hxxps://docs[.]google[.]com/document/d/164DsnYYdf6vvCPIqWlDpz37lo24vfmuh/edit?usp=sharing_eip_m&rtpof=true&sd=true&ts=62802a6f&sh=55K97kraFDSfR8Bu&ca=1

Analysis

max time kernel
48s
max time network
50s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
14-05-2022 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://docs.google.com/document/d/164DsnYYdf6vvCPIqWlDpz37lo24vfmuh/edit?usp=sharing_eip_m&rtpof=true&sd=true&ts=62802a6f&sh=55K97kraFDSfR8Bu&ca=1

Score

5^/10

google phishing

Malware Config

Signatures

Detected potential entity reuse from brand google.
phishing google

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 44 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3897018057"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60398deaf267d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{130DFB38-D3E6-11EC-B274-E289ED121488} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\support.google.com\ = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30959602"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000de0a1e983134cf4e883f258c38579ff0000000000200000000001066000000010000200000001925b65bf7c0aeb2681dd1ff95614cc77b24f262a214f5591cfd6fa955f7350e000000000e8000000002000020000000d9693846623f92e16d4c6bd7041266f45f6f405ded0ec3b6e87da076f5b75d18200000006b4aa7635a102d2d71ac66887dc117577d4e91638183e1440d13b6e6a5d1ae8b400000007c9982a8a731f99fdc3c363bcc9681abffb014cc40b1dfd3721083618038e35a3b1bb60ef48704dd4d949bc4cf2af670ddf13991e533aa53fb1f7f685dc5e1f4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80f1a5eaf267d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\support.google.com\ = "32"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30959602"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "32"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\DOMStorage\support.google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3887399762"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30959602"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3887399762"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "32"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000de0a1e983134cf4e883f258c38579ff00000000002000000000010660000000100002000000066f5660d5185e0205fed529ed06e6811e18f2bda77092098f5515084dcbdfe9c000000000e8000000002000020000000a3c01c3eeb30d720f66d597fa2a0a5c0d6793ffd52252c03e9d3bafc0e2464b92000000009f958475fa6a4632a0e3a5300070a79650cd98149c5fb805ee09372cb62888d40000000bd1b50b3b630f5dc8d363beb0d5767393842377bd82df41b1b7c2c1c52488bac36698a52592c523673610f11c273e140276050b7f584f693ddf76a48c1aa7a5f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exe

pid process

612 chrome.exe
612 chrome.exe
3116 chrome.exe
3116 chrome.exe
5716 chrome.exe
5716 chrome.exe
5952 chrome.exe
5952 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

3116 chrome.exe
3116 chrome.exe
3116 chrome.exe
3116 chrome.exe

pid	process
612	chrome.exe
612	chrome.exe
3116	chrome.exe
3116	chrome.exe
5716	chrome.exe
5716	chrome.exe
5952	chrome.exe
5952	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

iexplore.exechrome.exe

pid	process
548	iexplore.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

548 iexplore.exe
548 iexplore.exe
4708 IEXPLORE.EXE
4708 IEXPLORE.EXE
4708 IEXPLORE.EXE
4708 IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exechrome.exe

description	pid	process	target process
PID 548 wrote to memory of 4708	548	iexplore.exe	IEXPLORE.EXE
PID 548 wrote to memory of 4708	548	iexplore.exe	IEXPLORE.EXE
PID 548 wrote to memory of 4708	548	iexplore.exe	IEXPLORE.EXE
PID 3116 wrote to memory of 1548	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1548	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 1324	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 612	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 612	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 3516	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 3516	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 3516	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 3516	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 3516	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 3516	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 3516	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 3516	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 3516	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 3516	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 3516	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 3516	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 3516	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 3516	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 3516	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 3516	3116	chrome.exe	chrome.exe
PID 3116 wrote to memory of 3516	3116	chrome.exe	chrome.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://docs.google.com/document/d/164DsnYYdf6vvCPIqWlDpz37lo24vfmuh/edit?usp=sharing_eip_m&rtpof=true&sd=true&ts=62802a6f&sh=55K97kraFDSfR8Bu&ca=1
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:548

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:548 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffec8594f50,0x7ffec8594f60,0x7ffec8594f70
2⤵
PID:1548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1664,13510876196036477203,5065633213014350161,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1684 /prefetch:2
2⤵
PID:1324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1664,13510876196036477203,5065633213014350161,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1808 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1664,13510876196036477203,5065633213014350161,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2336 /prefetch:8
2⤵
PID:3516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,13510876196036477203,5065633213014350161,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2932 /prefetch:1
2⤵
PID:5148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,13510876196036477203,5065633213014350161,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2956 /prefetch:1
2⤵
PID:5164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,13510876196036477203,5065633213014350161,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3748 /prefetch:1
2⤵
PID:5268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,13510876196036477203,5065633213014350161,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4508 /prefetch:8
2⤵
PID:5352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,13510876196036477203,5065633213014350161,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4652 /prefetch:8
2⤵
PID:5360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,13510876196036477203,5065633213014350161,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4632 /prefetch:8
2⤵
PID:5416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,13510876196036477203,5065633213014350161,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4964 /prefetch:8
2⤵
PID:5708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,13510876196036477203,5065633213014350161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,13510876196036477203,5065633213014350161,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5128 /prefetch:8
2⤵
PID:5784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,13510876196036477203,5065633213014350161,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5360 /prefetch:8
2⤵
PID:5816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,13510876196036477203,5065633213014350161,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5004 /prefetch:8
2⤵
PID:5848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,13510876196036477203,5065633213014350161,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
2⤵
PID:5884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,13510876196036477203,5065633213014350161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5900 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5952

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5088

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
6066476921782a0e0f307c545a1553bd

SHA1
18e136bd49c2d805e6eb14e8e0ffe9d77cdd20ef

SHA256
e42fd9363b0234f5f476d0f581d96641b1b2258a0f53c21bbead31affda4e793

SHA512
75bb81f45ad5f6b7c7fc621e4d1bc7e30209596fefbfde073c346f0d6f36a90f953a5c08420e2455d29c4608293ce6358429fd70fbb817aaf099502ca6923e6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_3709B4E5622995C733EE4530EB94C879
Filesize
471B

MD5
37adc5daae60013a9a2b1c3f01320e11

SHA1
6ef79094670184b96a4431284e31dfccdad6efeb

SHA256
ce183e7f9541e38525a96d08f559bdc1ac899bbbb8f839d0c9f3529176be948d

SHA512
bd216663ac391b8ab04faf4ae76b69204b8c2e8578485e9fbb641982cb5e74016a12eb5366b7553226e2000ec2879eed236223ab06b56e80c2fef0b103398c72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_7746FAB18C29599D804E41025F6946C8
Filesize
472B

MD5
85305c631b6ae82c1a36d8180c00075e

SHA1
1215defeb5eddb2431260ca79d3fed7c8ffd2899

SHA256
128512cebb302486f3d3411e0df8fbd54e4120c5e4679abe1ed35e7b44e4bc89

SHA512
59bc33472314ebc68236fb0c63980de0a8faefbc30b0e2c2e4c190e0caf3f89c6b6dc938e276970cd5b943b6ee52b57df35b0f6af28e36b7f82c19eb94cb548f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
724B

MD5
5a11c6099b9e5808dfb08c5c9570c92f

SHA1
e5dc219641146d1839557973f348037fa589fd18

SHA256
91291a5edc4e10a225d3c23265d236ecc74473d9893be5bd07e202d95b3fb172

SHA512
c2435b6619464a14c65ab116ab83a6e0568bdf7abc5e5a5e19f3deaf56c70a46360965da8b60e1256e9c8656aef9751adb9e762731bb8dbab145f1c8224ac8f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_1F4146032E858CF90AA118759612A65F
Filesize
472B

MD5
cee669ce44b446b341ad615e004efeb4

SHA1
d1fe9ccbc7334ea36ef0825052a3b53e7b852ce4

SHA256
9d8175184ce22be5957c382441c0ac7d39f79ea2e84d248949651b74b3fbb29a

SHA512
97fb3ffc2a02a99a20d93ddd09017307329b32228c2dc397fa8bf23e5c8d88d2fde53816da2febb1c47610c528151fa370fe84263f8284e8706f44a118b73139

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
9ac743436e2e72a1830fd23174ca6bae

SHA1
074a56a41726ab41dcf8a27dd059ebc093a17012

SHA256
650d21631e32e5cefa34bbe1c83eaa150a61794bf54c29630349484b9209694a

SHA512
7b02e7c9c319c58cea71bb18e955a3a83deb182943fb4d821a1caf168f2e163dbce3f4daf5fabd97bae7f824792f606349bb37cb1c94b21865e02f7a87834cf3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_3709B4E5622995C733EE4530EB94C879
Filesize
406B

MD5
441afae52d70b4c76b84aa3501797659

SHA1
a9f5b0af2411f3ca86189e1e8f516a226cae23d3

SHA256
ac3902512c9d3fcb3f03eb298f2f76e8ddeb709407b9aaf14377041c67499352

SHA512
f2c4fd6e2a6812fe1e5c5c4a324a1d00de19d7b6a313cba1729cd21f02bb0f4ce9edef565bba00af7d74670f6baf3678305773a5dcbac75753f75f7fd299455d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_7746FAB18C29599D804E41025F6946C8
Filesize
410B

MD5
29e469503e980cacf7f14b537ed212c7

SHA1
0e530e3162f15d654dda2cd79c0c33330712da0e

SHA256
931a313d015a70bfce3c6d26679a3b4158959acd216d5835ca62a5999611dc56

SHA512
35c1b35fa4e14638555a8dfa3395892e3a7390744fccb63a7c9ffd653b9f2f6fe72a570598b0a1a5a6732619f35056db42272e3a11dde4f887090162489f451d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
392B

MD5
10e14b0da393a049c54cf1a90eaf1f82

SHA1
1ddafd064a2a8d53dff0fbf7bf8a6e6bef74f9e7

SHA256
be8b464b738dd58cecc8d42a4b737800ecd0427650f2d127f4ef8668063c2c9e

SHA512
1021bf87924b1c47ddb2b7abba5f6c0b659cdcbac2be5f7e57de6d272e1127a537b54ef75467e784948a4c16b776264221a6c977c81df672fba304524e92d782

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_1F4146032E858CF90AA118759612A65F
Filesize
402B

MD5
318982e7b052b39fcd50ddd3019ba271

SHA1
56753d34c8cabb32d16ffa179feddec9e6b9a794

SHA256
15f0a4422c4edc1213e3430951f8c6707e8d23aae733ec8ab458a45e635bbfbc

SHA512
823216f2f354791b0defe48e80bdb1ac508419845aafb3c37c8f7dad4a54140b60d4b063f66cb2d7aec786d5faf7e825ca8011f4e4de00e4f6c64ace94092637

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1dmutkj\imagestore.dat
Filesize
5KB

MD5
7aa8cb1a00206e95d54ea6369bac1c32

SHA1
26de65bef739ecee67d4a3f6b8e06b434c0153a0

SHA256
60812c875b82d94b4f49393f6f8fb1438d691013b5fe645c54d6bf28e240b02a

SHA512
c0d410cecfae38ca8147f6afc384eb3032852415d1b938135b3396e0490679c39a85171c3a2632f8cea2576c687ea79734a3ad1a73e94a58d15ee62a379a3a24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\D4ZD1ZBQ\favicon[1].ico
Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
\??\pipe\crashpad_3116_AWUIHALKIABIKDRK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

pid	process
548	iexplore.exe
548	iexplore.exe
4708	IEXPLORE.EXE
4708	IEXPLORE.EXE
4708	IEXPLORE.EXE
4708	IEXPLORE.EXE