hxxp://www[.]8081603340[.]rosebayboats[.]com/negwtod/a2NoZXNudXRAZ2ZsZXNjaC5jb20=

Resubmissions

09-11-2021 15:40

211109-s4h4dsfec4 8

09-11-2021 15:36

211109-s2d2nacegm 8

Analysis

max time kernel
91s
max time network
92s
platform
windows10_x64
resource
win10-en-20211104
submitted
09-11-2021 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.8081603340.rosebayboats.com/negwtod/a2NoZXNudXRAZ2ZsZXNjaC5jb20=

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 1 IoCs

Processes:

iexplore.exe

description ioc process

File opened for modification C:\Program Files\Internet Explorer\Images\bing.ico iexplore.exe

description	ioc	process
File opened for modification	C:\Program Files\Internet Explorer\Images\bing.ico	iexplore.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6C164902-400F-11EC-B34F-FEE0DE99BB17} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url3 = 0000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1107531164"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TypedURLsTime	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url2 = 0000000000000000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TypedURLs\url3 = "https://login.aliexpress.com/"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url4 = 0000000000000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "https://kolinperry.com/shilonnpat/a2NoZXNudXRAZ2ZsZXNjaC5jb20="	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TypedURLs\url2 = "https://www.facebook.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TypedURLs\url4 = "https://signin.ebay.com/ws/ebayisapi.dll"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30921756"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30921756"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TypedURLs	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TypedURLs\url5 = "https://login.live.com/"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TypedURLs\url6 = "https://twitter.com/"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30921756"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url6 = 0000000000000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1097062351"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url1 = fd832f381cd4d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url5 = 0000000000000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1097062351"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
512	chrome.exe
512	chrome.exe
3024	chrome.exe
3024	chrome.exe
1644	chrome.exe
1644	chrome.exe
3528	chrome.exe
3528	chrome.exe
5052	chrome.exe
5052	chrome.exe
4304	chrome.exe
4304	chrome.exe
2692	chrome.exe
2692	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

3024 chrome.exe
3024 chrome.exe
3024 chrome.exe
3024 chrome.exe
3024 chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

chrome.exeiexplore.exe

pid	process
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
2032	iexplore.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2032 iexplore.exe
2032 iexplore.exe
824 IEXPLORE.EXE
824 IEXPLORE.EXE
824 IEXPLORE.EXE
824 IEXPLORE.EXE

pid	process
2032	iexplore.exe
2032	iexplore.exe
824	IEXPLORE.EXE
824	IEXPLORE.EXE
824	IEXPLORE.EXE
824	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3024 wrote to memory of 4016	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4016	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 4384	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 512	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 512	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 2284	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 2284	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 2284	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 2284	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 2284	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 2284	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 2284	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 2284	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 2284	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 2284	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 2284	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 2284	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 2284	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 2284	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 2284	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 2284	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 2284	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 2284	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 2284	3024	chrome.exe	chrome.exe
PID 3024 wrote to memory of 2284	3024	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" http://www.8081603340.rosebayboats.com/negwtod/a2NoZXNudXRAZ2ZsZXNjaC5jb20=
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff9fe7a4f50,0x7ff9fe7a4f60,0x7ff9fe7a4f70
  2⤵
  PID:4016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1520,8262100382299927808,11209075935235054819,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1900 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1520,8262100382299927808,11209075935235054819,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1536 /prefetch:2
  2⤵
  PID:4384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1520,8262100382299927808,11209075935235054819,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2300 /prefetch:8
  2⤵
  PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,8262100382299927808,11209075935235054819,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2684 /prefetch:1
  2⤵
  PID:3720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,8262100382299927808,11209075935235054819,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2672 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1520,8262100382299927808,11209075935235054819,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4116 /prefetch:8
  2⤵
  PID:1056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,8262100382299927808,11209075935235054819,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4212 /prefetch:1
  2⤵
  PID:1248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1520,8262100382299927808,11209075935235054819,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3604 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1520,8262100382299927808,11209075935235054819,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4816 /prefetch:8
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1520,8262100382299927808,11209075935235054819,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4948 /prefetch:8
  2⤵
  PID:3748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1520,8262100382299927808,11209075935235054819,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1520,8262100382299927808,11209075935235054819,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4456 /prefetch:8
  2⤵
  PID:3828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1520,8262100382299927808,11209075935235054819,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4384 /prefetch:8
  2⤵
  PID:4104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1520,8262100382299927808,11209075935235054819,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4932 /prefetch:8
  2⤵
  PID:3764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1520,8262100382299927808,11209075935235054819,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3068 /prefetch:8
  2⤵
  PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1520,8262100382299927808,11209075935235054819,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1520,8262100382299927808,11209075935235054819,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,8262100382299927808,11209075935235054819,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵
  PID:1860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,8262100382299927808,11209075935235054819,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1520,8262100382299927808,11209075935235054819,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1520,8262100382299927808,11209075935235054819,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1672 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1520,8262100382299927808,11209075935235054819,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1896 /prefetch:8
  2⤵
  PID:2700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1520,8262100382299927808,11209075935235054819,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1380 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1520,8262100382299927808,11209075935235054819,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3608 /prefetch:8
  2⤵
  PID:4152

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2032
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2032 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5
1c3ed22c003b0e1724a802f750244f60

SHA1
c83f95230ea4d3ac58c4f5d5a7504b0f5eedf0ad

SHA256
f24de6edda835df45daadcce85ecfeaa1f5a363a16faeff1c16ae55ec57dcb6b

SHA512
7f9f0395307b63d4bda636b132533f5e62b36bfa78ff0850c5ba0a2ebe3f426b0a18232993a35bfe9166d9f86d2dfe2ad6429fc864265a0bdf6d4f1f25d26297

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5
4ff09d007af9e6528ed1f7a6187a6dd5

SHA1
9d5f254cf2f47f1c6297846a9a1920e1d42eef1c

SHA256
e99b12a7afa7544d18fbb7838d07bea68d53e2b8483a561b02dc1e85f9820620

SHA512
50725b8be9c71c4683c4cf17df8c2e888dbd75c702eeff6822926b217c2692751d0105d0e9354015ac756349191412650614e4696b013023b0bf0cb31a33f70d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5
b13817e205b1e3d18e2dbf166425c94e

SHA1
21816e75672e84778640be70a573fb4d2031b1c8

SHA256
71f11dd8eafd79b07c1c451047a0809e24b9c0c4d6a97ac22b56ad620f106968

SHA512
63ba8452e239cb848f15039c802dd6bf866c6ec93f00b9fbf13f25f78cb18cd14bf784d5ca2a9294b425bb319ccad29c5ff76642e92394c1283e7c4e7d735bcd

Download Submit
\??\pipe\crashpad_3024_OCUMGQWZEIYMNYCH

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/824-144-0x0000000000000000-mapping.dmp

Download
memory/2032-148-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-153-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-127-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-128-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-129-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-131-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-132-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-133-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-135-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-137-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-138-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-139-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-141-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-140-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-142-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-125-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-145-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-146-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-124-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-149-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-151-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-126-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-154-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-155-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-159-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-160-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-161-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-167-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-169-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-168-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-170-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-171-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-172-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-173-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-175-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-176-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-182-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-183-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-123-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-121-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-120-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download
memory/2032-119-0x00007FF9ECF10000-0x00007FF9ECF7B000-memory.dmp

Filesize
428KB

Download