hxxps://docs[.]google[.]com/forms/d/e/1FAIpQLSdtb0jfjmvs81gs53-X2Ezc9WpIeKFxpNsDsodAC0RAHvoPyw/viewform

Resubmissions

15-08-2022 22:44

220815-2n9e3sggcm 1

15-08-2022 22:40

220815-2lxy9sbdg2 8

Analysis

max time kernel
143s
max time network
151s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
15-08-2022 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://docs.google.com/forms/d/e/1FAIpQLSdtb0jfjmvs81gs53-X2Ezc9WpIeKFxpNsDsodAC0RAHvoPyw/viewform

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 47 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{16980031-1CFC-11ED-A34F-EA25B6F29539} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\support.google.com\ = "32"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "32"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\support.google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf00000000020000000000106600000001000020000000a31e009e44386463267444cb00edbfdf25b767274cf8d883a1db9d4cf6b76a95000000000e80000000020000200000004a3e09615374458b4b49afedd21a21e21e3bab3259d42b3070740d8dd2ccb5dc9000000069ee9957cc11db0215665bdb25b71fe73503a26228880e6d8dc87cc8a33ccae9b306eef5bb5aad06d1ed302bdd65c392fb3fa44a46f8a94e1e35038d85baf140ff09a20a87698e34b6c5e424fb8c959e792e06f04daaf5687420f61e6188e16c1e9e68115ad2227efe1ec6d7d712f2f0bf63768d653b24e1ffd98bbe9e93b93fb78cc4eeb37256307b453538c8cb020240000000eb32acf6bc88211d2b070d5427a53e0e47a9486a6220a134022790c1878ada60f53b680257f0b9797878c685316888710b45c070325e048181a3c9da92d2677b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\support.google.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30dc9ff108b1d801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "32"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf000000000200000000001066000000010000200000001de779162839738888ca9f24b749e2b6ed902b028252bdf67092c1fb87c3b991000000000e800000000200002000000032f065e0fb01cd484e3d5cb5b82f07a0e2e6144a1840e5bcbd132e4913e605ac200000004d4408994bd42c3d0641dac97b60abc9ec2ce9450c75172c8a5c44a76a21c0a440000000b49650ba664ed74c230d407dcc6eea2d3ab1748efa86309775ecabc63495779cf1a645a7cd35d5dad3085a788a01b2a9009cd20e91ad311bd47ffdd170761afa	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "367375431"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exechrome.exe

pid process

392 chrome.exe
392 chrome.exe
2792 chrome.exe
2888 chrome.exe
392 chrome.exe
392 chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

iexplore.exechrome.exe

pid	process
2036	iexplore.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exe

pid	process
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe
392	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2036 iexplore.exe
2036 iexplore.exe
604 IEXPLORE.EXE
604 IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exechrome.exe

description	pid	process	target process
PID 2036 wrote to memory of 604	2036	iexplore.exe	IEXPLORE.EXE
PID 2036 wrote to memory of 604	2036	iexplore.exe	IEXPLORE.EXE
PID 2036 wrote to memory of 604	2036	iexplore.exe	IEXPLORE.EXE
PID 2036 wrote to memory of 604	2036	iexplore.exe	IEXPLORE.EXE
PID 392 wrote to memory of 1052	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1052	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1052	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1620	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1324	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1324	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 1324	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 764	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 764	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 764	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 764	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 764	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 764	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 764	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 764	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 764	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 764	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 764	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 764	392	chrome.exe	chrome.exe
PID 392 wrote to memory of 764	392	chrome.exe	chrome.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://docs.google.com/forms/d/e/1FAIpQLSdtb0jfjmvs81gs53-X2Ezc9WpIeKFxpNsDsodAC0RAHvoPyw/viewform
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2036

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2036 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef65d4f50,0x7fef65d4f60,0x7fef65d4f70
2⤵
PID:1052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1052,2112370358373692654,2973249979334669238,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1064 /prefetch:2
2⤵
PID:1620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1052,2112370358373692654,2973249979334669238,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1320 /prefetch:8
2⤵
PID:1324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1052,2112370358373692654,2973249979334669238,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1672 /prefetch:8
2⤵
PID:764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1052,2112370358373692654,2973249979334669238,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2060 /prefetch:1
2⤵
PID:1612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1052,2112370358373692654,2973249979334669238,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2068 /prefetch:1
2⤵
PID:2052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1052,2112370358373692654,2973249979334669238,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
2⤵
PID:2276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1052,2112370358373692654,2973249979334669238,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3384 /prefetch:2
2⤵
PID:2348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1052,2112370358373692654,2973249979334669238,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
2⤵
PID:2392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1052,2112370358373692654,2973249979334669238,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3564 /prefetch:8
2⤵
PID:2460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1052,2112370358373692654,2973249979334669238,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3520 /prefetch:8
2⤵
PID:2468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1052,2112370358373692654,2973249979334669238,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3780 /prefetch:8
2⤵
PID:2544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1052,2112370358373692654,2973249979334669238,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3612 /prefetch:8
2⤵
PID:2552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1052,2112370358373692654,2973249979334669238,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=980 /prefetch:8
2⤵
PID:2704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1052,2112370358373692654,2973249979334669238,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2468 /prefetch:8
2⤵
PID:2748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1052,2112370358373692654,2973249979334669238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3644 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2792

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
PID:2872

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x13c,0x140,0x144,0x110,0x148,0x13ffaa890,0x13ffaa8a0,0x13ffaa8b0
3⤵
PID:2944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1052,2112370358373692654,2973249979334669238,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3184 /prefetch:8
2⤵
PID:2896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1052,2112370358373692654,2973249979334669238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3172 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1052,2112370358373692654,2973249979334669238,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3704 /prefetch:8
2⤵
PID:2980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1052,2112370358373692654,2973249979334669238,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3616 /prefetch:8
2⤵
PID:3048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1052,2112370358373692654,2973249979334669238,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1
2⤵
PID:268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1052,2112370358373692654,2973249979334669238,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1008 /prefetch:8
2⤵
PID:1072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:1604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef65d4f50,0x7fef65d4f60,0x7fef65d4f70
2⤵
PID:1772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
e1f51cf33c55c36c30f43554e8d0baa2

SHA1
1763903fed69f1bfcbe6e42e15c7b4d984b68997

SHA256
bb94562368fb674cb1ac1497f4e2cc5df98efebce60bf7694bbb1e87977a2c73

SHA512
730be2c213fb0bfa68cae35f2ee27c145f98a7b5abdf7a1aff67a843564a3b4fcad8325c3887334a61c73af5e11725b9bec6343432d4459d1873be70c60dc578

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
724B

MD5
5a11c6099b9e5808dfb08c5c9570c92f

SHA1
e5dc219641146d1839557973f348037fa589fd18

SHA256
91291a5edc4e10a225d3c23265d236ecc74473d9893be5bd07e202d95b3fb172

SHA512
c2435b6619464a14c65ab116ab83a6e0568bdf7abc5e5a5e19f3deaf56c70a46360965da8b60e1256e9c8656aef9751adb9e762731bb8dbab145f1c8224ac8f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_7A6811D4A6D8E5D9A83111D47C405249
Filesize
472B

MD5
5cc48869b4a464ad8241d4bd5b3c9346

SHA1
935fa1e475c5ac14700952e32349462486c9c70f

SHA256
7962de13da8c6e736ee6ec6dfffb60ad64bcbe25d328310e45c18a45efad3b17

SHA512
76b9b03f92c2b8d05e6a5641df0413f85be0602a4ad8d3b38f6e83a2d4c937cfa8ead615d09184b62b8d7184e41917fad63cf38418801a0c1609cc76b711c48e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_9E637ACEC78196ABC260D8CA87651CBC
Filesize
472B

MD5
41eef2832142ecb622017c10f68609d1

SHA1
d649a6b9659c75264c7eae2ca4a8e6bd517172f1

SHA256
e5c980c9196b97d355ef1fb7323166b573f5a564b4561ff0c58b8b05505f08e5

SHA512
fdd2ad71b7ff77f83010bf7da4ec476ee8e6b70167910606a8333d895e8c29c203d87fd998caed964ccb38d85c6110883af6e18c0e6ab00d159064a6d2d1ca83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_C3A6D4BBC6E13E71913C80950D4B2967
Filesize
472B

MD5
aaf8007e9518e53f5d5355d798dac9db

SHA1
80912cdd60b3ead627472eafef7d270d571d9a03

SHA256
0ecc80e226599754b2dbb10a93337f1cdf1065bb7906d5c59485bb47ec15c7d1

SHA512
e91e3ef6c811c56e75787574e4d78df12bd98fdee1a1c81ed8c60b7a19a804cc5a8cc33b086f279fe06d4393ecb9ceb255409a7a7d8edc21e5185c850b33908e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
47b569a920b6bacfbbf20512bdb6fd0c

SHA1
30faf62fffbd6e55bc8de1f9b5c6de0f423e2ed9

SHA256
930f8d1f2648b3e0c356b38c8c979d09d0423d87128792656837e7bdf88ec2f5

SHA512
51a992652b20c075cf1cca19c26fe0265d2b95c36232c63c591ef30697cbff2197bfbe1bda49c3361bb006cd11e4b5fdd2b64c1c819481cec3fae1c2600b1a67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
c06df21fd528f37eb8ec8c9d05e49130

SHA1
0a63005b183c8b5a010030bb367cd200bbadbe03

SHA256
bb29242aac8625f62958dcc6e352ae27f7f05bd130915583cddddd32d14d3178

SHA512
23680b46ac44ca94a2e9897f9ae2e913e0a08ab0bfb4f0101a0482eac4870a22b263d20e7ef438968ec18377e51c3f2d63b21e60410e894cccb1a494d6305dda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
392B

MD5
1938c5325003fcc5905fffc0c97dc865

SHA1
c5e40a93d942ddc58e34150dab0b12aa9511b0f7

SHA256
76e830230fc0f31c2ba4186ebe61867b6079efcc7d8eac505b0d188e72a8b864

SHA512
dcab2425bb028bcbacbef13b6b4482e988f6b28620b10e3d68c0695d2f2a12bc7f50bf91e2a050f028004dfa4d11f052c46289e733a086041ca40aa796abd961

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_7A6811D4A6D8E5D9A83111D47C405249
Filesize
402B

MD5
3e728ef68b6dcefc2d003f83420e2af8

SHA1
607e7fce78c507dc550b09d5b8545022c55bf230

SHA256
81fe8566fb0cdcb4276a9d1f18ba23e187bee5145cee24c23bbc62a1e687e0cd

SHA512
e46a40d72f7d3cf7a7fbc616b3e975b1ac6df4c00f9383ed680e5a861ae0475a074424b3224c42c95aeed8ca2298af683df9220ca3a88263059def1aa5d54c23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_9E637ACEC78196ABC260D8CA87651CBC
Filesize
406B

MD5
a27b9427f13dda116035010abb459fba

SHA1
05e84b80af96f1e6c8d0c3fc3c589d89d8a37377

SHA256
b2f85b6736dd0d28a55a3d44d8917c3ee230f4d4766172fe892dd3af370f40c1

SHA512
ebff354eb55c757e01173ebb24b422b81e77c7ddc97bdc4fdb4e2486e8e75085cea0b5d9e00b3f4de7b2fc52c98b3bcd072532160c16d858b0f97e2a45c76731

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_C3A6D4BBC6E13E71913C80950D4B2967
Filesize
402B

MD5
9a984e5120d9bddf8c84892880fe5529

SHA1
1bec395cd6c487520c2643bce6d79d20d06f2550

SHA256
a48b27fdab4b6751fa902db6201c617d33ab3d4c807e7ca3c380bab918478c44

SHA512
6c9ebafd6063b9c2c4727e73ae7dc2ee211c7c35cb4ac928c8a7b9dc95f62ed8b4460aa6212cd952c4671b0d2b0021680ccb325f47685466f144a51c02c55f7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
ca0c469b8152e7e371cf08d73b026433

SHA1
07a87b72da129c4af371a735398bd1aefdb0e74a

SHA256
49bf5be3f0eae3a1851a7ac6e98c2aacfd41d04b0bee3f34ea75d3fe76ac4996

SHA512
2a051c82401a439602f6400b7af49353c869f464815dbefe068c3ad6249f7875e42d4c486dfdc22e60d54f711afc339491bb74922bba551df98e9ec0780dbafa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
ca0c469b8152e7e371cf08d73b026433

SHA1
07a87b72da129c4af371a735398bd1aefdb0e74a

SHA256
49bf5be3f0eae3a1851a7ac6e98c2aacfd41d04b0bee3f34ea75d3fe76ac4996

SHA512
2a051c82401a439602f6400b7af49353c869f464815dbefe068c3ad6249f7875e42d4c486dfdc22e60d54f711afc339491bb74922bba551df98e9ec0780dbafa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
ca0c469b8152e7e371cf08d73b026433

SHA1
07a87b72da129c4af371a735398bd1aefdb0e74a

SHA256
49bf5be3f0eae3a1851a7ac6e98c2aacfd41d04b0bee3f34ea75d3fe76ac4996

SHA512
2a051c82401a439602f6400b7af49353c869f464815dbefe068c3ad6249f7875e42d4c486dfdc22e60d54f711afc339491bb74922bba551df98e9ec0780dbafa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lwrmjt1\imagestore.dat
Filesize
9KB

MD5
9a72dce34ad28a153bd60bb0d272223d

SHA1
d4f9a3c205051b6d266f6bdcf66448b98db4fff5

SHA256
343cbb265d8d6262dc2ec110cdc951378158985d9b0c5a83ff551c1114310181

SHA512
62ec486cd18ab215059e31b4c82a6ddefd1277a4cd9f266cccceaad9195afdbc1da47297ee9da21b36ca9c931c0a660f336997de6aa41dfb68bfba62c0c03bb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\XHVZR6DE.txt
Filesize
598B

MD5
14b5ce1221f82813830ca3c52c583360

SHA1
01de61c8d70815aa38874eea52b4bdc1735ab9d6

SHA256
6555ca509c50e7681aeed0f21dbcd2193ff789ade69d69e1051ea0a01bd76f04

SHA512
b89011d4feaf6222bcd9f0e73e6c211f8c3bdec9f536bb9ce02ed9d39924ccb81d6e8ae473ead87af6f036cc4fe5325b50a23338afcf407c2f52cc72cb25a5b1

Download Submit
\??\pipe\crashpad_392_NWYLBFCFSAZYEQPJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2872-71-0x0000000000000000-mapping.dmp

Download
memory/2944-72-0x0000000000000000-mapping.dmp

Download

pid	process
392	chrome.exe
392	chrome.exe
2792	chrome.exe
2888	chrome.exe
392	chrome.exe
392	chrome.exe