hxxps://www[.]youtube[.]com/watch?v=dQw4w9WgXcQ

Analysis

max time kernel
1683s
max time network
1703s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
06/09/2022, 23:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/watch?v=dQw4w9WgXcQ

Score

10^/10

discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\1828_956814820\us_tv_and_film.txt

Ransom Note

you i to that it me what this know i'm no have my don't just not do be your we it's so but all well oh about right you're get here out going like yeah if can up want think that's now go him how got did why see come good really look will okay back can't mean tell i'll hey he's could didn't yes something because say take way little make need gonna never we're too she's i've sure our sorry what's let thing maybe down man very there's should anything said much any even off please doing thank give thought help talk god still wait find nothing again things let's doesn't call told great better ever night away believe feel everything you've fine last keep does put around stop they're i'd guy isn't always listen wanted guys huh those big lot happened thanks won't trying kind wrong talking guess care bad mom remember getting we'll together dad leave understand wouldn't actually hear baby nice father else stay done wasn't course might mind every enough try hell came someone you'll whole yourself idea ask must coming looking woman room knew tonight real son hope went hmm happy pretty saw girl sir friend already saying next job problem minute thinking haven't heard honey matter myself couldn't exactly having probably happen we've hurt boy dead gotta alone excuse start kill hard you'd today car ready without wants hold wanna yet seen deal once gone morning supposed friends head stuff worry live truth face forget true cause soon knows telling wife who's chance run move anyone person bye somebody heart miss making meet anyway phone reason damn lost looks bring case turn wish tomorrow kids trust check change anymore least aren't working makes taking means brother hate ago says beautiful gave fact crazy sit afraid important rest fun kid word watch glad everyone sister minutes everybody bit couple whoa either mrs feeling daughter wow gets asked break promise door close hand easy question tried far walk needs mine killed hospital anybody alright wedding shut able die perfect stand comes hit waiting dinner funny husband almost pay answer cool eyes news child shouldn't yours moment sleep read where's sounds sonny pick sometimes bed date plan hours lose hands serious shit behind inside ahead week wonderful fight past cut quite he'll sick it'll eat nobody goes save seems finally lives worried upset carly met brought seem sort safe weren't leaving front shot loved asking running clear figure hot felt parents drink absolutely how's daddy sweet alive sense meant happens bet blood ain't kidding lie meeting dear seeing sound fault ten buy hour speak lady jen thinks christmas outside hang possible worse mistake ooh handle spend totally giving here's marriage realize unless sex send needed scared picture talked ass hundred changed completely explain certainly sign boys relationship loves hair lying choice anywhere future weird luck she'll turned touch kiss crane questions obviously wonder pain calling somewhere throw straight cold fast words food none drive feelings they'll marry drop cannot dream protect twenty surprise sweetheart poor looked mad except gun y'know dance takes appreciate especially situation besides pull hasn't worth sheridan amazing expect swear piece busy happening movie we'd catch perhaps step fall watching kept darling dog honor moving till admit problems murder he'd evil definitely feels honest eye broke missed longer dollars tired evening starting entire trip niles suppose calm imagine fair caught blame sitting favor apartment terrible clean learn frasier relax accident wake prove smart message missing forgot interested table nbsp mouth pregnant ring careful shall dude ride figured wear shoot stick follow angry write stopped ran standing forgive jail wearing ladies kinda lunch cristian greenlee gotten hoping phoebe thousand ridge paper tough tape count boyfriend proud agree birthday they've share offer hurry feet wondering decision ones finish voice herself would've mess deserve evidence cute dress interesting hotel enjoy quiet concerned staying beat sweetie mention clothes fell neither mmm fix respect prison attention holding calls surprised bar keeping gift hadn't putting dark owe ice helping normal aunt lawyer apart plans jax girlfriend floor whether everything's box judge upstairs sake mommy possibly worst acting accept blow strange saved conversation plane mama yesterday lied quick lately stuck difference store she'd bought doubt listening walking cops deep dangerous buffy sleeping chloe rafe join card crime gentlemen willing window walked guilty likes fighting difficult soul joke favorite uncle promised bother seriously cell knowing broken advice somehow paid losing push helped killing boss liked innocent rules learned thirty risk letting speaking ridiculous afternoon apologize nervous charge patient boat how'd hide detective planning huge breakfast horrible awful pleasure driving hanging picked sell quit apparently dying notice congratulations visit could've c'mon letter decide forward fool showed smell seemed spell memory pictures slow seconds hungry hearing kitchen ma'am should've realized kick grab discuss fifty reading idiot suddenly agent destroy bucks shoes peace arms demon livvie consider papers incredible witch drunk attorney tells knock ways gives nose skye turns keeps jealous drug sooner cares plenty extra outta weekend matters gosh opportunity impossible waste pretend jump eating proof slept arrest breathe perfectly warm pulled twice easier goin dating suit romantic drugs comfortable finds checked divorce begin ourselves closer ruin smile laugh treat fear what'd otherwise excited mail hiding stole pacey noticed fired excellent bringing bottom note sudden bathroom honestly sing foot remind charges witness finding tree dare hardly that'll steal silly contact teach shop plus colonel fresh trial invited roll reach dirty choose emergency dropped butt credit obvious locked loving nuts agreed prue goodbye condition guard fuckin grow cake mood crap crying belong partner trick pressure dressed taste neck nurse raise lots carry whoever drinking they'd breaking file lock wine spot paying assume asleep turning viki bedroom shower nikolas camera fill reasons forty bigger nope breath doctors pants freak movies folks cream wild truly desk convince client threw hurts spending answers shirt chair rough doin sees ought empty wind aware dealing pack tight hurting guest arrested salem confused surgery expecting deacon unfortunately goddamn bottle beyond whenever pool opinion starts jerk secrets falling necessary barely dancing tests copy cousin ahem twelve tess skin fifteen speech orders complicated nowhere escape biggest restaurant grateful usual burn address someplace screw everywhere regret goodness mistakes details responsibility suspect corner hero dumb terrific whoo hole memories o'clock teeth ruined bite stenbeck liar showing cards desperate search pathetic spoke scare marah afford settle stayed checking hired heads concern blew alcazar champagne connection tickets happiness saving kissing hated personally suggest prepared onto downstairs ticket it'd loose holy duty convinced throwing kissed legs loud saturday babies where'd warning miracle carrying blind ugly shopping hates sight bride coat clearly celebrate brilliant wanting forrester lips custody screwed buying toast thoughts reality lexie attitude advantage grandfather sami grandma someday roof marrying powerful grown grandmother fake must've ideas exciting familiar bomb bout harmony schedule capable practically correct clue forgotten appointment deserves threat bloody lonely shame jacket hook scary investigation invite shooting lesson criminal victim funeral considering burning strength harder sisters pushed shock pushing heat chocolate miserable corinthos nightmare brings zander crash chances sending recognize healthy boring feed engaged headed treated knife drag badly hire paint pardon behavior closet warn gorgeous milk survive ends dump rent remembered thanksgiving rain revenge prefer spare pray disappeared aside statement sometime meat fantastic breathing laughing stood affair ours depends protecting jury brave fingers murdered explanation picking blah stronger handsome unbelievable anytime shake oakdale wherever pulling facts waited lousy circumstances disappointed weak trusted license nothin trash understanding slip sounded awake friendship stomach weapon threatened mystery vegas understood basically switch frankly cheap lifetime deny clock garbage why'd tear ears indeed changing singing tiny decent avoid messed filled touched disappear exact pills kicked harm fortune pretending insurance fancy drove cared belongs nights lorelai lift timing guarantee chest woke burned watched heading selfish drinks doll committed elevator freeze noise wasting ceremony uncomfortable staring files bike stress permission thrown possibility borrow fabulous doors screaming bone xander what're meal apology anger honeymoon bail parking fixed wash stolen sensitive stealing photo chose lets comfort worrying pocket mateo bleeding shoulder ignore talent tied garage dies demons dumped witches rude crack bothering radar soft meantime gimme kinds fate concentrate throat prom messages intend ashamed somethin manage guilt interrupt guts tongue shoe basement sentence purse glasses cabin universe repeat mirror wound travers tall engagement therapy emotional jeez decisions soup thrilled stake chef moves extremely moments expensive counting shots kidnapped cleaning shift plate impressed smells trapped aidan knocked charming attractive argue puts whip embarrassed package hitting bust stairs alarm pure nail nerve incredibly walks dirt stamp terribly friendly damned jobs suffering disgusting stopping deliver riding helps disaster bars crossed trap talks eggs chick threatening spoken introduce confession embarrassing bags impression gate reputation presents chat suffer argument talkin crowd homework coincidence cancel pride solve hopefully pounds pine mate illegal generous outfit maid bath punch freaked begging recall enjoying prepare wheel defend signs painful yourselves maris that'd suspicious cooking button warned sixty pity yelling awhile confidence offering pleased panic hers gettin refuse grandpa testify choices cruel mental gentleman coma cutting proteus guests expert benefit faces jumped toilet sneak halloween privacy smoking reminds twins swing solid options commitment crush ambulance wallet gang eleven option laundry assure stays skip fail discussion clinic betrayed sticking bored mansion soda sheriff suite handled busted load happier studying romance procedure commit assignment suicide minds swim yell llanview chasing proper believes humor hopes lawyers giant latest escaped parent tricks insist dropping cheer medication flesh routine sandwich handed false beating warrant awfully odds treating thin suggesting fever sweat silent clever sweater mall sharing assuming judgment goodnight divorced surely steps confess math listened comin answered vulnerable bless dreaming chip zero pissed nate kills tears knees chill brains unusual packed dreamed cure lookin grave cheating breaks locker gifts awkward thursday joking reasonable dozen curse quartermaine millions dessert rolling detail alien delicious closing vampires wore tail secure salad murderer spit offense dust conscience bread answering lame invitation grief smiling pregnancy prisoner delivery guards virus shrink freezing wreck massimo wire technically blown anxious cave holidays cleared wishes caring candles bound charm pulse jumping jokes boom occasion silence nonsense frightened slipped dimera blowing relationships kidnapping spin tool roxy packing blaming wrap obsessed fruit torture personality there'll fairy necessarily seventy print motel underwear grams exhausted believing freaking carefully trace touching messing recovery intention consequences belt sacrifice courage enjoyed attracted remove testimony intense heal defending unfair relieved loyal slowly buzz alcohol surprises psychiatrist plain attic who'd uniform terrified cleaned zach threaten fella enemies satisfied imagination hooked headache forgetting counselor andie acted badge naturally frozen sakes appropriate trunk dunno costume sixteen impressive kicking junk grabbed understands describe clients owns affect witnesses starving instincts happily discussing deserved strangers surveillance admire questioning dragged barn deeply wrapped wasted tense hoped fellas roommate mortal fascinating stops arrangements agenda literally propose honesty underneath sauce promises lecture eighty torn shocked backup differently ninety deck biological pheebs ease creep waitress telephone ripped raising scratch rings prints thee arguing ephram asks oops diner annoying taggert sergeant blast towel clown habit creature bermuda snap react paranoid handling eaten therapist comment sink reporter nurses beats priority interrupting warehouse loyalty inspector pleasant excuses threats guessing tend praying motive unconscious mysterious unhappy tone switched rappaport sookie neighbor loaded swore piss balance toss misery thief squeeze lobby goa'uld geez exercise forth booked sandburg poker eighteen d'you bury everyday digging creepy wondered liver hmmm magical fits discussed moral helpful searching flew depressed aisle cris amen vows neighbors darn cents arrange annulment useless adventure resist fourteen celebrating inch debt violent sand teal'c celebration reminded phones paperwork emotions stubborn pound tension stroke steady overnight chips beef suits boxes cassadine collect tragedy spoil realm wipe surgeon stretch stepped nephew neat limo confident perspective climb punishment finest springfield hint furniture blanket twist proceed fries worries niece gloves soap signature disappoint crawl convicted flip counsel doubts crimes accusing shaking remembering hallway halfway bothered madam gather cameras blackmail symptoms rope ordinary imagined cigarette supportive explosion trauma ouch furious cheat avoiding whew thick oooh boarding approve urgent shhh misunderstanding drawer phony interfere catching bargain tragic respond punish penthouse thou rach ohhh insult bugs beside begged absolute strictly socks senses sneaking reward polite checks tale physically instructions fooled blows tabby bitter adorable y'all tested suggestion jewelry alike jacks distracted shelter lessons constable circus audition tune shoulders mask helpless feeding explains sucked robbery objection behave valuable shadows courtroom confusing talented smarter mistaken customer bizarre scaring motherfucker alert vecchio reverend foolish compliment bastards worker wheelchair protective gentle reverse picnic knee cage wives wednesday voices toes stink scares pour cheated slide ruining filling exit cottage upside proves parked diary complaining confessed pipe merely massage chop spill prayer betray waiter scam rats fraud brush tables sympathy pill filthy seventeen employee bracelet pays fairly deeper arrive tracking spite shed recommend oughta nanny menu diet corn roses patch dime devastated subtle bullets beans pile confirm strings parade borrowed toys straighten steak premonition planted honored exam convenient traveling laying insisted dish aitoro kindly grandson donor temper teenager proven mothers denial backwards tent swell noon happiest drives thinkin spirits potion holes fence whatsoever rehearsal overheard lemme hostage bench tryin taxi shove moron impress needle intelligent instant disagree stinks rianna recover groom gesture constantly bartender suspects sealed legally hears dresses sheet psychic teenage knocking judging accidentally waking rumor manners homeless hollow desperately tapes referring item genoa gear majesty cried tons spells instinct quote motorcycle convincing fashioned aids accomplished grip bump upsetting needing invisible forgiveness feds compare bothers tooth inviting earn compromise cocktail tramp jabot intimate dignity dealt souls informed gods dressing cigarettes alistair leak fond corky seduce liquor fingerprints enchantment butters stuffed stavros emotionally transplant tips oxygen nicely lunatic drill complain announcement unfortunate slap prayers plug opens oath o'neill mutual yacht remembers fried extraordinary bait warton sworn stare safely reunion burst might've dive aboard expose buddies trusting booze sweep sore scudder properly parole ditch cancele

Signatures

Executes dropped EXE 5 IoCs

pid	Process
1308	software_reporter_tool.exe
3408	software_reporter_tool.exe
5068	software_reporter_tool.exe
4060	software_reporter_tool.exe
160	ChromeRecovery.exe

Loads dropped DLL 7 IoCs

pid	Process
5068	software_reporter_tool.exe
5068	software_reporter_tool.exe
5068	software_reporter_tool.exe
5068	software_reporter_tool.exe
5068	software_reporter_tool.exe
5068	software_reporter_tool.exe
5068	software_reporter_tool.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4712_1830947680\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4712_1830947680\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4712_1830947680\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4712_1830947680\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4712_1830947680\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4712_1830947680\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4712_1830947680\ChromeRecovery.exe	elevation_service.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
3032	chrome.exe
3032	chrome.exe
1828	chrome.exe
1828	chrome.exe
4892	chrome.exe
4892	chrome.exe
5076	chrome.exe
5076	chrome.exe
4708	chrome.exe
4708	chrome.exe
224	chrome.exe
236	chrome.exe
224	chrome.exe
236	chrome.exe
2292	chrome.exe
2292	chrome.exe
612	chrome.exe
612	chrome.exe
1828	chrome.exe
1828	chrome.exe
1972	chrome.exe
1972	chrome.exe
1312	chrome.exe
1312	chrome.exe
1308	software_reporter_tool.exe
1308	software_reporter_tool.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
220	chrome.exe
220	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: 33	4860	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4860	AUDIODG.EXE
Token: 33	3408	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	3408	software_reporter_tool.exe
Token: 33	1308	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	1308	software_reporter_tool.exe
Token: 33	5068	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	5068	software_reporter_tool.exe
Token: 33	4060	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	4060	software_reporter_tool.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 1820	1828	chrome.exe	66
PID 1828 wrote to memory of 1820	1828	chrome.exe	66
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 2828	1828	chrome.exe	68
PID 1828 wrote to memory of 3032	1828	chrome.exe	69
PID 1828 wrote to memory of 3032	1828	chrome.exe	69
PID 1828 wrote to memory of 3432	1828	chrome.exe	70
PID 1828 wrote to memory of 3432	1828	chrome.exe	70
PID 1828 wrote to memory of 3432	1828	chrome.exe	70
PID 1828 wrote to memory of 3432	1828	chrome.exe	70
PID 1828 wrote to memory of 3432	1828	chrome.exe	70
PID 1828 wrote to memory of 3432	1828	chrome.exe	70
PID 1828 wrote to memory of 3432	1828	chrome.exe	70
PID 1828 wrote to memory of 3432	1828	chrome.exe	70
PID 1828 wrote to memory of 3432	1828	chrome.exe	70
PID 1828 wrote to memory of 3432	1828	chrome.exe	70
PID 1828 wrote to memory of 3432	1828	chrome.exe	70
PID 1828 wrote to memory of 3432	1828	chrome.exe	70
PID 1828 wrote to memory of 3432	1828	chrome.exe	70
PID 1828 wrote to memory of 3432	1828	chrome.exe	70
PID 1828 wrote to memory of 3432	1828	chrome.exe	70
PID 1828 wrote to memory of 3432	1828	chrome.exe	70
PID 1828 wrote to memory of 3432	1828	chrome.exe	70
PID 1828 wrote to memory of 3432	1828	chrome.exe	70
PID 1828 wrote to memory of 3432	1828	chrome.exe	70
PID 1828 wrote to memory of 3432	1828	chrome.exe	70

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/watch?v=dQw4w9WgXcQ
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd8,0xdc,0xe0,0xb4,0xe4,0x7fff113b4f50,0x7fff113b4f60,0x7fff113b4f70
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1636 /prefetch:2
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1700 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2064 /prefetch:8
  2⤵
  PID:3432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2940 /prefetch:1
  2⤵
  PID:1756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2960 /prefetch:1
  2⤵
  PID:1612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4112 /prefetch:8
  2⤵
  PID:1540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4304 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4232 /prefetch:8
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5088 /prefetch:8
  2⤵
  PID:4392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4712 /prefetch:8
  2⤵
  PID:4376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4720 /prefetch:8
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4928 /prefetch:8
  2⤵
  PID:4228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5400 /prefetch:8
  2⤵
  PID:4220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5536 /prefetch:8
  2⤵
  PID:4720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
  2⤵
  PID:3084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5776 /prefetch:8
  2⤵
  PID:1456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2544 /prefetch:8
  2⤵
  PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5732 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4828 /prefetch:8
  2⤵
  PID:1516
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.288.200\software_reporter_tool.exe
  "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.288.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=74YDgBOuvbdlPlmDkr63DbWaM2qF8ryXErHsoUaK --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=Off
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1308
- - \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\software_reporter_tool.exe
    "c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=104.288.200 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff6d1022d20,0x7ff6d1022d30,0x7ff6d1022d40
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3408
- - \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\software_reporter_tool.exe
    "c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_1308_CJEAJTVLJLTUSHAT" --sandboxed-process-id=2 --init-done-notifier=720 --sandbox-mojo-pipe-token=16880564021474151376 --mojo-platform-channel-handle=696 --engine=2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:5068
- - \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\software_reporter_tool.exe
    "c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_1308_CJEAJTVLJLTUSHAT" --sandboxed-process-id=3 --init-done-notifier=928 --sandbox-mojo-pipe-token=17769465900435313059 --mojo-platform-channel-handle=924
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2188 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
  2⤵
  PID:448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  PID:3392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2012 /prefetch:8
  2⤵
  PID:4600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5192 /prefetch:8
  2⤵
  PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  PID:164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5156 /prefetch:8
  2⤵
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,9524554961082876558,9829362228796851334,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  PID:4384

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3cc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:4712
- C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4712_1830947680\ChromeRecovery.exe
  "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4712_1830947680\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={e3347507-d4b6-493b-8736-2dac30d1ecf9} --system
  2⤵
  - Executes dropped EXE
  PID:160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4712_1830947680\ChromeRecovery.exe

Filesize
253KB

MD5
49ac3c96d270702a27b4895e4ce1f42a

SHA1
55b90405f1e1b72143c64113e8bc65608dd3fd76

SHA256
82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f

SHA512
b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3

Filesize
141KB

MD5
ea1c1ffd3ea54d1fb117bfdbb3569c60

SHA1
10958b0f690ae8f5240e1528b1ccffff28a33272

SHA256
7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d

SHA512
6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.288.200\software_reporter_tool.exe

Filesize
14.0MB

MD5
e6d6ddba378f802fff618da5fc2f6b8a

SHA1
b6a2ea50a699349ae045012819e19edc689fbcc4

SHA256
df958e7e33838f0edc01897959f05a80a69413bc9e498015161c6a77d1bf5c6a

SHA512
2699f306fb2ad3ae75456a4fa844a26c0006048dbe96a0281c80ffd4a625b479a32786da83fa86561d401a5dc0b3d6ea6a1b6f90d9b8354c2654b0a91739e202

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.288.200\software_reporter_tool.exe

Filesize
14.0MB

MD5
e6d6ddba378f802fff618da5fc2f6b8a

SHA1
b6a2ea50a699349ae045012819e19edc689fbcc4

SHA256
df958e7e33838f0edc01897959f05a80a69413bc9e498015161c6a77d1bf5c6a

SHA512
2699f306fb2ad3ae75456a4fa844a26c0006048dbe96a0281c80ffd4a625b479a32786da83fa86561d401a5dc0b3d6ea6a1b6f90d9b8354c2654b0a91739e202

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.288.200\software_reporter_tool.exe

Filesize
14.0MB

MD5
e6d6ddba378f802fff618da5fc2f6b8a

SHA1
b6a2ea50a699349ae045012819e19edc689fbcc4

SHA256
df958e7e33838f0edc01897959f05a80a69413bc9e498015161c6a77d1bf5c6a

SHA512
2699f306fb2ad3ae75456a4fa844a26c0006048dbe96a0281c80ffd4a625b479a32786da83fa86561d401a5dc0b3d6ea6a1b6f90d9b8354c2654b0a91739e202

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.288.200\software_reporter_tool.exe

Filesize
14.0MB

MD5
e6d6ddba378f802fff618da5fc2f6b8a

SHA1
b6a2ea50a699349ae045012819e19edc689fbcc4

SHA256
df958e7e33838f0edc01897959f05a80a69413bc9e498015161c6a77d1bf5c6a

SHA512
2699f306fb2ad3ae75456a4fa844a26c0006048dbe96a0281c80ffd4a625b479a32786da83fa86561d401a5dc0b3d6ea6a1b6f90d9b8354c2654b0a91739e202

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.288.200\software_reporter_tool.exe

Filesize
14.0MB

MD5
e6d6ddba378f802fff618da5fc2f6b8a

SHA1
b6a2ea50a699349ae045012819e19edc689fbcc4

SHA256
df958e7e33838f0edc01897959f05a80a69413bc9e498015161c6a77d1bf5c6a

SHA512
2699f306fb2ad3ae75456a4fa844a26c0006048dbe96a0281c80ffd4a625b479a32786da83fa86561d401a5dc0b3d6ea6a1b6f90d9b8354c2654b0a91739e202

Download Submit
C:\Users\Admin\AppData\Local\Google\Software Reporter Tool\software_reporter_tool-sandbox.log

Filesize
2KB

MD5
b86e847e0ce19ba7d3928a5902f98f38

SHA1
27003e2fa488201a0739f98a2bf3bfd9aacec972

SHA256
0eef8e3f84e6cdf582b5f722e319c3aedaa7300905a3ef71001cd039f489efe9

SHA512
bbfc4e30220901dba250ad059e42f9674b1121f3546c858cad00135b14723a99b0f1c268af01b6f0af8a34c7d2a052c3c11fe53c5d55e3585a71e0827c26e4f3

Download Submit
\??\c:\users\admin\appdata\local\Google\Software Reporter Tool\settings.dat

Filesize
40B

MD5
d5cff0920fdd154f477a184ba1dc23a1

SHA1
073c3272b22ff3a7c6cb231ce86252feab631246

SHA256
f09c509b543d5536c70b9e20157079ad285ecc1a873a8e996cb772d014e4fc23

SHA512
82d67174e9bfaed927a2e91f18f325bd592e0dad4313bd64ca6a38cce3500882b1322481462fc474dad77190c43ae066ddf5e5c47f036f45d15a49b8e074ed9b

Download Submit
\??\c:\users\admin\appdata\local\Google\Software Reporter Tool\settings.dat

Filesize
40B

MD5
d5cff0920fdd154f477a184ba1dc23a1

SHA1
073c3272b22ff3a7c6cb231ce86252feab631246

SHA256
f09c509b543d5536c70b9e20157079ad285ecc1a873a8e996cb772d014e4fc23

SHA512
82d67174e9bfaed927a2e91f18f325bd592e0dad4313bd64ca6a38cce3500882b1322481462fc474dad77190c43ae066ddf5e5c47f036f45d15a49b8e074ed9b

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\edls_64.dll

Filesize
449KB

MD5
79d7f318441c21d17739e43990697d1d

SHA1
9683265bf401d11313b768dfc4b3aeb10015d18c

SHA256
0ce49dc9f71360bf9dd21b8e3af4641834f85eed7d80a7de0940508437e68970

SHA512
67c7a7d3bbadeff21951809d2f843311328771ed46bc1ca14edba486263f56f86922668dd89d11b05a16130380b7543f7c9556d79503c505807407763e9d3595

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\em000_64.dll

Filesize
37KB

MD5
f8b7cac6e9587baabf4045c34890c7ce

SHA1
61814262c6ee5ceaab2c0263c913cae52e203af7

SHA256
8b0613b91229c98dfa5398568a4fa40dde2a2d40028654f74923bc929d6b5b30

SHA512
4f80021fa2a6e6bd3cdd8248d6139d105dca984a914184d5b1e251e97daa77e36c4e059ed3a617ad12dd998eb603accd34ef3951261ad997a081d8ac934b6211

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\em001_64.dll

Filesize
378KB

MD5
7adcb76ec34d774d1435b477e8625c47

SHA1
ec4ba0ad028c45489608c6822f3cabb683a07064

SHA256
a55be2be943078157b7d1cfb52febd4a95e4c7a37995bb75b19b079cc1ee5b9d

SHA512
c1af669ee971b4f4a3bb057fe423a63376cfc19026650036b29d77fed73458d235889a662ac5e12c871c3e77f6fbdb1fa29c0dfa488a4a40fa045d79eb61e7c4

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\em002_64.dll

Filesize
2.2MB

MD5
1b573c20bf9df046d134fe127f0fa306

SHA1
a7400ea404c8f66f36b1bc8ed7f5a376e4966bac

SHA256
38874996fb8568205fbec9254cf63b504bdb93422a6966dcb4e5d47e977601a7

SHA512
5a7149558932987c24ac768cb6805cc8136ffa0660dcc09e50986dd43ae2809eee77376f2e205e84f346b4ea0e841d441f64bc8616980968791ff6b0c6e2b01d

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\em003_64.dll

Filesize
1.3MB

MD5
afa6a767b0745cb03c1e7f5189b258df

SHA1
fb834620cb82c9354c103820ed53d67ae1550dcc

SHA256
4539600b2b1c78aaae0f1a6766125afd07e24d3b4da5f3c875adf34e9ff8956c

SHA512
a4f629a0ebac36b6f4c0f6c91b9a72a87fc716fc90c2e2786d8063b09372f045bb0ec4a0cb266e3ea89474939fc0bb6cf8589abd20e0142d4b37987dfdd0ece4

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\em004_64.dll

Filesize
6.1MB

MD5
ee46beaa6c9244880e8a510d080b4416

SHA1
a83c3946a2f53f064e91d8b60d5f6c697a560062

SHA256
d4f17bd032ead2a73340e6c14e24a3fa901d0fbae78f49fe4d368a01b788b49c

SHA512
4e69dddd1215b1675bac788996019ef3cb22418fbba75c0c7935dafb2b1742bad79cc9ea6814b5f8d1663657a7987499a155cdf57733d1afae42b0e25d475c25

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\em005_64.dll

Filesize
576KB

MD5
169a2ef320119891cf3189aa3fd23b0e

SHA1
de51c936101ef79bbc0f1d3c800cf832d221eef8

SHA256
1072d49da0a70640fb9716cb894f4834ff621ca96d4aea1f478754edf4d0f780

SHA512
7fe27d360bbf6d410ea9d33d6003ab455cd8b9e5521c00db9bb6c44a7472ccf2083d51034bab5ffc5aef85db36fc758c76b02fa31f0d0024c9d532548a2bf9ca

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.288.200\edls_64.dll

Filesize
449KB

MD5
79d7f318441c21d17739e43990697d1d

SHA1
9683265bf401d11313b768dfc4b3aeb10015d18c

SHA256
0ce49dc9f71360bf9dd21b8e3af4641834f85eed7d80a7de0940508437e68970

SHA512
67c7a7d3bbadeff21951809d2f843311328771ed46bc1ca14edba486263f56f86922668dd89d11b05a16130380b7543f7c9556d79503c505807407763e9d3595

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.288.200\em000_64.dll

Filesize
37KB

MD5
f8b7cac6e9587baabf4045c34890c7ce

SHA1
61814262c6ee5ceaab2c0263c913cae52e203af7

SHA256
8b0613b91229c98dfa5398568a4fa40dde2a2d40028654f74923bc929d6b5b30

SHA512
4f80021fa2a6e6bd3cdd8248d6139d105dca984a914184d5b1e251e97daa77e36c4e059ed3a617ad12dd998eb603accd34ef3951261ad997a081d8ac934b6211

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.288.200\em001_64.dll

Filesize
378KB

MD5
7adcb76ec34d774d1435b477e8625c47

SHA1
ec4ba0ad028c45489608c6822f3cabb683a07064

SHA256
a55be2be943078157b7d1cfb52febd4a95e4c7a37995bb75b19b079cc1ee5b9d

SHA512
c1af669ee971b4f4a3bb057fe423a63376cfc19026650036b29d77fed73458d235889a662ac5e12c871c3e77f6fbdb1fa29c0dfa488a4a40fa045d79eb61e7c4

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.288.200\em002_64.dll

Filesize
2.2MB

MD5
1b573c20bf9df046d134fe127f0fa306

SHA1
a7400ea404c8f66f36b1bc8ed7f5a376e4966bac

SHA256
38874996fb8568205fbec9254cf63b504bdb93422a6966dcb4e5d47e977601a7

SHA512
5a7149558932987c24ac768cb6805cc8136ffa0660dcc09e50986dd43ae2809eee77376f2e205e84f346b4ea0e841d441f64bc8616980968791ff6b0c6e2b01d

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.288.200\em003_64.dll

Filesize
1.3MB

MD5
afa6a767b0745cb03c1e7f5189b258df

SHA1
fb834620cb82c9354c103820ed53d67ae1550dcc

SHA256
4539600b2b1c78aaae0f1a6766125afd07e24d3b4da5f3c875adf34e9ff8956c

SHA512
a4f629a0ebac36b6f4c0f6c91b9a72a87fc716fc90c2e2786d8063b09372f045bb0ec4a0cb266e3ea89474939fc0bb6cf8589abd20e0142d4b37987dfdd0ece4

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.288.200\em004_64.dll

Filesize
6.1MB

MD5
ee46beaa6c9244880e8a510d080b4416

SHA1
a83c3946a2f53f064e91d8b60d5f6c697a560062

SHA256
d4f17bd032ead2a73340e6c14e24a3fa901d0fbae78f49fe4d368a01b788b49c

SHA512
4e69dddd1215b1675bac788996019ef3cb22418fbba75c0c7935dafb2b1742bad79cc9ea6814b5f8d1663657a7987499a155cdf57733d1afae42b0e25d475c25

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.288.200\em005_64.dll

Filesize
576KB

MD5
169a2ef320119891cf3189aa3fd23b0e

SHA1
de51c936101ef79bbc0f1d3c800cf832d221eef8

SHA256
1072d49da0a70640fb9716cb894f4834ff621ca96d4aea1f478754edf4d0f780

SHA512
7fe27d360bbf6d410ea9d33d6003ab455cd8b9e5521c00db9bb6c44a7472ccf2083d51034bab5ffc5aef85db36fc758c76b02fa31f0d0024c9d532548a2bf9ca

Download Submit
memory/160-184-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-198-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-229-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-189-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-191-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-166-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-167-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-168-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-169-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-170-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-171-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-172-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-173-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-174-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-175-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-177-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-178-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-179-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-180-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-176-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-181-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-182-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-183-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-202-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-185-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-186-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-187-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-188-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-190-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-192-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-193-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-194-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-195-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-196-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-199-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-200-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-203-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-197-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-201-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-204-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-205-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-207-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-209-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-211-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-214-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-217-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-220-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-223-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-226-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-228-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-227-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-225-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-224-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-222-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-221-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-219-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-218-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-216-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-215-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-213-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-212-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-210-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-208-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/160-206-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/5068-160-0x00000182E0F00000-0x00000182E0F40000-memory.dmp

Filesize
256KB

Download
memory/5068-233-0x00000182E0F00000-0x00000182E0F40000-memory.dmp

Filesize
256KB

Download
memory/5068-234-0x00000182E0F00000-0x00000182E0F40000-memory.dmp

Filesize
256KB

Download
memory/5068-235-0x00000182E0F00000-0x00000182E0F40000-memory.dmp

Filesize
256KB

Download
memory/5068-236-0x00000182E0F00000-0x00000182E0F40000-memory.dmp

Filesize
256KB

Download