hxxps://143894913[.]coreaquatech[.]com/905100119/aHR0cHM6Ly9lbnF1aXJlLWFzay5vbmxpbmUvP2VtYWlsPXRrZWVsZXJAbWF5ZXJicm93bi5jb20=

Resubmissions

08-08-2022 19:45

220808-ygp63sfcck 10

08-08-2022 19:37

220808-ybtbjsfbdn 10

08-08-2022 19:31

220808-x8wx9sfbaj 10

Analysis

max time kernel
150s
max time network
150s
platform
windows10-1703_x64
resource
win10-20220722-en
resource tags

arch:x64arch:x86image:win10-20220722-enlocale:en-usos:windows10-1703-x64system
submitted
08-08-2022 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://143894913.coreaquatech.com/905100119/aHR0cHM6Ly9lbnF1aXJlLWFzay5vbmxpbmUvP2VtYWlsPXRrZWVsZXJAbWF5ZXJicm93bi5jb20=

Score

10^/10

microsoft phishing product:outlook spyware stealer

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook
Executes dropped EXE 4 IoCs

Processes:

software_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exe

pid process

2312 software_reporter_tool.exe
4580 software_reporter_tool.exe
3824 software_reporter_tool.exe
2396 software_reporter_tool.exe

pid	process
2312	software_reporter_tool.exe
4580	software_reporter_tool.exe
3824	software_reporter_tool.exe
2396	software_reporter_tool.exe

Loads dropped DLL 7 IoCs

Processes:

software_reporter_tool.exe

pid	process
3824	software_reporter_tool.exe
3824	software_reporter_tool.exe
3824	software_reporter_tool.exe
3824	software_reporter_tool.exe
3824	software_reporter_tool.exe
3824	software_reporter_tool.exe
3824	software_reporter_tool.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exesoftware_reporter_tool.exechrome.exe

pid	process
4076	chrome.exe
4076	chrome.exe
2460	chrome.exe
2460	chrome.exe
4404	chrome.exe
4404	chrome.exe
4832	chrome.exe
4832	chrome.exe
1944	chrome.exe
1944	chrome.exe
460	chrome.exe
460	chrome.exe
536	chrome.exe
536	chrome.exe
1668	chrome.exe
1668	chrome.exe
2312	software_reporter_tool.exe
2312	software_reporter_tool.exe
2112	chrome.exe
2112	chrome.exe
2112	chrome.exe
2112	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

2460 chrome.exe
2460 chrome.exe
2460 chrome.exe
2460 chrome.exe
2460 chrome.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

software_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exe

description	pid	process
Token: 33	4580	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	4580	software_reporter_tool.exe
Token: 33	2312	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	2312	software_reporter_tool.exe
Token: 33	3824	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	3824	software_reporter_tool.exe
Token: 33	2396	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	2396	software_reporter_tool.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2460 wrote to memory of 2692	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 2692	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 3644	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 4076	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 4076	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 4320	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 4320	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 4320	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 4320	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 4320	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 4320	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 4320	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 4320	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 4320	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 4320	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 4320	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 4320	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 4320	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 4320	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 4320	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 4320	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 4320	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 4320	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 4320	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 4320	2460	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://143894913.coreaquatech.com/905100119/aHR0cHM6Ly9lbnF1aXJlLWFzay5vbmxpbmUvP2VtYWlsPXRrZWVsZXJAbWF5ZXJicm93bi5jb20=
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffc57484f50,0x7ffc57484f60,0x7ffc57484f70
2⤵
PID:2692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1496,1576828702935519166,1230483256763880978,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1516 /prefetch:2
2⤵
PID:3644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1496,1576828702935519166,1230483256763880978,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1836 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1496,1576828702935519166,1230483256763880978,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2104 /prefetch:8
2⤵
PID:4320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,1576828702935519166,1230483256763880978,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2932 /prefetch:1
2⤵
PID:3600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,1576828702935519166,1230483256763880978,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2944 /prefetch:1
2⤵
PID:2028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,1576828702935519166,1230483256763880978,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4160 /prefetch:8
2⤵
PID:2788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,1576828702935519166,1230483256763880978,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4508 /prefetch:1
2⤵
PID:5072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,1576828702935519166,1230483256763880978,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
2⤵
PID:3076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,1576828702935519166,1230483256763880978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,1576828702935519166,1230483256763880978,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5392 /prefetch:8
2⤵
PID:2920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,1576828702935519166,1230483256763880978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,1576828702935519166,1230483256763880978,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5028 /prefetch:8
2⤵
PID:4856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,1576828702935519166,1230483256763880978,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5004 /prefetch:8
2⤵
PID:4904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,1576828702935519166,1230483256763880978,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4932 /prefetch:8
2⤵
PID:4900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,1576828702935519166,1230483256763880978,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
2⤵
PID:4784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,1576828702935519166,1230483256763880978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,1576828702935519166,1230483256763880978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3636 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,1576828702935519166,1230483256763880978,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2404 /prefetch:8
2⤵
PID:680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,1576828702935519166,1230483256763880978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1404 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,1576828702935519166,1230483256763880978,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5480 /prefetch:8
2⤵
PID:164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,1576828702935519166,1230483256763880978,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4340 /prefetch:8
2⤵
PID:208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,1576828702935519166,1230483256763880978,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4164 /prefetch:8
2⤵
PID:1144

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\102.286.200\software_reporter_tool.exe
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\102.286.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=HFF4ZrHBCMOXZjG5YCAhMbH8Xc32n2h3ZCRJBhWh --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=Off
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2312

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\102.286.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\102.286.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=102.286.200 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff63599ecc8,0x7ff63599ecd8,0x7ff63599ece8
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4580

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\102.286.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\102.286.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_2312_WVUPQRDQTDCPQUHL" --sandboxed-process-id=2 --init-done-notifier=720 --sandbox-mojo-pipe-token=9560765442196870693 --mojo-platform-channel-handle=696 --engine=2
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3824

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\102.286.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\102.286.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_2312_WVUPQRDQTDCPQUHL" --sandboxed-process-id=3 --init-done-notifier=928 --sandbox-mojo-pipe-token=526921179748273624 --mojo-platform-channel-handle=924
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,1576828702935519166,1230483256763880978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1496,1576828702935519166,1230483256763880978,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4320 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,1576828702935519166,1230483256763880978,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4468 /prefetch:8
2⤵
PID:4192

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\102.286.200\software_reporter_tool.exe
Filesize
14.0MB

MD5
51a9cac9c4e8da44ffd7502be17604ee

SHA1
44543e0c6f30415c670c1322e61ca68602d58708

SHA256
6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323

SHA512
a30b1d043f4e0e64782c5b84651256338dcbaff19d1f98d4412f9f2f77172ed4444105d6e382397f92056fa383a2f1ebe611f37fb9efafab744e9ccb5478c2e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\102.286.200\software_reporter_tool.exe
Filesize
14.0MB

MD5
51a9cac9c4e8da44ffd7502be17604ee

SHA1
44543e0c6f30415c670c1322e61ca68602d58708

SHA256
6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323

SHA512
a30b1d043f4e0e64782c5b84651256338dcbaff19d1f98d4412f9f2f77172ed4444105d6e382397f92056fa383a2f1ebe611f37fb9efafab744e9ccb5478c2e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\102.286.200\software_reporter_tool.exe
Filesize
14.0MB

MD5
51a9cac9c4e8da44ffd7502be17604ee

SHA1
44543e0c6f30415c670c1322e61ca68602d58708

SHA256
6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323

SHA512
a30b1d043f4e0e64782c5b84651256338dcbaff19d1f98d4412f9f2f77172ed4444105d6e382397f92056fa383a2f1ebe611f37fb9efafab744e9ccb5478c2e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\102.286.200\software_reporter_tool.exe
Filesize
14.0MB

MD5
51a9cac9c4e8da44ffd7502be17604ee

SHA1
44543e0c6f30415c670c1322e61ca68602d58708

SHA256
6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323

SHA512
a30b1d043f4e0e64782c5b84651256338dcbaff19d1f98d4412f9f2f77172ed4444105d6e382397f92056fa383a2f1ebe611f37fb9efafab744e9ccb5478c2e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\102.286.200\software_reporter_tool.exe
Filesize
14.0MB

MD5
51a9cac9c4e8da44ffd7502be17604ee

SHA1
44543e0c6f30415c670c1322e61ca68602d58708

SHA256
6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323

SHA512
a30b1d043f4e0e64782c5b84651256338dcbaff19d1f98d4412f9f2f77172ed4444105d6e382397f92056fa383a2f1ebe611f37fb9efafab744e9ccb5478c2e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Software Reporter Tool\software_reporter_tool-sandbox.log
Filesize
4KB

MD5
22550c6f83a549e2b5e744f1ce1d43a1

SHA1
83bcb79269ffb58153cc7cdc21481d676409b9bf

SHA256
20340074da18f14ddbb9edded2a65f62926700a725df42723b26d8c9fb570d58

SHA512
6076d0fae100f8e7a0a77f37e2e58caa185e13bfb92a82082850afe7add3817181bd0a51d340fbe3bab210874bf9caf49d266f77d83b720462fbd25f0eccb998

Download Submit
\??\c:\users\admin\appdata\local\Google\Software Reporter Tool\settings.dat
Filesize
40B

MD5
7e8c2cb143c32d2572b2288d296db2b6

SHA1
1d81891e19b0790a407bee5e0f7ddf90f3a0a943

SHA256
07e2cbb8aca3b1ffdadca5397e9b62212273dc340751c003747f7f6d53360382

SHA512
700cdca3cdb1cbf1b54bc8f4749530653c01b1d78a15c8f6a2ab73016c1fe2c4e85598c54f514ebee121767a31fbe23c89bd1cc6c9c6e669108414808e672f25

Download Submit
\??\c:\users\admin\appdata\local\Google\Software Reporter Tool\settings.dat
Filesize
40B

MD5
7e8c2cb143c32d2572b2288d296db2b6

SHA1
1d81891e19b0790a407bee5e0f7ddf90f3a0a943

SHA256
07e2cbb8aca3b1ffdadca5397e9b62212273dc340751c003747f7f6d53360382

SHA512
700cdca3cdb1cbf1b54bc8f4749530653c01b1d78a15c8f6a2ab73016c1fe2c4e85598c54f514ebee121767a31fbe23c89bd1cc6c9c6e669108414808e672f25

Download Submit
\??\c:\users\admin\appdata\local\Google\Software Reporter Tool\settings.dat
Filesize
40B

MD5
7e8c2cb143c32d2572b2288d296db2b6

SHA1
1d81891e19b0790a407bee5e0f7ddf90f3a0a943

SHA256
07e2cbb8aca3b1ffdadca5397e9b62212273dc340751c003747f7f6d53360382

SHA512
700cdca3cdb1cbf1b54bc8f4749530653c01b1d78a15c8f6a2ab73016c1fe2c4e85598c54f514ebee121767a31fbe23c89bd1cc6c9c6e669108414808e672f25

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\102.286.200\edls_64.dll
Filesize
449KB

MD5
79d7f318441c21d17739e43990697d1d

SHA1
9683265bf401d11313b768dfc4b3aeb10015d18c

SHA256
0ce49dc9f71360bf9dd21b8e3af4641834f85eed7d80a7de0940508437e68970

SHA512
67c7a7d3bbadeff21951809d2f843311328771ed46bc1ca14edba486263f56f86922668dd89d11b05a16130380b7543f7c9556d79503c505807407763e9d3595

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\102.286.200\em000_64.dll
Filesize
37KB

MD5
f8b7cac6e9587baabf4045c34890c7ce

SHA1
61814262c6ee5ceaab2c0263c913cae52e203af7

SHA256
8b0613b91229c98dfa5398568a4fa40dde2a2d40028654f74923bc929d6b5b30

SHA512
4f80021fa2a6e6bd3cdd8248d6139d105dca984a914184d5b1e251e97daa77e36c4e059ed3a617ad12dd998eb603accd34ef3951261ad997a081d8ac934b6211

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\102.286.200\em001_64.dll
Filesize
378KB

MD5
7adcb76ec34d774d1435b477e8625c47

SHA1
ec4ba0ad028c45489608c6822f3cabb683a07064

SHA256
a55be2be943078157b7d1cfb52febd4a95e4c7a37995bb75b19b079cc1ee5b9d

SHA512
c1af669ee971b4f4a3bb057fe423a63376cfc19026650036b29d77fed73458d235889a662ac5e12c871c3e77f6fbdb1fa29c0dfa488a4a40fa045d79eb61e7c4

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\102.286.200\em002_64.dll
Filesize
2.2MB

MD5
3a5093644dd4071aba6916c76bd5a5b5

SHA1
49ccbdb0de90f80e35dfd0077873a1a49a63a7b6

SHA256
88e899e431baa41906f067af6b609d20b7af35639fa48de64b298f53183d0f56

SHA512
91dc2c63203c4694f8fbadba5e52cbd803a7d20cae71f673f674dcba25069905e12d820a3202a33153a8f19318fe1107f1f4baccf52d4ce5961d2fcb958a9dd6

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\102.286.200\em003_64.dll
Filesize
1.3MB

MD5
cce9db3ce5cbac028584bebfd4d6dccc

SHA1
9f1cc4cba0491c759eca8dcad2777b3f2c012871

SHA256
81c2092dafc14b10a92bbf1644f592d5fad8ee0b77100611aa2c9e32bac6b604

SHA512
e1b4c6e3c3ba0018c19a4f6a55177e7e55a99b4a8ebebad0d9d891dfb1bd0c4589d95dac54857f1176e00dde635648a1112ea0e6a1efb626be2654de2f2e21e9

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\102.286.200\em004_64.dll
Filesize
6.1MB

MD5
ee46beaa6c9244880e8a510d080b4416

SHA1
a83c3946a2f53f064e91d8b60d5f6c697a560062

SHA256
d4f17bd032ead2a73340e6c14e24a3fa901d0fbae78f49fe4d368a01b788b49c

SHA512
4e69dddd1215b1675bac788996019ef3cb22418fbba75c0c7935dafb2b1742bad79cc9ea6814b5f8d1663657a7987499a155cdf57733d1afae42b0e25d475c25

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\102.286.200\em005_64.dll
Filesize
576KB

MD5
169a2ef320119891cf3189aa3fd23b0e

SHA1
de51c936101ef79bbc0f1d3c800cf832d221eef8

SHA256
1072d49da0a70640fb9716cb894f4834ff621ca96d4aea1f478754edf4d0f780

SHA512
7fe27d360bbf6d410ea9d33d6003ab455cd8b9e5521c00db9bb6c44a7472ccf2083d51034bab5ffc5aef85db36fc758c76b02fa31f0d0024c9d532548a2bf9ca

Download Submit
\??\pipe\crashpad_2312_WVUPQRDQTDCPQUHL
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_2460_GBYHWIIFXXTRMAKK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\102.286.200\edls_64.dll
Filesize
449KB

MD5
79d7f318441c21d17739e43990697d1d

SHA1
9683265bf401d11313b768dfc4b3aeb10015d18c

SHA256
0ce49dc9f71360bf9dd21b8e3af4641834f85eed7d80a7de0940508437e68970

SHA512
67c7a7d3bbadeff21951809d2f843311328771ed46bc1ca14edba486263f56f86922668dd89d11b05a16130380b7543f7c9556d79503c505807407763e9d3595

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\102.286.200\em000_64.dll
Filesize
37KB

MD5
f8b7cac6e9587baabf4045c34890c7ce

SHA1
61814262c6ee5ceaab2c0263c913cae52e203af7

SHA256
8b0613b91229c98dfa5398568a4fa40dde2a2d40028654f74923bc929d6b5b30

SHA512
4f80021fa2a6e6bd3cdd8248d6139d105dca984a914184d5b1e251e97daa77e36c4e059ed3a617ad12dd998eb603accd34ef3951261ad997a081d8ac934b6211

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\102.286.200\em001_64.dll
Filesize
378KB

MD5
7adcb76ec34d774d1435b477e8625c47

SHA1
ec4ba0ad028c45489608c6822f3cabb683a07064

SHA256
a55be2be943078157b7d1cfb52febd4a95e4c7a37995bb75b19b079cc1ee5b9d

SHA512
c1af669ee971b4f4a3bb057fe423a63376cfc19026650036b29d77fed73458d235889a662ac5e12c871c3e77f6fbdb1fa29c0dfa488a4a40fa045d79eb61e7c4

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\102.286.200\em002_64.dll
Filesize
2.2MB

MD5
3a5093644dd4071aba6916c76bd5a5b5

SHA1
49ccbdb0de90f80e35dfd0077873a1a49a63a7b6

SHA256
88e899e431baa41906f067af6b609d20b7af35639fa48de64b298f53183d0f56

SHA512
91dc2c63203c4694f8fbadba5e52cbd803a7d20cae71f673f674dcba25069905e12d820a3202a33153a8f19318fe1107f1f4baccf52d4ce5961d2fcb958a9dd6

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\102.286.200\em003_64.dll
Filesize
1.3MB

MD5
cce9db3ce5cbac028584bebfd4d6dccc

SHA1
9f1cc4cba0491c759eca8dcad2777b3f2c012871

SHA256
81c2092dafc14b10a92bbf1644f592d5fad8ee0b77100611aa2c9e32bac6b604

SHA512
e1b4c6e3c3ba0018c19a4f6a55177e7e55a99b4a8ebebad0d9d891dfb1bd0c4589d95dac54857f1176e00dde635648a1112ea0e6a1efb626be2654de2f2e21e9

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\102.286.200\em004_64.dll
Filesize
6.1MB

MD5
ee46beaa6c9244880e8a510d080b4416

SHA1
a83c3946a2f53f064e91d8b60d5f6c697a560062

SHA256
d4f17bd032ead2a73340e6c14e24a3fa901d0fbae78f49fe4d368a01b788b49c

SHA512
4e69dddd1215b1675bac788996019ef3cb22418fbba75c0c7935dafb2b1742bad79cc9ea6814b5f8d1663657a7987499a155cdf57733d1afae42b0e25d475c25

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\102.286.200\em005_64.dll
Filesize
576KB

MD5
169a2ef320119891cf3189aa3fd23b0e

SHA1
de51c936101ef79bbc0f1d3c800cf832d221eef8

SHA256
1072d49da0a70640fb9716cb894f4834ff621ca96d4aea1f478754edf4d0f780

SHA512
7fe27d360bbf6d410ea9d33d6003ab455cd8b9e5521c00db9bb6c44a7472ccf2083d51034bab5ffc5aef85db36fc758c76b02fa31f0d0024c9d532548a2bf9ca

Download Submit
memory/2312-128-0x0000000000000000-mapping.dmp

Download
memory/2396-158-0x0000000000000000-mapping.dmp

Download
memory/3824-138-0x0000000000000000-mapping.dmp

Download
memory/4580-132-0x0000000000000000-mapping.dmp

Download