hxxp://www[.]onet[.]pl

Analysis

max time kernel
116s
max time network
123s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
14/09/2022, 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.onet.pl

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0feec742ac8d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "369918706"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a000000000200000000001066000000010000200000007f9ac4a41c664935c7289fe5ee41d73bf796d2af10647dd5644a6bed6d9125d5000000000e8000000002000020000000c16e9b236f0d2c9d10b424d079ea8626fe45a995fc85fd038b80785c164a1adf900000005c59aaa728e5a60169149ff76de944387527c85fb6e7be93d23348a7fc1712a63ae2ef029813469ef5f3db48fe8c39e1cf0ba8ef43024dff759af5162492424ca407072921cf894950e55c2b99336c9c16933c9cb439faa95c3f28a18c2937072dd9b1025e2e75f5edd0f23057e9e2f9eb038d96989ac55e1419be569a8262b8b28e482b281d2f7ebbaff8ae82643f5e40000000a7588676970e81291752c5fbed0583a79eb2ba2f2e8f916c618a273d68a43b7e2ff1e27be258bc7217cc9ade074b3d77fabdc948ae23e345e689c0343b12cf6a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9CC0CB51-341D-11ED-9FD0-D6EA6736E294} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a000000000200000000001066000000010000200000000d50e5e762e0402117bb539dd10a49707586349023621b8973e5b354c349d462000000000e8000000002000020000000324402bd316a90977720bf2688df3c9dd6e92b965235d3e2a55568813dbfcf2620000000591b782b95b8b7ed01d2adb5fac6d119aeb27c09afe6d5d7230c31108a6bf2e1400000006f53685b27ea2b050ee3dd30f8c7f8919d4a2692a2b623919946cc55e4587b1089f4c93fb14c736ec979deaba731af36cbe7d71d840f816eaf9c6ce56ed042a1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1532	chrome.exe
1708	chrome.exe
1708	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1200	iexplore.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1200	iexplore.exe
1200	iexplore.exe
1020	IEXPLORE.EXE
1020	IEXPLORE.EXE
1020	IEXPLORE.EXE
1020	IEXPLORE.EXE
1200	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 1020	1200	iexplore.exe	28
PID 1200 wrote to memory of 1020	1200	iexplore.exe	28
PID 1200 wrote to memory of 1020	1200	iexplore.exe	28
PID 1200 wrote to memory of 1020	1200	iexplore.exe	28
PID 1632 wrote to memory of 1672	1632	chrome.exe	31
PID 1632 wrote to memory of 1672	1632	chrome.exe	31
PID 1632 wrote to memory of 1672	1632	chrome.exe	31
PID 1708 wrote to memory of 1888	1708	chrome.exe	33
PID 1708 wrote to memory of 1888	1708	chrome.exe	33
PID 1708 wrote to memory of 1888	1708	chrome.exe	33
PID 1632 wrote to memory of 988	1632	chrome.exe	34
PID 1632 wrote to memory of 988	1632	chrome.exe	34
PID 1632 wrote to memory of 988	1632	chrome.exe	34
PID 1632 wrote to memory of 988	1632	chrome.exe	34
PID 1632 wrote to memory of 988	1632	chrome.exe	34
PID 1632 wrote to memory of 988	1632	chrome.exe	34
PID 1632 wrote to memory of 988	1632	chrome.exe	34
PID 1632 wrote to memory of 988	1632	chrome.exe	34
PID 1632 wrote to memory of 988	1632	chrome.exe	34
PID 1632 wrote to memory of 988	1632	chrome.exe	34
PID 1632 wrote to memory of 988	1632	chrome.exe	34
PID 1632 wrote to memory of 988	1632	chrome.exe	34
PID 1632 wrote to memory of 988	1632	chrome.exe	34
PID 1632 wrote to memory of 988	1632	chrome.exe	34
PID 1632 wrote to memory of 988	1632	chrome.exe	34
PID 1632 wrote to memory of 988	1632	chrome.exe	34
PID 1632 wrote to memory of 988	1632	chrome.exe	34
PID 1632 wrote to memory of 988	1632	chrome.exe	34
PID 1632 wrote to memory of 988	1632	chrome.exe	34
PID 1632 wrote to memory of 988	1632	chrome.exe	34
PID 1632 wrote to memory of 988	1632	chrome.exe	34
PID 1632 wrote to memory of 988	1632	chrome.exe	34
PID 1632 wrote to memory of 988	1632	chrome.exe	34
PID 1632 wrote to memory of 988	1632	chrome.exe	34
PID 1632 wrote to memory of 988	1632	chrome.exe	34
PID 1632 wrote to memory of 988	1632	chrome.exe	34
PID 1632 wrote to memory of 988	1632	chrome.exe	34
PID 1632 wrote to memory of 988	1632	chrome.exe	34
PID 1632 wrote to memory of 988	1632	chrome.exe	34
PID 1632 wrote to memory of 988	1632	chrome.exe	34
PID 1632 wrote to memory of 988	1632	chrome.exe	34
PID 1632 wrote to memory of 988	1632	chrome.exe	34
PID 1632 wrote to memory of 988	1632	chrome.exe	34
PID 1632 wrote to memory of 988	1632	chrome.exe	34
PID 1632 wrote to memory of 988	1632	chrome.exe	34
PID 1632 wrote to memory of 988	1632	chrome.exe	34
PID 1632 wrote to memory of 988	1632	chrome.exe	34
PID 1632 wrote to memory of 988	1632	chrome.exe	34
PID 1708 wrote to memory of 524	1708	chrome.exe	35
PID 1708 wrote to memory of 524	1708	chrome.exe	35
PID 1708 wrote to memory of 524	1708	chrome.exe	35
PID 1708 wrote to memory of 524	1708	chrome.exe	35
PID 1708 wrote to memory of 524	1708	chrome.exe	35
PID 1708 wrote to memory of 524	1708	chrome.exe	35
PID 1708 wrote to memory of 524	1708	chrome.exe	35
PID 1708 wrote to memory of 524	1708	chrome.exe	35
PID 1708 wrote to memory of 524	1708	chrome.exe	35
PID 1708 wrote to memory of 524	1708	chrome.exe	35
PID 1708 wrote to memory of 524	1708	chrome.exe	35
PID 1708 wrote to memory of 524	1708	chrome.exe	35
PID 1708 wrote to memory of 524	1708	chrome.exe	35
PID 1708 wrote to memory of 524	1708	chrome.exe	35
PID 1708 wrote to memory of 524	1708	chrome.exe	35
PID 1708 wrote to memory of 524	1708	chrome.exe	35

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.onet.pl
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1200 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6c14f50,0x7fef6c14f60,0x7fef6c14f70
  2⤵
  PID:1672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=964,1282260598126496792,358700718164617722,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1120 /prefetch:2
  2⤵
  PID:988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=964,1282260598126496792,358700718164617722,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1224 /prefetch:8
  2⤵
  PID:544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6c14f50,0x7fef6c14f60,0x7fef6c14f70
  2⤵
  PID:1888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1104,139357749144890284,6743695764917545832,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1136 /prefetch:2
  2⤵
  PID:524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1104,139357749144890284,6743695764917545832,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1204 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1104,139357749144890284,6743695764917545832,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1908 /prefetch:8
  2⤵
  PID:1568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1104,139357749144890284,6743695764917545832,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2060 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1104,139357749144890284,6743695764917545832,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2072 /prefetch:1
  2⤵
  PID:2092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1104,139357749144890284,6743695764917545832,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2976 /prefetch:8
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1104,139357749144890284,6743695764917545832,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3316 /prefetch:2
  2⤵
  PID:2380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1104,139357749144890284,6743695764917545832,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1104,139357749144890284,6743695764917545832,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3624 /prefetch:8
  2⤵
  PID:2492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1104,139357749144890284,6743695764917545832,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3500 /prefetch:8
  2⤵
  PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1104,139357749144890284,6743695764917545832,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=544 /prefetch:8
  2⤵
  PID:2672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
fc80069047253d14d66fd16a255ad052

SHA1
8d3e6dce271e7ba912de2210f45a660471545c18

SHA256
38a76ddc389cf166479defcfd4317d44780584376d13350aaab69a6b5e96c693

SHA512
4e64e4d6d9c0a457ea95de1bbb204ec91d35e9bf1f3c027c954c575ed9be2e0cbdeea633f8f3eec8c235c27c9f99ed5aa502058037ce569279fc5de46900f93e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
fc80069047253d14d66fd16a255ad052

SHA1
8d3e6dce271e7ba912de2210f45a660471545c18

SHA256
38a76ddc389cf166479defcfd4317d44780584376d13350aaab69a6b5e96c693

SHA512
4e64e4d6d9c0a457ea95de1bbb204ec91d35e9bf1f3c027c954c575ed9be2e0cbdeea633f8f3eec8c235c27c9f99ed5aa502058037ce569279fc5de46900f93e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
fc80069047253d14d66fd16a255ad052

SHA1
8d3e6dce271e7ba912de2210f45a660471545c18

SHA256
38a76ddc389cf166479defcfd4317d44780584376d13350aaab69a6b5e96c693

SHA512
4e64e4d6d9c0a457ea95de1bbb204ec91d35e9bf1f3c027c954c575ed9be2e0cbdeea633f8f3eec8c235c27c9f99ed5aa502058037ce569279fc5de46900f93e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
90KB

MD5
28a91b76b0219af4831d3bd029d0708c

SHA1
a28c76eba58095e08ccafe720a52cfa34597fe05

SHA256
0cae5d7bc36590ab5600242aa99b2551c5b5d3fd44299fcd8350a1ac06d76aa4

SHA512
fea50147a9b1ae5c0d1ca2099414521f77d58e9aec90349dcd7aecfb0656fc68e6ca513f0cb3d34dc56771d0f196569730cf01b2f596a4e08e6c10c0fbebbd3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Q6X0BSRL.txt

Filesize
603B

MD5
2e9d7680164905556d1adcac23f1a4b7

SHA1
287534e565628c8d68d92129546e3638e7e8f7e0

SHA256
6ea7d6935e50581c9417d89744a816aebfc09bcbd1accd8ba1d400a209543770

SHA512
fef7c814782d1d4a5d078da50233838d1eb3930b8fb313add801c68ec787963acea646abab902482a829e02ef349408837b84e460881ec4f716409629e0a64db

Download Submit