Resubmissions
31-10-2022 22:53
221031-2t11wsdhf2 925-09-2022 04:01
220925-elhg9adbc8 1015-09-2022 10:54
220915-mzjapsgeej 9Analysis
-
max time kernel
442s -
max time network
446s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
-
submitted
25-09-2022 04:01
General
-
Target
20.zip
-
Size
10.4MB
-
MD5
e17ed9853440c53954269dc2d97b4ab1
-
SHA1
ed6f99c188726247614b2affc95da967087c9fef
-
SHA256
44a6389937c8a2dcbadfb5d04829a2c36fbcc27b37ddc9719847801222d0cce5
-
SHA512
5b02ca10db4617026a911507f9d4a61c167b6435f36135cbfaa572669d53e18d33566db8643feae65ef1315be9f2744dc4fdeb44ec044d8a1770e751dac42bf5
-
SSDEEP
196608:yK6qD/i+k2V4c6gC7CASBtm2q3h7/1nUG3NL6GDsIZCE3K1zEkuwCCjnUdy13sx3:yK6m/PHqCASYd7dnUG92GDs3E32LbY2S
Score
9/10
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Drops file in Program Files directory 7 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies registry class 64 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs
-
Suspicious use of AdjustPrivilegeToken 50 IoCs
-
Suspicious use of FindShellTrayWindow 56 IoCs
-
Suspicious use of SendNotifyMessage 51 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\20.zip1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe"C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe"1⤵
-
C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe"C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa8efb4f50,0x7ffa8efb4f60,0x7ffa8efb4f702⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1540 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1848 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2104 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2700 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2572 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4228 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4368 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4516 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4372 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5500 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5368 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5236 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4912 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5000 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5200 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5084 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5748 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4908 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5152 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5148 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4880 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5612 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5592 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5532 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2612 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5836 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3016 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2700 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5336 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5660 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5412 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4380 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5792 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4456 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=900 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5716 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2460 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2816 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5700 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3408 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4332 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4720 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3696 /prefetch:82⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2680 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4492 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5676 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4376 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4372 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4476 /prefetch:82⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1440 /prefetch:82⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4284 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,5196054407533434395,10085392457621269584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=880 /prefetch:82⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x3f81⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"1⤵
- Drops file in Program Files directory
-
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1828_1268027883\ChromeRecovery.exe"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1828_1268027883\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={3b99fdf6-84bc-4612-86b5-47fca67a8b42} --system2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1828_1268027883\ChromeRecovery.exeFilesize
253KB
MD549ac3c96d270702a27b4895e4ce1f42a
SHA155b90405f1e1b72143c64113e8bc65608dd3fd76
SHA25682aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f
SHA512b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3Filesize
141KB
MD5ea1c1ffd3ea54d1fb117bfdbb3569c60
SHA110958b0f690ae8f5240e1528b1ccffff28a33272
SHA2567c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d
SHA5126c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf
-
\??\pipe\crashpad_3292_ENIYMBEQCHDZMEAUMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/3992-286-0x0000000000000000-mapping.dmp
-
memory/4156-116-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-117-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-118-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-119-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-121-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-120-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-122-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-123-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-124-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-126-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-127-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-125-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-128-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-130-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-131-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-132-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-129-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-133-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-134-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-136-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-135-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-137-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-138-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-139-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-141-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-142-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-140-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-143-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-144-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-145-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-146-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-147-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-148-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-149-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-150-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-151-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-153-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-154-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-155-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-152-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-156-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-157-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-158-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-161-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-163-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-164-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-162-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-160-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4156-159-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4192-165-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4192-166-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4192-167-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4192-168-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4192-169-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4192-170-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4192-171-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4192-172-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4192-173-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4192-174-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4192-175-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4192-176-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4192-177-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4192-179-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4192-178-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB