bitrat | hxxp://45[.]95[.]169[.]45[:]23205/

Resubmissions

22-11-2022 00:51

221122-a7gqmagg5y 8

21-11-2022 23:09

21-11-2022 21:54

21-11-2022 21:30

21-11-2022 20:42

21-11-2022 19:29

Analysis

max time kernel
1801s
max time network
1804s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2022 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://45.95.169.45:23205/

Score

10^/10

bitrat cobaltstrike xmrig 0 backdoor discovery miner persistence spyware stealer trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://45.95.168.128:443/pixel

Attributes

access_type
512
beacon_type
2048
host
45.95.168.128,/pixel
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCGc0rAQKMIiL70qqb75BvsKGFxd68PzkDGPAeplbyujNlAS07ATwD1bZc9M1o7ABGK3nmnTY8qYPyPooiR8lox5NgRhP9fUYSHcbiv9iGQ+qsNfhz/T1zRsw08uGDrBDLXkPjIwc8slP0i8TV6ez79J1pURyRBCsFNpsh7JZbOUQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MANM)
watermark
0

Extracted

Family

bitrat

Version

1.34

45.95.168.128:23202

Attributes

communication_password
ed99c23d77796aac877ce1f91481dc28
install_dir
tst
install_file
tst.exe
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/5036-183-0x00007FF68FDF0000-0x00007FF6904FA000-memory.dmp	xmrig
behavioral1/memory/4484-186-0x00007FF71B020000-0x00007FF71B72A000-memory.dmp	xmrig
behavioral1/memory/4868-188-0x00007FF71B020000-0x00007FF71B72A000-memory.dmp	xmrig

Downloads MZ/PE file

Executes dropped EXE 17 IoCs

Processes:

ChromeRecovery.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exe2.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeao.exeaq.exebamb.exebb.exebeacon.exebit.exedaco.exeiepv.exe

pid	process
1176	ChromeRecovery.exe
5108	software_reporter_tool.exe
1984	software_reporter_tool.exe
4896	software_reporter_tool.exe
3732	software_reporter_tool.exe
1784	2.exe
5036	GoogleUpdate.exe
4484	GoogleUpdate.exe
4868	GoogleUpdate.exe
2984	ao.exe
1564	aq.exe
4912	bamb.exe
1836	bb.exe
2216	beacon.exe
4156	bit.exe
2044	daco.exe
4708	iepv.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/4156-261-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/4156-265-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WScript.exe

Loads dropped DLL 7 IoCs

Processes:

software_reporter_tool.exe

pid	process
4896	software_reporter_tool.exe
4896	software_reporter_tool.exe
4896	software_reporter_tool.exe
4896	software_reporter_tool.exe
4896	software_reporter_tool.exe
4896	software_reporter_tool.exe
4896	software_reporter_tool.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 19 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bit.exeexplorer.exesvchost.exesvchost.exeexplorer.exesvchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tst = "C:\\Users\\Admin\\AppData\\Local\\tst\\tst.exeЀ"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{AB1F3E47-AEF1-400E-A108-233A046C3A34} = "C:\\ProgramData\\Oracle\\java.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{AB1F3E47-AEF1-400E-A108-233A046C3A34} = "C:\\ProgramData\\Oracle\\java.ee"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tst = "C:\\Users\\Admin\\AppData\\Local\\tst\\tst.exe瘀"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tst = "C:\\Users\\Admin\\AppData\\Local\\tst\\tst.exeĀ"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tst = "C:\\Users\\Admin\\AppData\\Local\\tst\\tst.exe倀"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tst = "C:\\Users\\Admin\\AppData\\Local\\tst\\tst.exe\ue000"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tst = "C:\\Users\\Admin\\AppData\\Local\\tst\\tst.exeȀ"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tst = "C:\\Users\\Admin\\AppData\\Local\\tst\\tst.exe䜀"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tst = "C:\\Users\\Admin\\AppData\\Local\\tst\\tst.exe"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tst = "C:\\Users\\Admin\\AppData\\Local\\tst\\tst.exe\u0b00"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tst = "C:\\Users\\Admin\\AppData\\Local\\tst\\tst.exe\u0a00"	bit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{AB1F3E47-AEF1-400E-A108-233A046C3A34} = "C:\\ProgramData\\Oracle\\java.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{AB1F3E47-AEF1-400E-A108-233A046C3A34} = "C:\\ProgramData\\Oracle\\java.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tst = "C:\\Users\\Admin\\AppData\\Local\\tst\\tst.exe舀"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tst = "C:\\Users\\Admin\\AppData\\Local\\tst\\tst.exeሀ"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tst = "C:\\Users\\Admin\\AppData\\Local\\tst\\tst.exeက"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{AB1F3E47-AEF1-400E-A108-233A046C3A34} = "C:\\ProgramData\\Oracle\\java.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{AB1F3E47-AEF1-400E-A108-233A046C3A34} = "C:\\ProgramData\\Oracle\\java.ee"	explorer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

bit.exe

pid process

4156 bit.exe
4156 bit.exe
4156 bit.exe
4156 bit.exe

pid	process
4156	bit.exe
4156	bit.exe
4156	bit.exe
4156	bit.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

aq.exebamb.exebb.exe

description	pid	process	target process
PID 1564 set thread context of 364	1564	aq.exe	svchost.exe
PID 1564 set thread context of 1912	1564	aq.exe	explorer.exe
PID 4912 set thread context of 2028	4912	bamb.exe	svchost.exe
PID 4912 set thread context of 3848	4912	bamb.exe	explorer.exe
PID 1836 set thread context of 1176	1836	bb.exe	svchost.exe
PID 1836 set thread context of 4720	1836	bb.exe	explorer.exe

Drops file in Program Files directory 7 IoCs

Processes:

elevation_service.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3984_1129635469\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3984_1129635469\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3984_1129635469\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3984_1129635469\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3984_1129635469\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3984_1129635469\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3984_1129635469\_metadata\verified_contents.json	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 3 IoCs

Processes:

chrome.exechrome.exe2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2386679933-1492765628-3466841596-1000\{6343F45B-4908-4487-B80B-8EC4218EA96A}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	2.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

3632 NOTEPAD.EXE

pid	process
3632	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exesoftware_reporter_tool.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeaq.exesvchost.exeexplorer.exechrome.exechrome.exechrome.exechrome.exebamb.exesvchost.exe

pid	process
344	chrome.exe
344	chrome.exe
1800	chrome.exe
1800	chrome.exe
4068	chrome.exe
4068	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
3120	chrome.exe
3120	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3564	chrome.exe
3564	chrome.exe
4992	chrome.exe
4992	chrome.exe
5108	software_reporter_tool.exe
5108	software_reporter_tool.exe
2128	chrome.exe
2128	chrome.exe
3984	chrome.exe
3984	chrome.exe
4380	chrome.exe
4380	chrome.exe
3600	chrome.exe
3600	chrome.exe
4904	chrome.exe
4904	chrome.exe
4044	chrome.exe
4044	chrome.exe
3984	chrome.exe
3984	chrome.exe
5092	chrome.exe
5092	chrome.exe
1564	aq.exe
1564	aq.exe
1564	aq.exe
1564	aq.exe
364	svchost.exe
364	svchost.exe
364	svchost.exe
364	svchost.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
5040	chrome.exe
5040	chrome.exe
1264	chrome.exe
1264	chrome.exe
3688	chrome.exe
3688	chrome.exe
1964	chrome.exe
1964	chrome.exe
4912	bamb.exe
4912	bamb.exe
4912	bamb.exe
4912	bamb.exe
2028	svchost.exe
2028	svchost.exe
2028	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iepv.exe

pid process

4708 iepv.exe

pid	process
4708	iepv.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

chrome.exe

pid	process
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

software_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exe7zG.exeaq.exesvchost.exeexplorer.exebamb.exesvchost.exeexplorer.exebb.exesvchost.exeexplorer.exebit.exeiepv.exe

description	pid	process
Token: 33	1984	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	1984	software_reporter_tool.exe
Token: 33	5108	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	5108	software_reporter_tool.exe
Token: 33	4896	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	4896	software_reporter_tool.exe
Token: 33	3732	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	3732	software_reporter_tool.exe
Token: SeRestorePrivilege	5096	7zG.exe
Token: 35	5096	7zG.exe
Token: SeSecurityPrivilege	5096	7zG.exe
Token: SeSecurityPrivilege	5096	7zG.exe
Token: SeDebugPrivilege	1564	aq.exe
Token: SeDebugPrivilege	364	svchost.exe
Token: SeDebugPrivilege	1912	explorer.exe
Token: SeDebugPrivilege	4912	bamb.exe
Token: SeDebugPrivilege	2028	svchost.exe
Token: SeDebugPrivilege	3848	explorer.exe
Token: SeDebugPrivilege	1836	bb.exe
Token: SeDebugPrivilege	1176	svchost.exe
Token: SeDebugPrivilege	4720	explorer.exe
Token: SeShutdownPrivilege	4156	bit.exe
Token: SeDebugPrivilege	4708	iepv.exe
Token: SeRestorePrivilege	4708	iepv.exe
Token: SeBackupPrivilege	4708	iepv.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

bit.exe

pid process

4156 bit.exe
4156 bit.exe

pid	process
4156	bit.exe
4156	bit.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1800 wrote to memory of 3844	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 3844	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 2544	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 344	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 344	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 4020	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 4020	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 4020	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 4020	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 4020	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 4020	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 4020	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 4020	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 4020	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 4020	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 4020	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 4020	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 4020	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 4020	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 4020	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 4020	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 4020	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 4020	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 4020	1800	chrome.exe	chrome.exe
PID 1800 wrote to memory of 4020	1800	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" http://45.95.169.45:23205/
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99fae4f50,0x7ff99fae4f60,0x7ff99fae4f70
2⤵
PID:3844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1700 /prefetch:2
2⤵
PID:2544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2016 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2288 /prefetch:8
2⤵
PID:4020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3032 /prefetch:1
2⤵
PID:1936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3012 /prefetch:1
2⤵
PID:1708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4372 /prefetch:8
2⤵
PID:2588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
2⤵
PID:3236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
2⤵
PID:3400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
2⤵
PID:5072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2140 /prefetch:8
2⤵
PID:944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3632 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4884 /prefetch:8
2⤵
PID:3276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
2⤵
PID:2296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
2⤵
PID:3192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5352 /prefetch:8
2⤵
PID:5056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3604 /prefetch:8
2⤵
PID:3584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4808 /prefetch:8
2⤵
PID:2208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4776 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
2⤵
PID:2204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1200 /prefetch:8
2⤵
PID:4244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4980 /prefetch:8
2⤵
PID:488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3124 /prefetch:8
2⤵
PID:3548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1436 /prefetch:8
2⤵
PID:2208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3632 /prefetch:8
2⤵
PID:4796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=380 /prefetch:8
2⤵
PID:2980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4688 /prefetch:8
2⤵
PID:1040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4640 /prefetch:8
2⤵
PID:1180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=896 /prefetch:8
2⤵
PID:4636

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\107.294.200\software_reporter_tool.exe
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\107.294.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=iEBGC/rEgEGzvnZ+FR00eVBIg2mF90H6JuGrQs9Y --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=Off
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5108

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=107.294.200 --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x7ff623745960,0x7ff623745970,0x7ff623745980
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1984

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_5108_LFMZDVJFHPNVKVES" --sandboxed-process-id=2 --init-done-notifier=740 --sandbox-mojo-pipe-token=13073148018313519457 --mojo-platform-channel-handle=716 --engine=2
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4896

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_5108_LFMZDVJFHPNVKVES" --sandboxed-process-id=3 --init-done-notifier=984 --sandbox-mojo-pipe-token=17283013136287516659 --mojo-platform-channel-handle=980
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=916 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2784 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5488 /prefetch:8
2⤵
PID:2412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5380 /prefetch:8
2⤵
PID:4056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
2⤵
PID:2060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:1
2⤵
PID:1936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4520 /prefetch:1
2⤵
PID:5012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:1
2⤵
PID:1824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
2⤵
PID:3948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6024 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6012 /prefetch:8
2⤵
PID:2232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3452 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4532 /prefetch:8
2⤵
PID:2980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6196 /prefetch:8
2⤵
PID:3980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5520 /prefetch:8
2⤵
PID:2320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3300 /prefetch:8
2⤵
PID:4928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1600 /prefetch:8
2⤵
PID:2184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4568 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4912 /prefetch:8
2⤵
PID:2692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5528 /prefetch:8
2⤵
PID:3360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5468 /prefetch:8
2⤵
PID:4252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6048 /prefetch:8
2⤵
PID:4236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2796 /prefetch:8
2⤵
PID:5032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3076 /prefetch:8
2⤵
PID:1356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4504 /prefetch:8
2⤵
PID:4636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4568 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=916 /prefetch:8
2⤵
PID:2236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4676 /prefetch:8
2⤵
PID:3660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3096 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2840 /prefetch:8
2⤵
PID:2588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4572 /prefetch:8
2⤵
PID:3668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4888 /prefetch:8
2⤵
PID:3980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3452 /prefetch:8
2⤵
PID:3028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5692 /prefetch:8
2⤵
PID:536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5624 /prefetch:8
2⤵
PID:4928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4664 /prefetch:8
2⤵
PID:2064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4788 /prefetch:8
2⤵
PID:2856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2780 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6248 /prefetch:8
2⤵
PID:2664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4540 /prefetch:8
2⤵
PID:4808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4572 /prefetch:8
2⤵
PID:3116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4936 /prefetch:8
2⤵
PID:1400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4668 /prefetch:8
2⤵
PID:2556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4504 /prefetch:8
2⤵
PID:3636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4532 /prefetch:8
2⤵
PID:1276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6260 /prefetch:8
2⤵
PID:4064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3416 /prefetch:8
2⤵
PID:1120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6036 /prefetch:8
2⤵
PID:4564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4608 /prefetch:8
2⤵
PID:4780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5516 /prefetch:8
2⤵
PID:2376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4516 /prefetch:8
2⤵
PID:4040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6260 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4612 /prefetch:8
2⤵
PID:3280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4676 /prefetch:8
2⤵
PID:1768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4720 /prefetch:8
2⤵
PID:1248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4492 /prefetch:8
2⤵
PID:5056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2276 /prefetch:8
2⤵
PID:2648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 /prefetch:8
2⤵
PID:2652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4956 /prefetch:8
2⤵
PID:3324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6204 /prefetch:8
2⤵
PID:2356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3136 /prefetch:8
2⤵
PID:4232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3616 /prefetch:8
2⤵
PID:1556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4624 /prefetch:8
2⤵
PID:1532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6268 /prefetch:8
2⤵
PID:5088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:8
2⤵
PID:4780

C:\Users\Admin\Downloads\daco.exe
"C:\Users\Admin\Downloads\daco.exe"
2⤵
- Executes dropped EXE
PID:2044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5636 /prefetch:8
2⤵
PID:4236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5276 /prefetch:8
2⤵
PID:4028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4604 /prefetch:8
2⤵
PID:4124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6036 /prefetch:8
2⤵
PID:1988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,8421750963562587732,13629619512243820468,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5468 /prefetch:8
2⤵
PID:5020

C:\Users\Admin\Downloads\iepv.exe
"C:\Users\Admin\Downloads\iepv.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4340

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:3984

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3984_1129635469\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3984_1129635469\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={33472cbe-a712-4d40-a467-4f77fe866a6e} --system
2⤵
- Executes dropped EXE
PID:1176

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:392

C:\Users\Admin\Downloads\2.exe
"C:\Users\Admin\Downloads\2.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:1784

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.vbs"
2⤵
- Checks computer location settings
PID:4592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat" "
3⤵
PID:3068

C:\Users\Admin\AppData\Local\Temp\RarSFX0\GoogleUpdate.exe
googleupdate
4⤵
- Executes dropped EXE
PID:5036

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\2\" -spe -an -ai#7zMap17310:64:7zEvent3976
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\2\start.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:3632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\2\start.bat" "
1⤵
PID:3624

C:\Users\Admin\Downloads\2\GoogleUpdate.exe
googleupdate
2⤵
- Executes dropped EXE
PID:4484

C:\Users\Admin\Downloads\2\GoogleUpdate.exe
"C:\Users\Admin\Downloads\2\GoogleUpdate.exe"
1⤵
- Executes dropped EXE
PID:4868

C:\Users\Admin\Downloads\ao.exe
"C:\Users\Admin\Downloads\ao.exe"
1⤵
- Executes dropped EXE
PID:2984

C:\Users\Admin\Downloads\aq.exe
"C:\Users\Admin\Downloads\aq.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:364

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Users\Admin\Downloads\bamb.exe
"C:\Users\Admin\Downloads\bamb.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4912

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
2⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3848

C:\Users\Admin\Downloads\bb.exe
"C:\Users\Admin\Downloads\bb.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
2⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
2⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4720

C:\Users\Admin\Downloads\beacon.exe
"C:\Users\Admin\Downloads\beacon.exe"
1⤵
- Executes dropped EXE
PID:2216

C:\Users\Admin\Downloads\bit.exe
"C:\Users\Admin\Downloads\bit.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4156

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Network Service Scanning

T1046

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3984_1129635469\ChromeRecovery.exe
Filesize
253KB

MD5
49ac3c96d270702a27b4895e4ce1f42a

SHA1
55b90405f1e1b72143c64113e8bc65608dd3fd76

SHA256
82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f

SHA512
b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3
Filesize
141KB

MD5
ea1c1ffd3ea54d1fb117bfdbb3569c60

SHA1
10958b0f690ae8f5240e1528b1ccffff28a33272

SHA256
7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d

SHA512
6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\107.294.200\edls_64.dll
Filesize
449KB

MD5
79d7f318441c21d17739e43990697d1d

SHA1
9683265bf401d11313b768dfc4b3aeb10015d18c

SHA256
0ce49dc9f71360bf9dd21b8e3af4641834f85eed7d80a7de0940508437e68970

SHA512
67c7a7d3bbadeff21951809d2f843311328771ed46bc1ca14edba486263f56f86922668dd89d11b05a16130380b7543f7c9556d79503c505807407763e9d3595

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\107.294.200\em000_64.dll
Filesize
37KB

MD5
f8b7cac6e9587baabf4045c34890c7ce

SHA1
61814262c6ee5ceaab2c0263c913cae52e203af7

SHA256
8b0613b91229c98dfa5398568a4fa40dde2a2d40028654f74923bc929d6b5b30

SHA512
4f80021fa2a6e6bd3cdd8248d6139d105dca984a914184d5b1e251e97daa77e36c4e059ed3a617ad12dd998eb603accd34ef3951261ad997a081d8ac934b6211

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\107.294.200\em001_64.dll
Filesize
378KB

MD5
7adcb76ec34d774d1435b477e8625c47

SHA1
ec4ba0ad028c45489608c6822f3cabb683a07064

SHA256
a55be2be943078157b7d1cfb52febd4a95e4c7a37995bb75b19b079cc1ee5b9d

SHA512
c1af669ee971b4f4a3bb057fe423a63376cfc19026650036b29d77fed73458d235889a662ac5e12c871c3e77f6fbdb1fa29c0dfa488a4a40fa045d79eb61e7c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\107.294.200\em002_64.dll
Filesize
2.3MB

MD5
b03b34bf2cd409714e8bb7e670b3315c

SHA1
ca59a059824a53fca8966c6ae00d4fd3b94265e2

SHA256
bb1733b7cb012f8b7d6cd0347283a549ffeab7beb4b3d0168e0d8c9cecdef8eb

SHA512
fb4218f55bfff09ae13392d0cce3518eaff1da9b9d42d59a21ee1bb9ba42b574923858a7c23ae4bfac61bd5f977ea3e520ad5f7a69454eb59bc34bcaa13cd737

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\107.294.200\em003_64.dll
Filesize
1.3MB

MD5
7f3e3ab3e7f714da01ec0f495982e8d4

SHA1
a6cdec146f2eb192460d3d3061baf4a7ead6ee22

SHA256
ebfeeac7733a77a1e32995d638d67d2e05eefdbb62782053d8354959e046d0fa

SHA512
493b6db2193cd91e95f0963b9ad898a2040c2abcf1b4a509e5a4d53980c95ec030b412e180c26a1bd504e4c839ef5b7e3b6f08878ec11cefa531157ef0f6368b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\107.294.200\em004_64.dll
Filesize
6.1MB

MD5
ee46beaa6c9244880e8a510d080b4416

SHA1
a83c3946a2f53f064e91d8b60d5f6c697a560062

SHA256
d4f17bd032ead2a73340e6c14e24a3fa901d0fbae78f49fe4d368a01b788b49c

SHA512
4e69dddd1215b1675bac788996019ef3cb22418fbba75c0c7935dafb2b1742bad79cc9ea6814b5f8d1663657a7987499a155cdf57733d1afae42b0e25d475c25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\107.294.200\em005_64.dll
Filesize
576KB

MD5
169a2ef320119891cf3189aa3fd23b0e

SHA1
de51c936101ef79bbc0f1d3c800cf832d221eef8

SHA256
1072d49da0a70640fb9716cb894f4834ff621ca96d4aea1f478754edf4d0f780

SHA512
7fe27d360bbf6d410ea9d33d6003ab455cd8b9e5521c00db9bb6c44a7472ccf2083d51034bab5ffc5aef85db36fc758c76b02fa31f0d0024c9d532548a2bf9ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\107.294.200\software_reporter_tool.exe
Filesize
14.4MB

MD5
2a91302bfe645cc3b7ed302fbb9c6940

SHA1
89234bccd1c8a511d59c60458754bc9488067039

SHA256
664f9ea097d1992b28aff370ab00e19f049d1e62cc2776e61b07bbe0c4364935

SHA512
0610a19401bf0b97a1b24c107b326d93a8e8e10072f3c42d203932dd6a5ead1d03b001a67d757e786e24016fca805fc2c8bf9ae3745b9f6f541b29cebd0db0d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\107.294.200\software_reporter_tool.exe
Filesize
14.4MB

MD5
2a91302bfe645cc3b7ed302fbb9c6940

SHA1
89234bccd1c8a511d59c60458754bc9488067039

SHA256
664f9ea097d1992b28aff370ab00e19f049d1e62cc2776e61b07bbe0c4364935

SHA512
0610a19401bf0b97a1b24c107b326d93a8e8e10072f3c42d203932dd6a5ead1d03b001a67d757e786e24016fca805fc2c8bf9ae3745b9f6f541b29cebd0db0d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\107.294.200\software_reporter_tool.exe
Filesize
14.4MB

MD5
2a91302bfe645cc3b7ed302fbb9c6940

SHA1
89234bccd1c8a511d59c60458754bc9488067039

SHA256
664f9ea097d1992b28aff370ab00e19f049d1e62cc2776e61b07bbe0c4364935

SHA512
0610a19401bf0b97a1b24c107b326d93a8e8e10072f3c42d203932dd6a5ead1d03b001a67d757e786e24016fca805fc2c8bf9ae3745b9f6f541b29cebd0db0d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\107.294.200\software_reporter_tool.exe
Filesize
14.4MB

MD5
2a91302bfe645cc3b7ed302fbb9c6940

SHA1
89234bccd1c8a511d59c60458754bc9488067039

SHA256
664f9ea097d1992b28aff370ab00e19f049d1e62cc2776e61b07bbe0c4364935

SHA512
0610a19401bf0b97a1b24c107b326d93a8e8e10072f3c42d203932dd6a5ead1d03b001a67d757e786e24016fca805fc2c8bf9ae3745b9f6f541b29cebd0db0d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Software Reporter Tool\software_reporter_tool-sandbox.log
Filesize
3KB

MD5
eea72ba96b86bb81a4aa190bf2d92c8e

SHA1
106799f6a9a073a38cb246a4ddff0494431c5cdd

SHA256
0f7c2a5ff5aaa5570d189748406e8a111924230ef43d804c0171ddc60e02be6e

SHA512
463307476cb81ba13ceeaa4880eaccd119eddeb9b695929869228a09d9f860b930f38c35e98eff1dd4f73fa07a255126268bd48f372280baa73c8db4d778007a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\users\admin\appdata\local\Google\Software Reporter Tool\settings.dat
Filesize
40B

MD5
fccfa9e70af3e9a9253deae1410ccf26

SHA1
3b9d40bcd110ce70ffeb54c4b53ea2d69fe677cd

SHA256
c6fc8c10655571335e01fea6fc5ec51782eff48c75935c34ceb3d89a0eee6bc2

SHA512
05a099f7cce1194b5bf563ef409df9fa36f25d38d63b3a48472656a5eb38ea67db116b76d9b0ca8a9925cb79f11af9418fd1a3f2c98401fe633e1cdad5207190

Download Submit
\??\c:\users\admin\appdata\local\Google\Software Reporter Tool\settings.dat
Filesize
40B

MD5
fccfa9e70af3e9a9253deae1410ccf26

SHA1
3b9d40bcd110ce70ffeb54c4b53ea2d69fe677cd

SHA256
c6fc8c10655571335e01fea6fc5ec51782eff48c75935c34ceb3d89a0eee6bc2

SHA512
05a099f7cce1194b5bf563ef409df9fa36f25d38d63b3a48472656a5eb38ea67db116b76d9b0ca8a9925cb79f11af9418fd1a3f2c98401fe633e1cdad5207190

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\em000_64.dll
Filesize
37KB

MD5
f8b7cac6e9587baabf4045c34890c7ce

SHA1
61814262c6ee5ceaab2c0263c913cae52e203af7

SHA256
8b0613b91229c98dfa5398568a4fa40dde2a2d40028654f74923bc929d6b5b30

SHA512
4f80021fa2a6e6bd3cdd8248d6139d105dca984a914184d5b1e251e97daa77e36c4e059ed3a617ad12dd998eb603accd34ef3951261ad997a081d8ac934b6211

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\em001_64.dll
Filesize
378KB

MD5
7adcb76ec34d774d1435b477e8625c47

SHA1
ec4ba0ad028c45489608c6822f3cabb683a07064

SHA256
a55be2be943078157b7d1cfb52febd4a95e4c7a37995bb75b19b079cc1ee5b9d

SHA512
c1af669ee971b4f4a3bb057fe423a63376cfc19026650036b29d77fed73458d235889a662ac5e12c871c3e77f6fbdb1fa29c0dfa488a4a40fa045d79eb61e7c4

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\em002_64.dll
Filesize
2.3MB

MD5
b03b34bf2cd409714e8bb7e670b3315c

SHA1
ca59a059824a53fca8966c6ae00d4fd3b94265e2

SHA256
bb1733b7cb012f8b7d6cd0347283a549ffeab7beb4b3d0168e0d8c9cecdef8eb

SHA512
fb4218f55bfff09ae13392d0cce3518eaff1da9b9d42d59a21ee1bb9ba42b574923858a7c23ae4bfac61bd5f977ea3e520ad5f7a69454eb59bc34bcaa13cd737

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\em003_64.dll
Filesize
1.3MB

MD5
7f3e3ab3e7f714da01ec0f495982e8d4

SHA1
a6cdec146f2eb192460d3d3061baf4a7ead6ee22

SHA256
ebfeeac7733a77a1e32995d638d67d2e05eefdbb62782053d8354959e046d0fa

SHA512
493b6db2193cd91e95f0963b9ad898a2040c2abcf1b4a509e5a4d53980c95ec030b412e180c26a1bd504e4c839ef5b7e3b6f08878ec11cefa531157ef0f6368b

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\em004_64.dll
Filesize
6.1MB

MD5
ee46beaa6c9244880e8a510d080b4416

SHA1
a83c3946a2f53f064e91d8b60d5f6c697a560062

SHA256
d4f17bd032ead2a73340e6c14e24a3fa901d0fbae78f49fe4d368a01b788b49c

SHA512
4e69dddd1215b1675bac788996019ef3cb22418fbba75c0c7935dafb2b1742bad79cc9ea6814b5f8d1663657a7987499a155cdf57733d1afae42b0e25d475c25

Download Submit
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\em005_64.dll
Filesize
576KB

MD5
169a2ef320119891cf3189aa3fd23b0e

SHA1
de51c936101ef79bbc0f1d3c800cf832d221eef8

SHA256
1072d49da0a70640fb9716cb894f4834ff621ca96d4aea1f478754edf4d0f780

SHA512
7fe27d360bbf6d410ea9d33d6003ab455cd8b9e5521c00db9bb6c44a7472ccf2083d51034bab5ffc5aef85db36fc758c76b02fa31f0d0024c9d532548a2bf9ca

Download Submit
\??\pipe\crashpad_1800_YOIKJPQCKBVTDNVR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_5108_LFMZDVJFHPNVKVES
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/364-190-0x0000014C43670000-0x0000014C436B1000-memory.dmp

Filesize
260KB

Download
memory/364-194-0x0000014C451A0000-0x0000014C45240000-memory.dmp

Filesize
640KB

Download
memory/364-193-0x0000014C43670000-mapping.dmp

Download
memory/364-191-0x0000014C436C0000-0x0000014C436C2000-memory.dmp

Filesize
8KB

Download
memory/1176-238-0x0000023595F10000-mapping.dmp

Download
memory/1176-239-0x0000023597A70000-0x0000023597AC0000-memory.dmp

Filesize
320KB

Download
memory/1176-135-0x0000000000000000-mapping.dmp

Download
memory/1176-235-0x0000023595F10000-0x0000023595F51000-memory.dmp

Filesize
260KB

Download
memory/1912-205-0x0000000000C00000-mapping.dmp

Download
memory/1912-206-0x00000000027C0000-0x0000000002860000-memory.dmp

Filesize
640KB

Download
memory/1984-139-0x0000000000000000-mapping.dmp

Download
memory/2028-218-0x00000262359A0000-0x00000262359F0000-memory.dmp

Filesize
320KB

Download
memory/2028-214-0x0000026233E40000-0x0000026233E81000-memory.dmp

Filesize
260KB

Download
memory/2028-217-0x0000026233E40000-mapping.dmp

Download
memory/2044-336-0x0000000000000000-mapping.dmp

Download
memory/2216-259-0x0000000000150000-0x0000000000191000-memory.dmp

Filesize
260KB

Download
memory/2216-260-0x00000000001A0000-0x00000000001EE000-memory.dmp

Filesize
312KB

Download
memory/2984-189-0x0000000140000000-0x0000000140004388-memory.dmp

Filesize
16KB

Download
memory/3068-180-0x0000000000000000-mapping.dmp

Download
memory/3732-159-0x0000000000000000-mapping.dmp

Download
memory/3848-229-0x0000000000CC0000-mapping.dmp

Download
memory/3848-230-0x0000000001060000-0x00000000010B0000-memory.dmp

Filesize
320KB

Download
memory/4156-286-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4156-288-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4156-304-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4156-303-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4156-302-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4156-301-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4156-300-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4156-299-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4156-298-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4156-297-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4156-296-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4156-295-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4156-294-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4156-293-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4156-292-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4156-291-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4156-290-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4156-289-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4156-287-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4156-285-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4156-284-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4156-283-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4156-282-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4156-281-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4156-280-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4156-261-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4156-262-0x0000000074340000-0x0000000074379000-memory.dmp

Filesize
228KB

Download
memory/4156-263-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4156-264-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4156-265-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4156-266-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4156-267-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4156-268-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4156-269-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4156-270-0x0000000074340000-0x0000000074379000-memory.dmp

Filesize
228KB

Download
memory/4156-271-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4156-272-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4156-273-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4156-274-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4156-275-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4156-276-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4156-277-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4156-278-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4156-279-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/4484-184-0x0000000000000000-mapping.dmp

Download
memory/4484-186-0x00007FF71B020000-0x00007FF71B72A000-memory.dmp

Filesize
7.0MB

Download
memory/4592-179-0x0000000000000000-mapping.dmp

Download
memory/4708-339-0x0000000000000000-mapping.dmp

Download
memory/4720-251-0x0000000001180000-0x00000000011D0000-memory.dmp

Filesize
320KB

Download
memory/4720-250-0x0000000000E00000-mapping.dmp

Download
memory/4868-188-0x00007FF71B020000-0x00007FF71B72A000-memory.dmp

Filesize
7.0MB

Download
memory/4896-176-0x0000020CA4570000-0x0000020CA45B0000-memory.dmp

Filesize
256KB

Download
memory/4896-164-0x0000020CA4570000-0x0000020CA45B0000-memory.dmp

Filesize
256KB

Download
memory/4896-173-0x0000020CA4570000-0x0000020CA45B0000-memory.dmp

Filesize
256KB

Download
memory/4896-174-0x0000020CA45B0000-0x0000020CA45F0000-memory.dmp

Filesize
256KB

Download
memory/4896-175-0x0000020CA4420000-0x0000020CA4460000-memory.dmp

Filesize
256KB

Download
memory/4896-170-0x0000020CA4570000-0x0000020CA45B0000-memory.dmp

Filesize
256KB

Download
memory/4896-177-0x0000020CA50A0000-0x0000020CA50E0000-memory.dmp

Filesize
256KB

Download
memory/4896-178-0x0000020CA4570000-0x0000020CA45B0000-memory.dmp

Filesize
256KB

Download
memory/4896-142-0x0000000000000000-mapping.dmp

Download
memory/4896-171-0x0000020CA4420000-0x0000020CA4460000-memory.dmp

Filesize
256KB

Download
memory/4896-165-0x0000020CA4570000-0x0000020CA45B0000-memory.dmp

Filesize
256KB

Download
memory/4896-166-0x0000020CA4570000-0x0000020CA45B0000-memory.dmp

Filesize
256KB

Download
memory/4896-167-0x0000020CA4570000-0x0000020CA45B0000-memory.dmp

Filesize
256KB

Download
memory/4896-169-0x0000020CA45B0000-0x0000020CA45F0000-memory.dmp

Filesize
256KB

Download
memory/4896-168-0x0000020CA4570000-0x0000020CA45B0000-memory.dmp

Filesize
256KB

Download
memory/4896-172-0x0000020CA50B0000-0x0000020CA50F0000-memory.dmp

Filesize
256KB

Download
memory/5036-183-0x00007FF68FDF0000-0x00007FF6904FA000-memory.dmp

Filesize
7.0MB

Download
memory/5036-181-0x0000000000000000-mapping.dmp

Download
memory/5036-182-0x0000025763B00000-0x0000025763B20000-memory.dmp

Filesize
128KB

Download
memory/5108-137-0x0000000000000000-mapping.dmp

Download