hxxps://firebasestorage[.]googleapis[.]com/v0/b/paymen22-8271b[.]appspot[.]com/o/secure-post[.]htm?alt=media&token=7fe3c374-e2fa-4098-ad4b-8cffa25ec467#gomez[.]nora@draexlmaier[.]de

General

Target

https://firebasestorage.googleapis.com/v0/b/paymen22-8271b.appspot.com/o/secure-post.htm?alt=media&token=7fe3c374-e2fa-4098-ad4b-8cffa25ec467#gomez.nora@draexlmaier.de
Sample

211025-rng1qahbcr

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 676 created 5016 676 WerFault.exe SystemSettings.exe

description	pid	process	target process
PID 676 created 5016	676	WerFault.exe	SystemSettings.exe

Drops file in Windows directory 5 IoCs

Processes:

SystemSettings.exeSystemSettings.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\2717123927\1713683155.pri	SystemSettings.exe
File created	C:\Windows\rescache\_merged\3060194815\335381474.pri	SystemSettings.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	SystemSettings.exe
File created	C:\Windows\rescache\_merged\2717123927\1713683155.pri	SystemSettings.exe
File created	C:\Windows\rescache\_merged\3060194815\335381474.pri	SystemSettings.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

676 5016 WerFault.exe SystemSettings.exe

pid	pid_target	process	target process
676	5016	WerFault.exe	SystemSettings.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SystemSettings.exeSystemSettings.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	SystemSettings.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 2 IoCs

Processes:

SystemSettings.exeSystemSettings.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings	SystemSettings.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings	SystemSettings.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

chrome.exechrome.exechrome.exeWerFault.exechrome.exechrome.exe

pid	process
3436	chrome.exe
3436	chrome.exe
4384	chrome.exe
4384	chrome.exe
1212	chrome.exe
1212	chrome.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
1384	chrome.exe
1384	chrome.exe
1708	chrome.exe
1708	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

chrome.exe

pid process

4384 chrome.exe
4384 chrome.exe
4384 chrome.exe
4384 chrome.exe
4384 chrome.exe
4384 chrome.exe
4384 chrome.exe
4384 chrome.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

SystemSettings.exeSystemSettings.exeWerFault.exe

description	pid	process
Token: SeShutdownPrivilege	2848	SystemSettings.exe
Token: SeCreatePagefilePrivilege	2848	SystemSettings.exe
Token: SeShutdownPrivilege	2848	SystemSettings.exe
Token: SeCreatePagefilePrivilege	2848	SystemSettings.exe
Token: SeShutdownPrivilege	5016	SystemSettings.exe
Token: SeCreatePagefilePrivilege	5016	SystemSettings.exe
Token: SeShutdownPrivilege	5016	SystemSettings.exe
Token: SeCreatePagefilePrivilege	5016	SystemSettings.exe
Token: SeDebugPrivilege	676	WerFault.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

chrome.exe

pid	process
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe

Suspicious use of SendNotifyMessage 34 IoCs

Processes:

chrome.exe

pid	process
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

chrome.exeSystemSettings.exeSystemSettings.exe

pid	process
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
2848	SystemSettings.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
5016	SystemSettings.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4384 wrote to memory of 4388	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 4388	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3468	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3436	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 3436	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 4460	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 4460	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 4460	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 4460	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 4460	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 4460	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 4460	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 4460	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 4460	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 4460	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 4460	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 4460	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 4460	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 4460	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 4460	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 4460	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 4460	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 4460	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 4460	4384	chrome.exe	chrome.exe
PID 4384 wrote to memory of 4460	4384	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://firebasestorage.googleapis.com/v0/b/paymen22-8271b.appspot.com/o/secure-post.htm?alt=media&token=7fe3c374-e2fa-4098-ad4b-8cffa25ec467#gomez.nora@draexlmaier.de
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffc1a284f50,0x7ffc1a284f60,0x7ffc1a284f70
2⤵
PID:4388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1528,10114021567679124835,16571578848021055652,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1544 /prefetch:2
2⤵
PID:3468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1528,10114021567679124835,16571578848021055652,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1748 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1528,10114021567679124835,16571578848021055652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2336 /prefetch:8
2⤵
PID:4460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,10114021567679124835,16571578848021055652,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2940 /prefetch:1
2⤵
PID:4520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,10114021567679124835,16571578848021055652,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2932 /prefetch:1
2⤵
PID:4532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,10114021567679124835,16571578848021055652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4348 /prefetch:8
2⤵
PID:1860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,10114021567679124835,16571578848021055652,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
2⤵
PID:5032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1528,10114021567679124835,16571578848021055652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,10114021567679124835,16571578848021055652,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
2⤵
PID:3232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,10114021567679124835,16571578848021055652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2968 /prefetch:8
2⤵
PID:800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,10114021567679124835,16571578848021055652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3008 /prefetch:8
2⤵
PID:2140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,10114021567679124835,16571578848021055652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5692 /prefetch:8
2⤵
PID:1476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1528,10114021567679124835,16571578848021055652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,10114021567679124835,16571578848021055652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3012 /prefetch:8
2⤵
PID:1768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,10114021567679124835,16571578848021055652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4916 /prefetch:8
2⤵
PID:2300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,10114021567679124835,16571578848021055652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4836 /prefetch:8
2⤵
PID:1908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,10114021567679124835,16571578848021055652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5808 /prefetch:8
2⤵
PID:1936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,10114021567679124835,16571578848021055652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2988 /prefetch:8
2⤵
PID:2344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,10114021567679124835,16571578848021055652,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
2⤵
PID:3156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,10114021567679124835,16571578848021055652,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3004 /prefetch:1
2⤵
PID:3372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,10114021567679124835,16571578848021055652,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
2⤵
PID:4196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,10114021567679124835,16571578848021055652,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
2⤵
PID:4080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1528,10114021567679124835,16571578848021055652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1708

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2848

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5016

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5016 -s 3056
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:676

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}
1⤵
PID:2220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\3060194815\335381474.pri
MD5
8c351c24a7c2efc552747667f284bfaf

SHA1
e652c65845f72bfa219c0637eb40514b5cc4d3fb

SHA256
6f0565f7e34f376ed12a61be071a04144263fc12c2aa04a398fa8e2ed1e7ecce

SHA512
e1f81c1051fa941321e6352950b7bdea2a6dba26ec06c9420ff6d1a4ff38778754eeebd024b8c770088735badb0ab13c522b9601129b03b2612fb5e2b2f35cbf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\f18460fded109990.customDestinations-ms
MD5
4fcb2a3ee025e4a10d21e1b154873fe2

SHA1
57658e2fa594b7d0b99d02e041d0f3418e58856b

SHA256
90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228

SHA512
4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

Download Submit
\??\pipe\crashpad_4384_RXOPEYVXMXRCQNAH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads