hxxps://docs[.]google[.]com/forms/d/e/1FAIpQLSdtb0jfjmvs81gs53-X2Ezc9WpIeKFxpNsDsodAC0RAHvoPyw/viewform

Resubmissions

15-08-2022 22:44

220815-2n9e3sggcm 1

15-08-2022 22:40

220815-2lxy9sbdg2 8

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
15-08-2022 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://docs.google.com/forms/d/e/1FAIpQLSdtb0jfjmvs81gs53-X2Ezc9WpIeKFxpNsDsodAC0RAHvoPyw/viewform

Score

8^/10

google phishing

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ChromeRecovery.exe

pid process

4876 ChromeRecovery.exe
Detected potential entity reuse from brand google.
phishing google

pid	process
4876	ChromeRecovery.exe

Drops file in Program Files directory 7 IoCs

Processes:

elevation_service.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2196_1569866801\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2196_1569866801\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2196_1569866801\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2196_1569866801\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2196_1569866801\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2196_1569866801\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2196_1569866801\ChromeRecoveryCRX.crx	elevation_service.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 43 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "32"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{17563BB0-1CFC-11ED-89AC-5ECC372795C7} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30978312"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a10000000000200000000001066000000010000200000004d355927fb4eab9442db754017ad0057ba42aeb0a2979c79c5453d18e56e8270000000000e8000000002000020000000fab15caf4d8238c8bf52ea29d4965d3531b010ef05e9349329c309777fb119ae20000000432119b83a309c50f7aaf3917316d3b28061f7b07e8ff27f53af9faa05df84e140000000628c78829790ff5d29fb9744832141704f26fadb5e698d6c890b0c9abb3e26df9e7517ea0b6bb8587de3d8f565bfa04099e09600862b401f58af8f40a445cf0f	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30978312"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "32"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a10000000000200000000001066000000010000200000007d1b2ccd22083708ce7184d9b29ee928467acc026b1753a76b8ebe13d76c0d60000000000e800000000200002000000014825196c2c206e7b9d97b2914b185ad951dae65d309a1da9c64e1db1f070e70200000004253baafb6a475f04ed246c6bc000cbec69de6e0982ed0ddba1408803bd0d7d140000000256a8683f50fa38014923ffc5fc3897e931a085de770e8d6de3b1fb3f3fa36a25beba1888681d3f1d9cb171a1a29f252fa2c0d1f90a26162d37d4caa5e3d0691	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\support.google.com\ = "32"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3965524037"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3965524037"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\support.google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\support.google.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30147fee08b1d801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e09c9bee08b1d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
3736	chrome.exe
3736	chrome.exe
4972	chrome.exe
4972	chrome.exe
1600	chrome.exe
1600	chrome.exe
1880	chrome.exe
1880	chrome.exe
4228	chrome.exe
4228	chrome.exe
5080	chrome.exe
5080	chrome.exe
2700	chrome.exe
2700	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

4972 chrome.exe
4972 chrome.exe
4972 chrome.exe
4972 chrome.exe
4972 chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

iexplore.exechrome.exe

pid	process
1748	iexplore.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

Processes:

chrome.exe

pid	process
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe

Suspicious use of SetWindowsHookEx 56 IoCs

Processes:

iexplore.exeIEXPLORE.EXEchrome.exe

pid	process
1748	iexplore.exe
1748	iexplore.exe
620	IEXPLORE.EXE
620	IEXPLORE.EXE
620	IEXPLORE.EXE
620	IEXPLORE.EXE
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exechrome.exe

description	pid	process	target process
PID 1748 wrote to memory of 620	1748	iexplore.exe	IEXPLORE.EXE
PID 1748 wrote to memory of 620	1748	iexplore.exe	IEXPLORE.EXE
PID 1748 wrote to memory of 620	1748	iexplore.exe	IEXPLORE.EXE
PID 4972 wrote to memory of 3460	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 3460	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 4348	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 3736	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 3736	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 3000	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 3000	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 3000	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 3000	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 3000	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 3000	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 3000	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 3000	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 3000	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 3000	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 3000	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 3000	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 3000	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 3000	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 3000	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 3000	4972	chrome.exe	chrome.exe
PID 4972 wrote to memory of 3000	4972	chrome.exe	chrome.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://docs.google.com/forms/d/e/1FAIpQLSdtb0jfjmvs81gs53-X2Ezc9WpIeKFxpNsDsodAC0RAHvoPyw/viewform
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1748

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1748 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbbdc54f50,0x7ffbbdc54f60,0x7ffbbdc54f70
2⤵
PID:3460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1632,14103765489416633060,9435547799106574394,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1680 /prefetch:2
2⤵
PID:4348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1632,14103765489416633060,9435547799106574394,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2016 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1632,14103765489416633060,9435547799106574394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2296 /prefetch:8
2⤵
PID:3000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,14103765489416633060,9435547799106574394,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2916 /prefetch:1
2⤵
PID:3888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,14103765489416633060,9435547799106574394,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2908 /prefetch:1
2⤵
PID:2160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,14103765489416633060,9435547799106574394,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1
2⤵
PID:3972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,14103765489416633060,9435547799106574394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4476 /prefetch:8
2⤵
PID:4952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,14103765489416633060,9435547799106574394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4644 /prefetch:8
2⤵
PID:4556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,14103765489416633060,9435547799106574394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4616 /prefetch:8
2⤵
PID:2676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,14103765489416633060,9435547799106574394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,14103765489416633060,9435547799106574394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5276 /prefetch:8
2⤵
PID:1076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,14103765489416633060,9435547799106574394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,14103765489416633060,9435547799106574394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4920 /prefetch:8
2⤵
PID:2512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,14103765489416633060,9435547799106574394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5400 /prefetch:8
2⤵
PID:2456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,14103765489416633060,9435547799106574394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4608 /prefetch:8
2⤵
PID:4560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,14103765489416633060,9435547799106574394,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
2⤵
PID:1032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,14103765489416633060,9435547799106574394,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4480 /prefetch:1
2⤵
PID:2536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,14103765489416633060,9435547799106574394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,14103765489416633060,9435547799106574394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4008 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,14103765489416633060,9435547799106574394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4008 /prefetch:8
2⤵
PID:1300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,14103765489416633060,9435547799106574394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,14103765489416633060,9435547799106574394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4552 /prefetch:8
2⤵
PID:4672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,14103765489416633060,9435547799106574394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5128 /prefetch:8
2⤵
PID:4456

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1928

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:2196

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2196_1569866801\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2196_1569866801\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={66b82a62-456e-418b-af54-e54dd4c5e8d8} --system
2⤵
- Executes dropped EXE
PID:4876

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2196_1569866801\ChromeRecovery.exe
Filesize
253KB

MD5
49ac3c96d270702a27b4895e4ce1f42a

SHA1
55b90405f1e1b72143c64113e8bc65608dd3fd76

SHA256
82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f

SHA512
b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
e1f51cf33c55c36c30f43554e8d0baa2

SHA1
1763903fed69f1bfcbe6e42e15c7b4d984b68997

SHA256
bb94562368fb674cb1ac1497f4e2cc5df98efebce60bf7694bbb1e87977a2c73

SHA512
730be2c213fb0bfa68cae35f2ee27c145f98a7b5abdf7a1aff67a843564a3b4fcad8325c3887334a61c73af5e11725b9bec6343432d4459d1873be70c60dc578

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
724B

MD5
5a11c6099b9e5808dfb08c5c9570c92f

SHA1
e5dc219641146d1839557973f348037fa589fd18

SHA256
91291a5edc4e10a225d3c23265d236ecc74473d9893be5bd07e202d95b3fb172

SHA512
c2435b6619464a14c65ab116ab83a6e0568bdf7abc5e5a5e19f3deaf56c70a46360965da8b60e1256e9c8656aef9751adb9e762731bb8dbab145f1c8224ac8f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_7A6811D4A6D8E5D9A83111D47C405249
Filesize
472B

MD5
5cc48869b4a464ad8241d4bd5b3c9346

SHA1
935fa1e475c5ac14700952e32349462486c9c70f

SHA256
7962de13da8c6e736ee6ec6dfffb60ad64bcbe25d328310e45c18a45efad3b17

SHA512
76b9b03f92c2b8d05e6a5641df0413f85be0602a4ad8d3b38f6e83a2d4c937cfa8ead615d09184b62b8d7184e41917fad63cf38418801a0c1609cc76b711c48e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_9E637ACEC78196ABC260D8CA87651CBC
Filesize
472B

MD5
41eef2832142ecb622017c10f68609d1

SHA1
d649a6b9659c75264c7eae2ca4a8e6bd517172f1

SHA256
e5c980c9196b97d355ef1fb7323166b573f5a564b4561ff0c58b8b05505f08e5

SHA512
fdd2ad71b7ff77f83010bf7da4ec476ee8e6b70167910606a8333d895e8c29c203d87fd998caed964ccb38d85c6110883af6e18c0e6ab00d159064a6d2d1ca83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_C3A6D4BBC6E13E71913C80950D4B2967
Filesize
472B

MD5
aaf8007e9518e53f5d5355d798dac9db

SHA1
80912cdd60b3ead627472eafef7d270d571d9a03

SHA256
0ecc80e226599754b2dbb10a93337f1cdf1065bb7906d5c59485bb47ec15c7d1

SHA512
e91e3ef6c811c56e75787574e4d78df12bd98fdee1a1c81ed8c60b7a19a804cc5a8cc33b086f279fe06d4393ecb9ceb255409a7a7d8edc21e5185c850b33908e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
91a3a197e9f37d70de36969826cffdf4

SHA1
f88ea956eed75138108658538e2a5515b2743d1a

SHA256
7638f7f8af2a144780e272b143dbfb82cbab6ca1c7f435faf3f1988b8721de61

SHA512
18c75dbc699abca6eb8e28983b3db21355df5963e4dff137dae289d40b3f75e35581481fbbb1e4ce8cb34bf7cb6552c0aa798721a873f7e758471fc344cecaf0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
392B

MD5
8a3ff24c9e024f3897fb7be25f44da47

SHA1
900e00c9e41e8dd052f933ef229f53f3240a7020

SHA256
d5acced0fdd1f36590c6dde6bff5d5e773715fd615fa2df151eff611aa448506

SHA512
6cd1ffadc4a935eaa76ee874aac366126b582a1a30c624b2f3487a25e97bf428a1b01a993eb7516a93b687aed0c507b376fdbc85028a6736ba9f72e93fdadd1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_7A6811D4A6D8E5D9A83111D47C405249
Filesize
402B

MD5
0ca46ad4231ac9841590f1be220fc1c8

SHA1
c04329da6d0b334f06c23eceea57219400594bfe

SHA256
32b554a8a394acfa10d5620bb520813a45e52254ab833ba3ad2a54bc7ab47cca

SHA512
3c26999b88f081e082a5b6938f7eaf8c4341d388de3c1f3b812f7f0aa27b31f60c27ac733c23b0c32e73eac4ea4016b1d8379811414e42a39879f81fc5a4d314

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_9E637ACEC78196ABC260D8CA87651CBC
Filesize
406B

MD5
2cead8971e78f6bc41c109efeec468ce

SHA1
d5f47f4eb36f38487c865ad73a8c03e3f291c034

SHA256
9ff008215ca746ed10e796bbb6765da94c97fe58e70494f2338e71f55d07022b

SHA512
30757c5c4b50bf46e718348568b0c906f758980c22099f78e35e4628d7edc732a5d24db1a8a9e48def3ef2926ea61495b5c048708cf189488ec660c71d8b12cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_C3A6D4BBC6E13E71913C80950D4B2967
Filesize
402B

MD5
4c084d8020e2a730801a346ada73803b

SHA1
21161bd3331e8843218c930b92d98659f86734c4

SHA256
a201faa7e404a9a2f00f377e010e2b8d3c41b37f4cb309fabbbe50385eaf573f

SHA512
394a00baf492e46919ac98b0c7fddf2684db439395d8ed6cbcb633de598baf7533201dcf9eadbceec07c7cab81370cfa1d0d69eb7de90f650a69b4619701a491

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3
Filesize
141KB

MD5
ea1c1ffd3ea54d1fb117bfdbb3569c60

SHA1
10958b0f690ae8f5240e1528b1ccffff28a33272

SHA256
7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d

SHA512
6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ru1r3yf\imagestore.dat
Filesize
5KB

MD5
08b95687c97d3e852b7b6a648132f0be

SHA1
a192374be34c7f166a3f85085a9e03a872354b30

SHA256
b4ffd58f0d14e6e36792ce0d0630737b82193d1d66241433ded5113647487bbc

SHA512
1a66c4bb3b1d7841ac18bed6d44357e2afb9f0da4a94ffe27586a0ff1839f86b3c2a8f1b7f44decebefe779ac21d57eff460de13bc5c56a9261036ea3a670a7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DU2BEY67\favicon[1].ico
Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
\??\pipe\crashpad_4972_GZWYFZENXRFAEMPZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4876-146-0x0000000000000000-mapping.dmp

Download