hxxps://acrobat[.]adobe[.]com/link/track?uri=urn[:]aaid[:]scds[:]US[:]f107c08b-3bb4-42e9-9911-3de1ae1d833d

Analysis

max time kernel
297s
max time network
302s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
15/09/2022, 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://acrobat.adobe.com/link/track?uri=urn:aaid:scds:US:f107c08b-3bb4-42e9-9911-3de1ae1d833d

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3392	software_reporter_tool.exe
200	software_reporter_tool.exe
3312	software_reporter_tool.exe
2948	software_reporter_tool.exe

Loads dropped DLL 7 IoCs

pid	Process
3312	software_reporter_tool.exe
3312	software_reporter_tool.exe
3312	software_reporter_tool.exe
3312	software_reporter_tool.exe
3312	software_reporter_tool.exe
3312	software_reporter_tool.exe
3312	software_reporter_tool.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3864	chrome.exe
3864	chrome.exe
2844	chrome.exe
2844	chrome.exe
3284	chrome.exe
3284	chrome.exe
2656	chrome.exe
2656	chrome.exe
4840	chrome.exe
4840	chrome.exe
3192	chrome.exe
3192	chrome.exe
540	chrome.exe
540	chrome.exe
1204	chrome.exe
1204	chrome.exe
2844	chrome.exe
2844	chrome.exe
944	chrome.exe
944	chrome.exe
188	chrome.exe
188	chrome.exe
3392	software_reporter_tool.exe
3392	software_reporter_tool.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: 33	200	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	200	software_reporter_tool.exe
Token: 33	3392	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	3392	software_reporter_tool.exe
Token: 33	3312	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	3312	software_reporter_tool.exe
Token: 33	2948	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	2948	software_reporter_tool.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2856	2844	chrome.exe	66
PID 2844 wrote to memory of 2856	2844	chrome.exe	66
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 4628	2844	chrome.exe	69
PID 2844 wrote to memory of 3864	2844	chrome.exe	68
PID 2844 wrote to memory of 3864	2844	chrome.exe	68
PID 2844 wrote to memory of 3704	2844	chrome.exe	70
PID 2844 wrote to memory of 3704	2844	chrome.exe	70
PID 2844 wrote to memory of 3704	2844	chrome.exe	70
PID 2844 wrote to memory of 3704	2844	chrome.exe	70
PID 2844 wrote to memory of 3704	2844	chrome.exe	70
PID 2844 wrote to memory of 3704	2844	chrome.exe	70
PID 2844 wrote to memory of 3704	2844	chrome.exe	70
PID 2844 wrote to memory of 3704	2844	chrome.exe	70
PID 2844 wrote to memory of 3704	2844	chrome.exe	70
PID 2844 wrote to memory of 3704	2844	chrome.exe	70
PID 2844 wrote to memory of 3704	2844	chrome.exe	70
PID 2844 wrote to memory of 3704	2844	chrome.exe	70
PID 2844 wrote to memory of 3704	2844	chrome.exe	70
PID 2844 wrote to memory of 3704	2844	chrome.exe	70
PID 2844 wrote to memory of 3704	2844	chrome.exe	70
PID 2844 wrote to memory of 3704	2844	chrome.exe	70
PID 2844 wrote to memory of 3704	2844	chrome.exe	70
PID 2844 wrote to memory of 3704	2844	chrome.exe	70
PID 2844 wrote to memory of 3704	2844	chrome.exe	70
PID 2844 wrote to memory of 3704	2844	chrome.exe	70

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://acrobat.adobe.com/link/track?uri=urn:aaid:scds:US:f107c08b-3bb4-42e9-9911-3de1ae1d833d
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa6a6d4f50,0x7ffa6a6d4f60,0x7ffa6a6d4f70
  2⤵
  PID:2856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1588,17071398805918342960,6292676075144635725,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1664 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1588,17071398805918342960,6292676075144635725,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1600 /prefetch:2
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1588,17071398805918342960,6292676075144635725,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2324 /prefetch:8
  2⤵
  PID:3704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,17071398805918342960,6292676075144635725,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2936 /prefetch:1
  2⤵
  PID:1364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,17071398805918342960,6292676075144635725,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2964 /prefetch:1
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,17071398805918342960,6292676075144635725,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4208 /prefetch:8
  2⤵
  PID:1888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,17071398805918342960,6292676075144635725,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4232 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,17071398805918342960,6292676075144635725,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4300 /prefetch:1
  2⤵
  PID:4228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,17071398805918342960,6292676075144635725,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5464 /prefetch:8
  2⤵
  PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,17071398805918342960,6292676075144635725,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,17071398805918342960,6292676075144635725,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5596 /prefetch:8
  2⤵
  PID:4924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,17071398805918342960,6292676075144635725,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4444 /prefetch:8
  2⤵
  PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,17071398805918342960,6292676075144635725,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5592 /prefetch:8
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,17071398805918342960,6292676075144635725,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1
  2⤵
  PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,17071398805918342960,6292676075144635725,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4476 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,17071398805918342960,6292676075144635725,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4212 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,17071398805918342960,6292676075144635725,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,17071398805918342960,6292676075144635725,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4424 /prefetch:1
  2⤵
  PID:3220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,17071398805918342960,6292676075144635725,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4560 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,17071398805918342960,6292676075144635725,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2368 /prefetch:8
  2⤵
  PID:680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,17071398805918342960,6292676075144635725,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,17071398805918342960,6292676075144635725,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2272 /prefetch:8
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,17071398805918342960,6292676075144635725,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2404 /prefetch:8
  2⤵
  PID:1196
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.288.200\software_reporter_tool.exe
  "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.288.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=s860cySy5PjN/81PANTsXz1vNhUfwUtBfQwfqPoc --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=Off
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3392
- - \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\software_reporter_tool.exe
    "c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=104.288.200 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff6ac132d20,0x7ff6ac132d30,0x7ff6ac132d40
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:200
- - \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\software_reporter_tool.exe
    "c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_3392_EYKWYSDSVGUWPQVM" --sandboxed-process-id=2 --init-done-notifier=720 --sandbox-mojo-pipe-token=18366919786048460829 --mojo-platform-channel-handle=696 --engine=2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3312
- - \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\software_reporter_tool.exe
    "c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_3392_EYKWYSDSVGUWPQVM" --sandboxed-process-id=3 --init-done-notifier=928 --sandbox-mojo-pipe-token=3749745229617604026 --mojo-platform-channel-handle=924
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,17071398805918342960,6292676075144635725,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,17071398805918342960,6292676075144635725,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4916 /prefetch:8
  2⤵
  PID:2380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1588,17071398805918342960,6292676075144635725,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5604 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,17071398805918342960,6292676075144635725,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4924 /prefetch:8
  2⤵
  PID:1888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,17071398805918342960,6292676075144635725,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  PID:3900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,17071398805918342960,6292676075144635725,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5296 /prefetch:8
  2⤵
  PID:5036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.288.200\software_reporter_tool.exe

Filesize
14.0MB

MD5
e6d6ddba378f802fff618da5fc2f6b8a

SHA1
b6a2ea50a699349ae045012819e19edc689fbcc4

SHA256
df958e7e33838f0edc01897959f05a80a69413bc9e498015161c6a77d1bf5c6a

SHA512
2699f306fb2ad3ae75456a4fa844a26c0006048dbe96a0281c80ffd4a625b479a32786da83fa86561d401a5dc0b3d6ea6a1b6f90d9b8354c2654b0a91739e202

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.288.200\software_reporter_tool.exe

Filesize
14.0MB

MD5
e6d6ddba378f802fff618da5fc2f6b8a

SHA1
b6a2ea50a699349ae045012819e19edc689fbcc4

SHA256
df958e7e33838f0edc01897959f05a80a69413bc9e498015161c6a77d1bf5c6a

SHA512
2699f306fb2ad3ae75456a4fa844a26c0006048dbe96a0281c80ffd4a625b479a32786da83fa86561d401a5dc0b3d6ea6a1b6f90d9b8354c2654b0a91739e202

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.288.200\software_reporter_tool.exe

Filesize
14.0MB

MD5
e6d6ddba378f802fff618da5fc2f6b8a

SHA1
b6a2ea50a699349ae045012819e19edc689fbcc4

SHA256
df958e7e33838f0edc01897959f05a80a69413bc9e498015161c6a77d1bf5c6a

SHA512
2699f306fb2ad3ae75456a4fa844a26c0006048dbe96a0281c80ffd4a625b479a32786da83fa86561d401a5dc0b3d6ea6a1b6f90d9b8354c2654b0a91739e202

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.288.200\software_reporter_tool.exe

Filesize
14.0MB

MD5
e6d6ddba378f802fff618da5fc2f6b8a

SHA1
b6a2ea50a699349ae045012819e19edc689fbcc4

SHA256
df958e7e33838f0edc01897959f05a80a69413bc9e498015161c6a77d1bf5c6a

SHA512
2699f306fb2ad3ae75456a4fa844a26c0006048dbe96a0281c80ffd4a625b479a32786da83fa86561d401a5dc0b3d6ea6a1b6f90d9b8354c2654b0a91739e202

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.288.200\software_reporter_tool.exe

Filesize
14.0MB

MD5
e6d6ddba378f802fff618da5fc2f6b8a

SHA1
b6a2ea50a699349ae045012819e19edc689fbcc4

SHA256
df958e7e33838f0edc01897959f05a80a69413bc9e498015161c6a77d1bf5c6a

SHA512
2699f306fb2ad3ae75456a4fa844a26c0006048dbe96a0281c80ffd4a625b479a32786da83fa86561d401a5dc0b3d6ea6a1b6f90d9b8354c2654b0a91739e202

Download Submit
C:\Users\Admin\AppData\Local\Google\Software Reporter Tool\software_reporter_tool-sandbox.log

Filesize
4KB

MD5
9ce15a69b1041b44a2082615549d6a03

SHA1
eb1f196224b54858e0dc49958811e121cdb94d23

SHA256
d04ee0b30a5cd431f9a20a8b32395a070e635213be7a14a62c34fbda769a6ee1

SHA512
def29c20319999400345fe85b2852887ed5ba1a2f831f91a58cc92d6012cb249a5084568e56f6c49ea6ba3931f4c0181da6883316681eacfdb30e455feeaef9d

Download Submit
\??\c:\users\admin\appdata\local\Google\Software Reporter Tool\settings.dat

Filesize
40B

MD5
59e0c82afa3d67c79670bd5edc86629e

SHA1
7222a1c36891c4ccbd8abc2393c4743daa523edb

SHA256
8d7bea92704e00da5282ffa8bdbcf49b09f68fad4c8e186a1ba5a9276d20fa61

SHA512
368cb4b7432f3ed34b70122e875b1e86a6bdc5a95033d80c5a038ad6f1afe5ef98453a4647c93350ead88f3c81817b1bdb22780b4876ebb5f923bfa3ffe7a2fc

Download Submit
\??\c:\users\admin\appdata\local\Google\Software Reporter Tool\settings.dat

Filesize
40B

MD5
59e0c82afa3d67c79670bd5edc86629e

SHA1
7222a1c36891c4ccbd8abc2393c4743daa523edb

SHA256
8d7bea92704e00da5282ffa8bdbcf49b09f68fad4c8e186a1ba5a9276d20fa61

SHA512
368cb4b7432f3ed34b70122e875b1e86a6bdc5a95033d80c5a038ad6f1afe5ef98453a4647c93350ead88f3c81817b1bdb22780b4876ebb5f923bfa3ffe7a2fc

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\edls_64.dll

Filesize
449KB

MD5
79d7f318441c21d17739e43990697d1d

SHA1
9683265bf401d11313b768dfc4b3aeb10015d18c

SHA256
0ce49dc9f71360bf9dd21b8e3af4641834f85eed7d80a7de0940508437e68970

SHA512
67c7a7d3bbadeff21951809d2f843311328771ed46bc1ca14edba486263f56f86922668dd89d11b05a16130380b7543f7c9556d79503c505807407763e9d3595

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\em000_64.dll

Filesize
37KB

MD5
f8b7cac6e9587baabf4045c34890c7ce

SHA1
61814262c6ee5ceaab2c0263c913cae52e203af7

SHA256
8b0613b91229c98dfa5398568a4fa40dde2a2d40028654f74923bc929d6b5b30

SHA512
4f80021fa2a6e6bd3cdd8248d6139d105dca984a914184d5b1e251e97daa77e36c4e059ed3a617ad12dd998eb603accd34ef3951261ad997a081d8ac934b6211

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\em001_64.dll

Filesize
378KB

MD5
7adcb76ec34d774d1435b477e8625c47

SHA1
ec4ba0ad028c45489608c6822f3cabb683a07064

SHA256
a55be2be943078157b7d1cfb52febd4a95e4c7a37995bb75b19b079cc1ee5b9d

SHA512
c1af669ee971b4f4a3bb057fe423a63376cfc19026650036b29d77fed73458d235889a662ac5e12c871c3e77f6fbdb1fa29c0dfa488a4a40fa045d79eb61e7c4

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\em002_64.dll

Filesize
2.2MB

MD5
1b573c20bf9df046d134fe127f0fa306

SHA1
a7400ea404c8f66f36b1bc8ed7f5a376e4966bac

SHA256
38874996fb8568205fbec9254cf63b504bdb93422a6966dcb4e5d47e977601a7

SHA512
5a7149558932987c24ac768cb6805cc8136ffa0660dcc09e50986dd43ae2809eee77376f2e205e84f346b4ea0e841d441f64bc8616980968791ff6b0c6e2b01d

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\em003_64.dll

Filesize
1.3MB

MD5
afa6a767b0745cb03c1e7f5189b258df

SHA1
fb834620cb82c9354c103820ed53d67ae1550dcc

SHA256
4539600b2b1c78aaae0f1a6766125afd07e24d3b4da5f3c875adf34e9ff8956c

SHA512
a4f629a0ebac36b6f4c0f6c91b9a72a87fc716fc90c2e2786d8063b09372f045bb0ec4a0cb266e3ea89474939fc0bb6cf8589abd20e0142d4b37987dfdd0ece4

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\em004_64.dll

Filesize
6.1MB

MD5
ee46beaa6c9244880e8a510d080b4416

SHA1
a83c3946a2f53f064e91d8b60d5f6c697a560062

SHA256
d4f17bd032ead2a73340e6c14e24a3fa901d0fbae78f49fe4d368a01b788b49c

SHA512
4e69dddd1215b1675bac788996019ef3cb22418fbba75c0c7935dafb2b1742bad79cc9ea6814b5f8d1663657a7987499a155cdf57733d1afae42b0e25d475c25

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\em005_64.dll

Filesize
576KB

MD5
169a2ef320119891cf3189aa3fd23b0e

SHA1
de51c936101ef79bbc0f1d3c800cf832d221eef8

SHA256
1072d49da0a70640fb9716cb894f4834ff621ca96d4aea1f478754edf4d0f780

SHA512
7fe27d360bbf6d410ea9d33d6003ab455cd8b9e5521c00db9bb6c44a7472ccf2083d51034bab5ffc5aef85db36fc758c76b02fa31f0d0024c9d532548a2bf9ca

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.288.200\edls_64.dll

Filesize
449KB

MD5
79d7f318441c21d17739e43990697d1d

SHA1
9683265bf401d11313b768dfc4b3aeb10015d18c

SHA256
0ce49dc9f71360bf9dd21b8e3af4641834f85eed7d80a7de0940508437e68970

SHA512
67c7a7d3bbadeff21951809d2f843311328771ed46bc1ca14edba486263f56f86922668dd89d11b05a16130380b7543f7c9556d79503c505807407763e9d3595

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.288.200\em000_64.dll

Filesize
37KB

MD5
f8b7cac6e9587baabf4045c34890c7ce

SHA1
61814262c6ee5ceaab2c0263c913cae52e203af7

SHA256
8b0613b91229c98dfa5398568a4fa40dde2a2d40028654f74923bc929d6b5b30

SHA512
4f80021fa2a6e6bd3cdd8248d6139d105dca984a914184d5b1e251e97daa77e36c4e059ed3a617ad12dd998eb603accd34ef3951261ad997a081d8ac934b6211

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.288.200\em001_64.dll

Filesize
378KB

MD5
7adcb76ec34d774d1435b477e8625c47

SHA1
ec4ba0ad028c45489608c6822f3cabb683a07064

SHA256
a55be2be943078157b7d1cfb52febd4a95e4c7a37995bb75b19b079cc1ee5b9d

SHA512
c1af669ee971b4f4a3bb057fe423a63376cfc19026650036b29d77fed73458d235889a662ac5e12c871c3e77f6fbdb1fa29c0dfa488a4a40fa045d79eb61e7c4

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.288.200\em002_64.dll

Filesize
2.2MB

MD5
1b573c20bf9df046d134fe127f0fa306

SHA1
a7400ea404c8f66f36b1bc8ed7f5a376e4966bac

SHA256
38874996fb8568205fbec9254cf63b504bdb93422a6966dcb4e5d47e977601a7

SHA512
5a7149558932987c24ac768cb6805cc8136ffa0660dcc09e50986dd43ae2809eee77376f2e205e84f346b4ea0e841d441f64bc8616980968791ff6b0c6e2b01d

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.288.200\em003_64.dll

Filesize
1.3MB

MD5
afa6a767b0745cb03c1e7f5189b258df

SHA1
fb834620cb82c9354c103820ed53d67ae1550dcc

SHA256
4539600b2b1c78aaae0f1a6766125afd07e24d3b4da5f3c875adf34e9ff8956c

SHA512
a4f629a0ebac36b6f4c0f6c91b9a72a87fc716fc90c2e2786d8063b09372f045bb0ec4a0cb266e3ea89474939fc0bb6cf8589abd20e0142d4b37987dfdd0ece4

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.288.200\em004_64.dll

Filesize
6.1MB

MD5
ee46beaa6c9244880e8a510d080b4416

SHA1
a83c3946a2f53f064e91d8b60d5f6c697a560062

SHA256
d4f17bd032ead2a73340e6c14e24a3fa901d0fbae78f49fe4d368a01b788b49c

SHA512
4e69dddd1215b1675bac788996019ef3cb22418fbba75c0c7935dafb2b1742bad79cc9ea6814b5f8d1663657a7987499a155cdf57733d1afae42b0e25d475c25

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.288.200\em005_64.dll

Filesize
576KB

MD5
169a2ef320119891cf3189aa3fd23b0e

SHA1
de51c936101ef79bbc0f1d3c800cf832d221eef8

SHA256
1072d49da0a70640fb9716cb894f4834ff621ca96d4aea1f478754edf4d0f780

SHA512
7fe27d360bbf6d410ea9d33d6003ab455cd8b9e5521c00db9bb6c44a7472ccf2083d51034bab5ffc5aef85db36fc758c76b02fa31f0d0024c9d532548a2bf9ca

Download Submit
memory/3312-158-0x000001664DE40000-0x000001664DE80000-memory.dmp

Filesize
256KB

Download
memory/3312-159-0x000001664DE40000-0x000001664DE80000-memory.dmp

Filesize
256KB

Download
memory/3312-160-0x000001664DE40000-0x000001664DE80000-memory.dmp

Filesize
256KB

Download
memory/3312-161-0x000001664DE40000-0x000001664DE80000-memory.dmp

Filesize
256KB

Download
memory/3312-162-0x000001664DE40000-0x000001664DE80000-memory.dmp

Filesize
256KB

Download