hxxp://x1[.]c[.]lencr[.]org/

General

Target

http://x1.c.lencr.org/
Sample

210722-pv7hvt1zla

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 6ead5207ab2cd701	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008631adb10c0d2c41a8a1b842f6bc6b8b000000000200000000001066000000010000200000003ee099957174481fae4cccf956dd4069c581f376878a46982f4c3421b20b80e6000000000e800000000200002000000040684abd5f64d6526c26b04082b0de835e54fab3fa2b545ceb973ed0301b079c2000000001c2c4f843d04b3026ddf5bfd0dc723d19821305f11ef21f11dcb28de50f152840000000556b7e852e73858d49cacfca3fc1a674675624d8bc73b8e2052d7899ae28139cec5cf2220a01e78a15eea6983c523644969077425171a6d23b9698013eeb4d26	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008631adb10c0d2c41a8a1b842f6bc6b8b0000000002000000000010660000000100002000000015a094a35addfb1cdd4a0dfaa82517e47788639c936c5dde838df878c5c180bb000000000e8000000002000020000000b2f3d668940ddf04015e9a357fa2c84ac9373af7a5957ed4883b7adf8fc9d81420000000648b266f697c8a7a49e3ba2d8ed8d896fe28808f261e2384ce24acd381a7fc174000000053ecb3212b011a31447f021a97faae0143f50ac5f25e586b7498ef34f45822f6aa5e936d639f8920c7a30684eb6e626831166886f987d7d65101d52b032fddde	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30899955"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30899955"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2300761686"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30899955"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B42D1955-EAE6-11EB-B2DB-EE0798CE3A7D} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10cffc8cf37ed701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60d5dd8cf37ed701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2300761686"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\RepId\PublicId = "{FD997987-0EC7-461D-AFD4-2611F92D4417}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2337573929"	IEXPLORE.EXE

Modifies registry class 1 IoCs

Processes:

iexplore.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings iexplore.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

1824 chrome.exe
1824 chrome.exe
2344 chrome.exe
2344 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

rundll32.exe

pid process

1548 rundll32.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iexplore.exechrome.exe

pid process

740 iexplore.exe
740 iexplore.exe
2344 chrome.exe
2344 chrome.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

740 iexplore.exe
740 iexplore.exe
4068 IEXPLORE.EXE
4068 IEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	iexplore.exe

pid	process
1824	chrome.exe
1824	chrome.exe
2344	chrome.exe
2344	chrome.exe

pid	process
1548	rundll32.exe

pid	process
740	iexplore.exe
740	iexplore.exe
2344	chrome.exe
2344	chrome.exe

pid	process
740	iexplore.exe
740	iexplore.exe
4068	IEXPLORE.EXE
4068	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exefirefox.exefirefox.exechrome.exe

description	pid	process	target process
PID 740 wrote to memory of 4068	740	iexplore.exe	IEXPLORE.EXE
PID 740 wrote to memory of 4068	740	iexplore.exe	IEXPLORE.EXE
PID 740 wrote to memory of 4068	740	iexplore.exe	IEXPLORE.EXE
PID 740 wrote to memory of 1548	740	iexplore.exe	rundll32.exe
PID 740 wrote to memory of 1548	740	iexplore.exe	rundll32.exe
PID 3876 wrote to memory of 2420	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 2420	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 2420	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 2420	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 2420	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 2420	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 2420	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 2420	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 2420	3876	firefox.exe	firefox.exe
PID 2948 wrote to memory of 2252	2948	firefox.exe	firefox.exe
PID 2948 wrote to memory of 2252	2948	firefox.exe	firefox.exe
PID 2948 wrote to memory of 2252	2948	firefox.exe	firefox.exe
PID 2948 wrote to memory of 2252	2948	firefox.exe	firefox.exe
PID 2948 wrote to memory of 2252	2948	firefox.exe	firefox.exe
PID 2948 wrote to memory of 2252	2948	firefox.exe	firefox.exe
PID 2948 wrote to memory of 2252	2948	firefox.exe	firefox.exe
PID 2948 wrote to memory of 2252	2948	firefox.exe	firefox.exe
PID 2948 wrote to memory of 2252	2948	firefox.exe	firefox.exe
PID 2344 wrote to memory of 3300	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 3300	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 2244	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 2244	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 2244	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 2244	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 2244	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 2244	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 2244	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 2244	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 2244	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 2244	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 2244	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 2244	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 2244	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 2244	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 2244	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 2244	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 2244	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 2244	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 2244	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 2244	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 2244	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 2244	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 2244	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 2244	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 2244	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 2244	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 2244	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 2244	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 2244	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 2244	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 2244	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 2244	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 2244	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 2244	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 2244	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 2244	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 2244	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 2244	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 2244	2344	chrome.exe	chrome.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://x1.c.lencr.org/
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:740

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:740 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4068

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtOpenCRL C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NPXJ0CH4\S79S7GUK.crl
2⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1548

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3876

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
PID:2420

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.0.290074126\2029594931" -parentBuildID 20200403170909 -prefsHandle 1468 -prefMapHandle 1488 -prefsLen 1 -prefMapSize 219680 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 1596 gpu
3⤵
PID:4280

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2948

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
PID:2252

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2252.0.1915584625\781570470" -parentBuildID 20200403170909 -prefsHandle 1400 -prefMapHandle 1360 -prefsLen 1 -prefMapSize 214080 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2252 "\\.\pipe\gecko-crash-server-pipe.2252" 1496 gpu
3⤵
PID:4492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc8,0xcc,0xd0,0xa4,0xd4,0x7ff9cb3c4f50,0x7ff9cb3c4f60,0x7ff9cb3c4f70
2⤵
PID:3300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1612,8038919257591657951,862485010956046540,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1624 /prefetch:2
2⤵
PID:2244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1612,8038919257591657951,862485010956046540,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1672 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1612,8038919257591657951,862485010956046540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2252 /prefetch:8
2⤵
PID:1840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,8038919257591657951,862485010956046540,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2500 /prefetch:1
2⤵
PID:2508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,8038919257591657951,862485010956046540,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2508 /prefetch:1
2⤵
PID:492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,8038919257591657951,862485010956046540,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
2⤵
PID:2976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,8038919257591657951,862485010956046540,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
2⤵
PID:3932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,8038919257591657951,862485010956046540,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
2⤵
PID:1184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,8038919257591657951,862485010956046540,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
2⤵
PID:4124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,8038919257591657951,862485010956046540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5408 /prefetch:8
2⤵
PID:4684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,8038919257591657951,862485010956046540,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 /prefetch:8
2⤵
PID:4780

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings
2⤵
PID:5116

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x240,0x244,0x248,0x21c,0x24c,0x7ff6a3f9a890,0x7ff6a3f9a8a0,0x7ff6a3f9a8b0
3⤵
PID:3540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,8038919257591657951,862485010956046540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2128 /prefetch:8
2⤵
PID:4592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,8038919257591657951,862485010956046540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4444 /prefetch:8
2⤵
PID:4772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,8038919257591657951,862485010956046540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4456 /prefetch:8
2⤵
PID:4788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,8038919257591657951,862485010956046540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5676 /prefetch:8
2⤵
PID:4304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,8038919257591657951,862485010956046540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1048 /prefetch:8
2⤵
PID:4184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,8038919257591657951,862485010956046540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5584 /prefetch:8
2⤵
PID:4928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,8038919257591657951,862485010956046540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5752 /prefetch:8
2⤵
PID:4976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,8038919257591657951,862485010956046540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5092 /prefetch:8
2⤵
PID:1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,8038919257591657951,862485010956046540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5700 /prefetch:8
2⤵
PID:4408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,8038919257591657951,862485010956046540,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
2⤵
PID:5068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,8038919257591657951,862485010956046540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3880 /prefetch:8
2⤵
PID:5056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,8038919257591657951,862485010956046540,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 /prefetch:8
2⤵
PID:5100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,8038919257591657951,862485010956046540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6160 /prefetch:8
2⤵
PID:4172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,8038919257591657951,862485010956046540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5492 /prefetch:8
2⤵
PID:2924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,8038919257591657951,862485010956046540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5172 /prefetch:8
2⤵
PID:4720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,8038919257591657951,862485010956046540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5836 /prefetch:8
2⤵
PID:4540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,8038919257591657951,862485010956046540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5692 /prefetch:8
2⤵
PID:4744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,8038919257591657951,862485010956046540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5588 /prefetch:8
2⤵
PID:4168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,8038919257591657951,862485010956046540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6248 /prefetch:8
2⤵
PID:4392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,8038919257591657951,862485010956046540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3928 /prefetch:8
2⤵
PID:5012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,8038919257591657951,862485010956046540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3768 /prefetch:8
2⤵
PID:4268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,8038919257591657951,862485010956046540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4728 /prefetch:8
2⤵
PID:4356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,8038919257591657951,862485010956046540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3808 /prefetch:8
2⤵
PID:4024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,8038919257591657951,862485010956046540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4628 /prefetch:8
2⤵
PID:808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,8038919257591657951,862485010956046540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5684 /prefetch:8
2⤵
PID:4364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,8038919257591657951,862485010956046540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5740 /prefetch:8
2⤵
PID:4124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,8038919257591657951,862485010956046540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6296 /prefetch:8
2⤵
PID:2948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,8038919257591657951,862485010956046540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6332 /prefetch:8
2⤵
PID:4328

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
4b8ffe79016c051a1fa57e4ab8ee0e0b

SHA1
a06394b4c74aad7d296327a942729db01486ea26

SHA256
75e171759473658cd648f09d099b249f99a7cb139732201576b07c4554a9c4b9

SHA512
6a057cc6cc12715d6324e0cb8c22c3d1ff5a8bd20c5ecd10e64ae155a5a5936a972374fa8005d9cf195fdd44deeb24e54f27d3eba78aa0f3a82e03e272e39091

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
65914ec0c55a0364e5fb75816f3cc487

SHA1
dca7b4660aaf5aa363d4e956d312792639dd04d9

SHA256
ae1fb4d528ecba5ef3d7ade53435bac46da13f464dfdb5bbb2bd121b3c52afca

SHA512
1e2cfffaca3dd23600ffe70977e696c224ae5e679d82b81ebe321565163747dbd6c988d5cb274f5bfc1fdd80d292479889a767b0d815238f88e71697ccdaa5eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
MD5
15ffd6b625d93445595bb3e9c393fb02

SHA1
0c5cd5a939cf3de4d4b3244505513cd01becbd57

SHA256
adfa28ae15bc1c3f989005b6e2e23d411b7f83a23723dcfc872aa0557b707cf3

SHA512
852a344c461844f60936339e6c60c09b261caa8de4e678161a303831149afff6b41ca1930b897f79c8caabcca2e0dcd3b8dfb6dea018e98ad9fbf5988692615a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NPXJ0CH4\S79S7GUK.crl.vf6d30m.partial
MD5
0675c0d0da9a6eac284a10c2ddda636a

SHA1
6c7856ef6be6b6fce283423cf9d48e7d101d7fa7

SHA256
7852903b2b3bd59c816aa0a74272a4c51bae13f38bb72a67f3fd04b50d061b50

SHA512
09a3f652bd943a7cc3def436c9fe769bf5c30499b78d63598fc2fc23fa15932a08d545354129fc346133efbda456edfe8d4a10bab5a50abe7d132c2228815232

Download Submit
\??\pipe\crashpad_2344_GIUNGWJIZHNXZURT
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/492-241-0x0000000000000000-mapping.dmp

Download
memory/740-114-0x00007FF9CC990000-0x00007FF9CC9FB000-memory.dmp

Filesize
428KB

Download
memory/808-721-0x0000000000000000-mapping.dmp

Download
memory/1012-618-0x0000000000000000-mapping.dmp

Download
memory/1184-261-0x0000000000000000-mapping.dmp

Download
memory/1548-117-0x0000000000000000-mapping.dmp

Download
memory/1824-223-0x0000000000000000-mapping.dmp

Download
memory/1840-228-0x0000000000000000-mapping.dmp

Download
memory/2244-221-0x0000000000000000-mapping.dmp

Download
memory/2244-224-0x00007FF9D70D0000-0x00007FF9D70D1000-memory.dmp

Filesize
4KB

Download
memory/2252-198-0x0000000000000000-mapping.dmp

Download
memory/2420-120-0x0000000000000000-mapping.dmp

Download
memory/2508-233-0x0000000000000000-mapping.dmp

Download
memory/2924-656-0x0000000000000000-mapping.dmp

Download
memory/2976-250-0x0000000000000000-mapping.dmp

Download
memory/3300-212-0x0000000000000000-mapping.dmp

Download
memory/3540-542-0x0000000000000000-mapping.dmp

Download
memory/3932-255-0x0000000000000000-mapping.dmp

Download
memory/4024-715-0x0000000000000000-mapping.dmp

Download
memory/4068-115-0x0000000000000000-mapping.dmp

Download
memory/4124-268-0x0000000000000000-mapping.dmp

Download
memory/4124-734-0x0000000000000000-mapping.dmp

Download
memory/4168-684-0x0000000000000000-mapping.dmp

Download
memory/4172-649-0x0000000000000000-mapping.dmp

Download
memory/4184-603-0x0000000000000000-mapping.dmp

Download
memory/4268-703-0x0000000000000000-mapping.dmp

Download
memory/4280-620-0x0000000000000000-mapping.dmp

Download
memory/4304-595-0x0000000000000000-mapping.dmp

Download
memory/4356-708-0x0000000000000000-mapping.dmp

Download
memory/4364-727-0x0000000000000000-mapping.dmp

Download
memory/4392-692-0x0000000000000000-mapping.dmp

Download
memory/4408-624-0x0000000000000000-mapping.dmp

Download
memory/4492-425-0x0000000000000000-mapping.dmp

Download
memory/4540-661-0x0000000000000000-mapping.dmp

Download
memory/4592-577-0x0000000000000000-mapping.dmp

Download
memory/4684-323-0x0000000000000000-mapping.dmp

Download
memory/4720-670-0x0000000000000000-mapping.dmp

Download
memory/4744-677-0x0000000000000000-mapping.dmp

Download
memory/4772-581-0x0000000000000000-mapping.dmp

Download
memory/4780-333-0x0000000000000000-mapping.dmp

Download
memory/4788-590-0x0000000000000000-mapping.dmp

Download
memory/4928-609-0x0000000000000000-mapping.dmp

Download
memory/4976-613-0x0000000000000000-mapping.dmp

Download
memory/5012-698-0x0000000000000000-mapping.dmp

Download
memory/5056-637-0x0000000000000000-mapping.dmp

Download
memory/5068-627-0x0000000000000000-mapping.dmp

Download
memory/5100-641-0x0000000000000000-mapping.dmp

Download
memory/5116-533-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads