497e9473b8689a80f4934a4c83b7cb78ec475544c57c5e01fcde0f7358c16e3eba2ea15f1405801f9190096bb93617034da18debbe6779f8069c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_DEA9E6EF835944EE4D67BEC1CABD1368
Filesize
471B

MD5
ad21d8a22bfc48de795d91501cc5a3e5

SHA1
c9f83b9049adc928eb87ce943ae7d24c271d247a

SHA256
301b1db4ad2040b0ef03b4edf7308057d12c355594d842ad81fa6a3b5dd0c15d

SHA512
4b45b6203e51aab9913fe685b6b95b18060aa7a66098db707332f34406de3cf60fcbc316ba96c1a893fe37e2a24ad20b4ac46d726a394f29862fa319efc1621f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
724B

MD5
64e9b8bb98e2303717538ce259bec57d

SHA1
2b07bf8e0d831da42760c54feff484635009c172

SHA256
76bd459ec8e467efc3e3fb94cb21b9c77a2aa73c9d4c0f3faf823677be756331

SHA512
8980af4a87a009f1ae165182d1edd4ccbd12b40a5890de5dbaea4dbf3aeb86edffd58b088b1e35e12d6b1197cc0db658a9392283583b3cb24a516ebc1f736c56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D0B6306FEB5C531C40CF59383F55F54B
Filesize
503B

MD5
c52343c39b9e1013ce5d940835b0abee

SHA1
0c5a6f54eb6aaf5df474a97a9a62151ba60a37b9

SHA256
b5ebb4b79abee3367572ae3f2ccfe966aa39eeb25197e3603db290b22852da00

SHA512
1d503c75db82deee997ce840944dee5b6842a8f78d929dad5964476e3b3f859559dc08ab2dde6ddb6a8f04c10e127c3fb3e6caa31f1addcb596b5c027cf9b2b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_82D13286062ABFE0B4624929618E84DE
Filesize
471B

MD5
844d6123395d76e3e5ff43a0d34198bf

SHA1
03ee1ae772d77a5875cff421214283d761afeb72

SHA256
fbd232a237dbf1be46681ec5b2bc8d3551165b8f1a2764a324dc56c5ae1941a6

SHA512
efca0dd878162aebdec0e1db2cf9b8775b52cb081253b1902e1c974085eaba1b44e6bd6e959ebdb69004a82de53f20d6fd308b840e183d990bdfdd977d3f0f2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
4b9c2c4a3110c8bba1433d9c0a179f8d

SHA1
d711a146dc5a7d742cde50fe795024914076901b

SHA256
3a5efa04ddbec6191cf9c0f9d85928ae333158ede4661d0ef9fc6a93db7bfa85

SHA512
353bfa2e8bff8ab65a421e8621146d6c8bda2eca9c493f78ef190a1f884e9ce347ab0add47051762915a95ce97fa2a8220e6d9f25c2aa0e361e634560965e976

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
840897f2a0ae71c490bc74c401e5b362

SHA1
bd7f8d67d0a8f62c22a7c22bfe152abf90caab53

SHA256
550e7583eebb6f33e2c1776b52f2319e1dc06e3db4bab5668900577e7f8e3beb

SHA512
68230e2dd4449a038d219b2d8e5637bf5c1bd21b1ad0cc80f7eb2eca9a1e9b04a4fa386a6cd5fb87cd9b509bc2049a87ef572da9a40c6daafade09aa1f3f3e59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
438B

MD5
581dafc9c80c9a810f7d104c60cbf727

SHA1
3d0fe4fe3074ea666b0ab678d2cf58c4505547f3

SHA256
cb241edd683c4111a2838251ef85c2f06669bd490cb7c8ed7ce8e1007915a813

SHA512
6fd74d913b485c71c40624684673d0eba9f2317acc8bba1d839a0547c6a8a2f80a450f0ccbea50647c0ccd0d3b0b8851ab3d5e192312614f6ccf960d841a95c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
434B

MD5
8107a58c4b6110e69d7e511b99e2c9d7

SHA1
0316d7863d09edbd9cec42856f6ebd74b3c03880

SHA256
42b1f5f7e4f86fe503d18608273c84428a6584f4c5485808b568c37e5cd3ca4e

SHA512
aa8554db28f9b8adae0d9314f3ef96fc4b43dbd03f13bb9d028ec72105386a8a582f1e0997e1cdda3253256015c76dc3d69f3fdecb6d751bd7e0c29374bfdb5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_25C1C17E3D961AC8ED4EF9DAC6C8BB23
Filesize
402B

MD5
e14df6fb7615c59f4d7cd344cbabe83f

SHA1
19e7c51c18347fce2f7d491f61ca2b2750ff51d7

SHA256
73a528c6b5466407e13d92c9caf8c579952ae13d67ef859d74438f8be02bd0cf

SHA512
540707c65634c0ac6602aaaa27891046a8fcc2b0eb7aa57a55039e0aae3f4c7ef093bcd1ca76145f1cff70ceb442d70ec7565772cf1d030b328d4b02748aab63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_DEA9E6EF835944EE4D67BEC1CABD1368
Filesize
410B

MD5
f0fb80eeb017a337b9ffff106b5b7f1f

SHA1
12f70b0a255c72e65f8dc4e256e14b0cba000f7a

SHA256
15fe24ea6aca2079726acca17ab18043aedd747a5d126b4557284e447cadf14c

SHA512
f2dcc3b021a62d35c72a093a67ff045dcf6c36b913bb22b038789ab553742f910e01ee5badec11c3e3cbb94f0fe0efb26f28a459232894334676be842caef6b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
392B

MD5
635951e933ce74cfdd8b5385bb2fde4c

SHA1
35c148f109ee155e1445ffc7b7f3072aa615926b

SHA256
fb148e2012d89b42153ee23d4fe7248f0781f93f8b0b459d3ab15d5bb185cdc0

SHA512
8912d61b171b65e6acd557159d97d0c3ccc3700af26e4ad9796fff54e80a96ceb6d854b31424b9de7e03b6599e52acad8e98517e590ccf96b483eff40d2ac0b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0B6306FEB5C531C40CF59383F55F54B
Filesize
552B

MD5
ff03fcc3c95b688c3461d90a006a2980

SHA1
2064c2ce749f91c384d8c6a61ef705d8aa7cc806

SHA256
ca4507012892237b509f1f886a20530d53047bd8beb451b082fe9743f15a576e

SHA512
41563a8859469e8549ed77280e0000752a8ec6ac36e829a3d6e2c6163a50af5f4b3f013f0881c7603062e71b95c22792f4698fd929f2fc36a659fec8dbfc9105

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_82D13286062ABFE0B4624929618E84DE
Filesize
410B

MD5
52010e8bbad3cd19cc414c28fcf9025a

SHA1
5d3311084edd2ae87d74d5e2bd85aeb084e630f2

SHA256
dd6ba687e81fc20bd0fa4b7786387bd18ddc19e5ceaaef02a3f0dc4275c601a4

SHA512
47f705aafd3d1cc351e77fdc2394375306369b88eae0269204678b45d28217b10e807c416d067fad6799739fbb2eaa580e3031e339f711ca9176c8941b6a487b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\99.279.200\software_reporter_tool.exe
Filesize
13.9MB

MD5
3dcd45838971b3e51d01e62c09d36e08

SHA1
9884fc2f1ed03043d5a6aa5f59625b7a0cad4c2a

SHA256
d7081c02c19718ed94ef3154ede0d045c50ba7d9e7653b7b5c589ac1a0b36f81

SHA512
6e2b5e3b75bd872bd01c6b8feaea76aea733f75320e4b88877ef1aae061d37ac0de82943502c2c575f67dcd77961bba506d5f16489bd33b8aa621e472fe648fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\99.279.200\software_reporter_tool.exe
Filesize
13.9MB

MD5
3dcd45838971b3e51d01e62c09d36e08

SHA1
9884fc2f1ed03043d5a6aa5f59625b7a0cad4c2a

SHA256
d7081c02c19718ed94ef3154ede0d045c50ba7d9e7653b7b5c589ac1a0b36f81

SHA512
6e2b5e3b75bd872bd01c6b8feaea76aea733f75320e4b88877ef1aae061d37ac0de82943502c2c575f67dcd77961bba506d5f16489bd33b8aa621e472fe648fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\99.279.200\software_reporter_tool.exe
Filesize
13.9MB

MD5
3dcd45838971b3e51d01e62c09d36e08

SHA1
9884fc2f1ed03043d5a6aa5f59625b7a0cad4c2a

SHA256
d7081c02c19718ed94ef3154ede0d045c50ba7d9e7653b7b5c589ac1a0b36f81

SHA512
6e2b5e3b75bd872bd01c6b8feaea76aea733f75320e4b88877ef1aae061d37ac0de82943502c2c575f67dcd77961bba506d5f16489bd33b8aa621e472fe648fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\YZUW48VS.cookie
Filesize
614B

MD5
cfb8f0ddee65d159eaaeecdc9be381aa

SHA1
84728eb96e4dd754d43a5e867b370ef71bb64167

SHA256
2866747bbb80d24fa55ec16e0888687c4cec70b05c787593701b314c8ee517ce

SHA512
8790e91d2748bf3a5454b657d02329730f2f432c1a6d8bc34142752a1d7d2aaf07bece2e7334edf4b086f73154dce828a27e46550617b51c3af9ce2414e8a8ef

Download Submit
\??\c:\users\admin\appdata\local\Google\Software Reporter Tool\settings.dat
Filesize
40B

MD5
8ae8686004857ca9f57ead5b49ad01ac

SHA1
503a52a2c3f9c8e3437fc38565968723d28b312c

SHA256
11e84f0554255621554efbcd4ce02db6d56b9b4b85fddf7f001b819cfe23a897

SHA512
6c27d4fc6cb177d385271156fb1a9dee9b420874860c1220045df6b4c68149ed755b67fe395e9b37a178ff70b21fe08ad6faa8f8b0b858a48c0c74722b3eb7b8

Download Submit
\??\c:\users\admin\appdata\local\Google\Software Reporter Tool\settings.dat
Filesize
40B

MD5
8ae8686004857ca9f57ead5b49ad01ac

SHA1
503a52a2c3f9c8e3437fc38565968723d28b312c

SHA256
11e84f0554255621554efbcd4ce02db6d56b9b4b85fddf7f001b819cfe23a897

SHA512
6c27d4fc6cb177d385271156fb1a9dee9b420874860c1220045df6b4c68149ed755b67fe395e9b37a178ff70b21fe08ad6faa8f8b0b858a48c0c74722b3eb7b8

Download Submit
\??\pipe\crashpad_3360_GEDBKEYPUMXNXFNG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\99.279.200\edls_64.dll
Filesize
446KB

MD5
e9a7c44d7bda10b5b7a132d46fcdaf35

SHA1
5217179f094c45ba660777cfa25c7eb00b5c8202

SHA256
35351366369a7774f9f30f38dc8aa3cd5e087acd8eae79e80c24526cd40e95a1

SHA512
e76308eee65bf0bf31e58d754e07b63092a4109ef3d44df7b746da99d44be6112bc5f970123c4e82523b6d301392e09c2cfc490e304550b42d152cdb0757e774

Download Submit
memory/3884-142-0x0000000000000000-mapping.dmp

Download
memory/4112-157-0x0000000000000000-mapping.dmp

Download
memory/4776-148-0x0000000000000000-mapping.dmp

Download
memory/4776-153-0x00007FFD5ED90000-0x00007FFD5ED91000-memory.dmp

Filesize
4KB

Download
memory/4776-152-0x00007FFD5E3D0000-0x00007FFD5E3D1000-memory.dmp

Filesize
4KB

Download
memory/4776-162-0x000001BB4E340000-0x000001BB4E380000-memory.dmp

Filesize
256KB

Download
memory/4776-163-0x000001BB4E340000-0x000001BB4E380000-memory.dmp

Filesize
256KB

Download
memory/4776-164-0x000001BB4E340000-0x000001BB4E380000-memory.dmp

Filesize
256KB

Download
memory/4776-165-0x000001BB4E340000-0x000001BB4E380000-memory.dmp

Filesize
256KB

Download
memory/5084-138-0x0000000000000000-mapping.dmp

Download