91573e2aad89c56aafd30ee2dd1155ef1e2b38a2d2856a3201e1f600e6685217

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20220414-en
submitted
21-05-2022 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91573e2aad89c56aafd30ee2dd1155ef1e2b38a2d2856a3201e1f600e6685217.pdf
Size

38KB
MD5

e9f991cbda73482d20734d9cc7572c78
SHA1

a0137943995f841b37ead9d62e2d3c15e1027615
SHA256

91573e2aad89c56aafd30ee2dd1155ef1e2b38a2d2856a3201e1f600e6685217
SHA512

0448d38a7e817cf342eaa63f50962683e30e5c7b1aa0be8c836cee29d174a35c806a9d14f259e4388f9d25be08534250a419af42a5ed6a2e937c8a6f27cd35ff

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TypedURLs\url6 = "https://login.live.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url6 = 0000000000000000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TypedURLs\url5 = "https://signin.ebay.com/ws/ebayisapi.dll"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url1 = 601216ba7a6dd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url4 = 0000000000000000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "https://raw.githubusercontent.com/OB2021"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url2 = 600d97b67a6dd801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TypedURLs\url2 = "https://www.facebook.com/"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TypedURLs\url6 = "https://twitter.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000962422cf799f2f46a7e75b376cef3c3c00000000020000000000106600000001000020000000c81ba3297bb42dad2269854d861a537f720e8440f3763367615574f59cd62947000000000e80000000020000200000004e98ce5691027e19bcae0edcae38f724f53f201866c11cab5a081171f6e43d1820000000ed7d1d6e12ffaf020f3db335e2e74f31381ffc722603f959da091a9c0460403a400000002a624affe0fcbc27e04583113fa19d11b7e80dd5bf039598e62345d8705dc031b50aee0328c788b11ca90435bf174833332212a4c0957d2c56ef41db56c3aee8	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TypedURLs\url2 = "https://raw.githubusercontent.com/OB2021/PS-/main/"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TypedURLs\url3 = "https://www.facebook.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "359947608"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TypedURLs\url4 = "https://signin.ebay.com/ws/ebayisapi.dll"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url5 = 0000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a06e21b37a6dd801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url7 = 0000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FC9F8C61-D96D-11EC-B7F1-DEAEF166B17F} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D69C9761-D96D-11EC-B7F1-DEAEF166B17F} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "https://raw.githubusercontent.com/OB2021/PS-/main/"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url2 = 0000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TypedURLs\url7 = "https://twitter.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

chrome.exechrome.exe

pid process

1236 chrome.exe
576 chrome.exe
576 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

1000 AcroRd32.exe

pid	process
1236	chrome.exe
576	chrome.exe
576	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

iexplore.exeiexplore.exechrome.exe

pid	process
1092	iexplore.exe
1484	iexplore.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe
576	chrome.exe

Suspicious use of SetWindowsHookEx 19 IoCs

Processes:

AcroRd32.exeiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
1000	AcroRd32.exe
1000	AcroRd32.exe
1000	AcroRd32.exe
1000	AcroRd32.exe
1092	iexplore.exe
1092	iexplore.exe
1728	IEXPLORE.EXE
1728	IEXPLORE.EXE
1728	IEXPLORE.EXE
1728	IEXPLORE.EXE
1092	iexplore.exe
1092	iexplore.exe
1092	iexplore.exe
1484	iexplore.exe
1484	iexplore.exe
1744	IEXPLORE.EXE
1744	IEXPLORE.EXE
1744	IEXPLORE.EXE
1744	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeiexplore.exeiexplore.exechrome.exe

description	pid	process	target process
PID 1000 wrote to memory of 1092	1000	AcroRd32.exe	iexplore.exe
PID 1000 wrote to memory of 1092	1000	AcroRd32.exe	iexplore.exe
PID 1000 wrote to memory of 1092	1000	AcroRd32.exe	iexplore.exe
PID 1000 wrote to memory of 1092	1000	AcroRd32.exe	iexplore.exe
PID 1092 wrote to memory of 1728	1092	iexplore.exe	IEXPLORE.EXE
PID 1092 wrote to memory of 1728	1092	iexplore.exe	IEXPLORE.EXE
PID 1092 wrote to memory of 1728	1092	iexplore.exe	IEXPLORE.EXE
PID 1092 wrote to memory of 1728	1092	iexplore.exe	IEXPLORE.EXE
PID 1000 wrote to memory of 1484	1000	AcroRd32.exe	iexplore.exe
PID 1000 wrote to memory of 1484	1000	AcroRd32.exe	iexplore.exe
PID 1000 wrote to memory of 1484	1000	AcroRd32.exe	iexplore.exe
PID 1000 wrote to memory of 1484	1000	AcroRd32.exe	iexplore.exe
PID 1484 wrote to memory of 1744	1484	iexplore.exe	IEXPLORE.EXE
PID 1484 wrote to memory of 1744	1484	iexplore.exe	IEXPLORE.EXE
PID 1484 wrote to memory of 1744	1484	iexplore.exe	IEXPLORE.EXE
PID 1484 wrote to memory of 1744	1484	iexplore.exe	IEXPLORE.EXE
PID 576 wrote to memory of 1752	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1752	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1752	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1964	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1236	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1236	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1236	576	chrome.exe	chrome.exe
PID 576 wrote to memory of 1580	576	chrome.exe	chrome.exe

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\91573e2aad89c56aafd30ee2dd1155ef1e2b38a2d2856a3201e1f600e6685217.pdf"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1000

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://bit.ly/3cBxHoA
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1092

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1092 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1728

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://bit.ly/3cBxHoA
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1484

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1484 CREDAT:275457 /prefetch:2
3⤵
- Suspicious use of SetWindowsHookEx
PID:1744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7294f50,0x7fef7294f60,0x7fef7294f70
2⤵
PID:1752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1044,7024177019068785936,9450342490670860111,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1040 /prefetch:2
2⤵
PID:1964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1044,7024177019068785936,9450342490670860111,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1340 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1044,7024177019068785936,9450342490670860111,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1816 /prefetch:8
2⤵
PID:1580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1044,7024177019068785936,9450342490670860111,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2032 /prefetch:1
2⤵
PID:1760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1044,7024177019068785936,9450342490670860111,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2044 /prefetch:1
2⤵
PID:1464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1044,7024177019068785936,9450342490670860111,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
2⤵
PID:2084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1044,7024177019068785936,9450342490670860111,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3272 /prefetch:2
2⤵
PID:2192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1044,7024177019068785936,9450342490670860111,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
2⤵
PID:2236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1044,7024177019068785936,9450342490670860111,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3520 /prefetch:8
2⤵
PID:2300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1044,7024177019068785936,9450342490670860111,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3612 /prefetch:8
2⤵
PID:2308

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4D1ED785E3365DE6C966A82E99CCE8EA_216A6C169356295AB09C26D4D7D32E06
Filesize
471B

MD5
9ed9cefd59b566b9ce7fdd031d337b9b

SHA1
943bb740e9a0c0ddb8c34af64adf4ddb033eee60

SHA256
46ed894b7739e3f3b43bba519caab9324f15e9e87f131ef171d0e602282e5c41

SHA512
8543c31a909b3e7b941631aab949e70418b7650ffc40c562b8ef937f87416a158ed3589eb78786fe8758054a7636448d0ce24b6f10af0911f61b9bfd6154ac23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
60KB

MD5
b9f21d8db36e88831e5352bb82c438b3

SHA1
4a3c330954f9f65a2f5fd7e55800e46ce228a3e2

SHA256
998e0209690a48ed33b79af30fc13851e3e3416bed97e3679b6030c10cab361e

SHA512
d4a2ac7c14227fbaf8b532398fb69053f0a0d913273f6917027c8cadbba80113fdbec20c2a7eb31b7bb57c99f9fdeccf8576be5f39346d8b564fc72fb1699476

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
471B

MD5
593ec2cdee0016e59cb1a604183c7c5b

SHA1
69b348d47c717c0e0fea254cfe443ffd082dcdc2

SHA256
6f752ec074eae027bcf0d80168403c913a6f117f82e27d071127cec9fc7f2345

SHA512
09c1c5bd01e798110cfa61669981832c93a6199a5b98066b629fb8e2c047f86ae7753b9196f1204931857da693d398893efd10bff74490d4f6a9fe797c422632

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619
Filesize
471B

MD5
65458178789c488a525ae8548dfc0017

SHA1
f316de3fc5d49b093ca97ca44a9096c17331b043

SHA256
388c18c4d0675ae24883498d56fc6292b90c93e9491b8b1447308a5ac3f74c62

SHA512
1a71ca33a13426372d87684f5a3ebcc8cf969add82afff9a4fe5fd304f427d57e26cb93da29d10038df7b652238e553ed74dc8aec34954ff96cb853193e0142c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4D1ED785E3365DE6C966A82E99CCE8EA_216A6C169356295AB09C26D4D7D32E06
Filesize
426B

MD5
4c68d21eb9446f647865e554b91190b3

SHA1
18d1dcfe6a089bb09740e998a66b7939e7befa1d

SHA256
89e985a5f934267c69a8b50a312a5ab9ca5f85788f31ff084c6d90aac6c988a6

SHA512
8201cd12585156652636862a7d0267f5cbd90476d7ef4b3f3a663bc7bdda00b0fdf98e2739be0e31f7c785f778b14c99212ad194cfd6c65da62b8929b1d72e69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b78316a61490066202ab9115cea0a6f1

SHA1
87c742b6d72c7b64f44d874190e3f0c535022176

SHA256
5a67f4501b2325470b4f9458f5ffa14f95474718f464058745881fdb2d78552f

SHA512
62933bd1266a5deaaca0eedee6e83a82153879652561d217d106bdeed9788054731a83bd5014303f5c71028233169243f0ef4e3b7d5e8cd3b81cf45c6d80247f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7d4c327cb4ca916d82f31890cee07c02

SHA1
63d8dad0ce6c5d91929e0020adde4a0f5da6457c

SHA256
4b6febe880f70282ba6f614b94c00f6b2e821abbd0ae4145830d83326cc651b3

SHA512
586382146afa839c0ec69c3c85eae779efc823563c79c3fd082ff301d9b2bcb9f720389647dae082f30cc1ef44da99aeedfdc242f8ddd23b1f2e0bfa746ff95f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
430B

MD5
71125ee13822911be04dea6e44d764de

SHA1
e9c640dcab5489c32cdefb5441a1976ccf0bc55b

SHA256
9008f204816b1e573e38e40e974405f55ecb441f4244eaf65b2d0935f878bcdc

SHA512
b3e83e958120412da8db8c4c3e4c5efc8930f48e308ccf45c3f99a116f69462fa83b0a0aa7409913607600c397ac15c514cabe4cb07c3fd796e701e77d7820df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619
Filesize
430B

MD5
2cb3d392e75e5abecf81745b71d0dc27

SHA1
8c93873a21f0d32fb36b351af83f322bc85ce193

SHA256
5713b8b4e5dd36cee69f79f23677850ecdadc9512bbaea188ab0978aa98dd702

SHA512
4376deaca9403e5fdb811e32ada68d5a9e87ef5c29d8a7442c520d81e3774d17d25a5256fa45bbd40689d48884cbd1d49f418ae4d9427a555735cfc97e091e6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
de06bd19ca90c4080ffdc5026f252461

SHA1
83110dacaee61cd6fabee1b85df935f5c449a2e8

SHA256
e02fa325f1add7331781ca6b17aae78952d4b3cd53eae796d6b7287288a55867

SHA512
79645603d1e2d8ea24d2690f76cf95f90f8e96e2c9cd64121833a243b19174f5dacaec76e19cf15846fd96d32a4c12b6992ee50903abaeeea5754f3db1734576

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D69C9761-D96D-11EC-B7F1-DEAEF166B17F}.dat
Filesize
5KB

MD5
c080f0d6f453c98fedf68b4a3113632f

SHA1
a57e2c11d7d6a98b33f56c1aa6bc5b2a61bfaa42

SHA256
b27f7d152e5800918ca156cf925764326fa5fb592f5e81f69dd0bff579f9679c

SHA512
8a869ebe402b832e92cef31a0f87ee07f3bcb9fe35520001ff263fe09f6400df7251b778e922eecc9025f9400a3ec48bd6b8be10daa5d30abfb0eb3647c98022

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V789HYVY\3cBxHoA[1].htm
Filesize
156B

MD5
038231601f6b0ba58ef97bb8b14401ac

SHA1
44ce892401715c24fdfaffa711bb4fd56bbeba7f

SHA256
211896ad3170990881169331dfc09f955e2fd3821c59bd46b98c9c37ddffe169

SHA512
1d6259aa43c83682141f24c186ecffaabb325f9af50de0efabf6e305af2cd085c74394a9646429198d0259675d7c4b2312e83adba7f22a50c08cedb0586f7522

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\G641KCBG.txt
Filesize
90B

MD5
f64e3bfa3fbfe35b7d21e94598baeb7c

SHA1
0a557b452d5ba49a4f8f25bed75c70e6247dbe03

SHA256
daf0d2d5cecc2c44c3a9464e137499efac644ecb4bbb5392f1e38458a45269e9

SHA512
bf93abe0492970225eeff168c6d56414fcfbe01725b51f4ba243f7e7b7e9442b46fb5c576e906cbb4a3f44de88a65e7af4f3b89792c9a3f56ccddd5c9bc11237

Download Submit
\??\pipe\crashpad_576_GDUHNEHCAHATNOST
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1000-54-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download