hxxps://oneqanatclub[.]com/O4uYeU5lV6dN_0UrzBx4sNtDjheJnvEjQ8xUsiyyfa0/?clck=1580b126227a97924669dc06f0c24968&sid=17357599

Analysis

max time kernel
894s
max time network
897s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2022 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://oneqanatclub.com/O4uYeU5lV6dN_0UrzBx4sNtDjheJnvEjQ8xUsiyyfa0/?clck=1580b126227a97924669dc06f0c24968&sid=17357599

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ChromeRecovery.exe

pid process

6004 ChromeRecovery.exe

pid	process
6004	ChromeRecovery.exe

Drops file in Program Files directory 8 IoCs

Processes:

elevation_service.exeiexplore.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5844_1034361653\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5844_1034361653\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5844_1034361653\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5844_1034361653\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\Images\bing.ico	iexplore.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5844_1034361653\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5844_1034361653\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5844_1034361653\ChromeRecovery.exe	elevation_service.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 43 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\LinksExplorer	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3248802135"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\LinksExplorer\Width = "290"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30988575"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30988575"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30988575"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\LinksExplorer\LinksType = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f069d2c31fd9d801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3248802135"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b1421600000000020000000000106600000001000020000000054568db899cadf8f2cc8e916d4bb58da062baf5251249a78fa9f931a1d0618a000000000e8000000002000020000000d810e046d87dbdd5e916d6313f3fe972d80f8c18a511cef93474f8ef1b66af03200000007e1806a9982fa4ea22d5f97475de7216801a90ab75eb7512e129c942107ae911400000008bc78546607eead410a5ec50120722f3ca24d56e57a7a3b2740727cf8775da5ee7c85828ad99b8567dec95c11c4eb7f38cdd37e5fecd5e67d3936ff12427b365	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90f7bdc31fd9d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{ED09CA5B-4512-11ED-B696-D2A4FF929712} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3267085381"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b1421600000000020000000000106600000001000020000000b80dd2d8b11f98dc1245fac441c4d288edef8063089d3271794134c113821354000000000e8000000002000020000000df494816ed6136a082d2ddfe4b4933f9d60fc1337a76612fc53462bf51eadc12200000005b986c63735ad502835c39beb3d95f4b84c810d4f78154bfbf30c561e4a4d9cd40000000d068989f352ecba393a27942721fdb3807965e59ef769d3444542a06b62365d10ac3f1720790b9140d32551a357770c07cda4ec0e98a43530811ad75c4e9257c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371783287"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	firefox.exe

NTFS ADS 2 IoCs

Processes:

firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\File.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\AppData\Local\Temp\File.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
4924	chrome.exe
4924	chrome.exe
5104	chrome.exe
5104	chrome.exe
5572	chrome.exe
5572	chrome.exe
5684	chrome.exe
5684	chrome.exe
6068	chrome.exe
6068	chrome.exe
6128	chrome.exe
6128	chrome.exe
5212	chrome.exe
5212	chrome.exe
5592	chrome.exe
5592	chrome.exe
916	chrome.exe
916	chrome.exe
5564	chrome.exe
5564	chrome.exe
5564	chrome.exe
5564	chrome.exe
5904	chrome.exe
5904	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

Processes:

chrome.exe

pid	process
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

firefox.exe

description	pid	process
Token: SeDebugPrivilege	1604	firefox.exe
Token: SeDebugPrivilege	1604	firefox.exe
Token: SeDebugPrivilege	1604	firefox.exe
Token: SeDebugPrivilege	1604	firefox.exe
Token: SeDebugPrivilege	1604	firefox.exe
Token: SeDebugPrivilege	1604	firefox.exe
Token: SeDebugPrivilege	1604	firefox.exe
Token: SeDebugPrivilege	1604	firefox.exe
Token: SeDebugPrivilege	1604	firefox.exe
Token: SeDebugPrivilege	1604	firefox.exe
Token: SeDebugPrivilege	1604	firefox.exe
Token: SeDebugPrivilege	1604	firefox.exe
Token: SeDebugPrivilege	1604	firefox.exe
Token: SeDebugPrivilege	1604	firefox.exe

Suspicious use of FindShellTrayWindow 57 IoCs

Processes:

iexplore.exechrome.exefirefox.exe

pid	process
4996	iexplore.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe

Suspicious use of SendNotifyMessage 43 IoCs

Processes:

chrome.exefirefox.exe

pid	process
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe

Suspicious use of SetWindowsHookEx 27 IoCs

Processes:

iexplore.exeIEXPLORE.EXEfirefox.exe

pid	process
4996	iexplore.exe
4996	iexplore.exe
920	IEXPLORE.EXE
920	IEXPLORE.EXE
4996	iexplore.exe
920	IEXPLORE.EXE
920	IEXPLORE.EXE
4996	iexplore.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe
1604	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exechrome.exe

description	pid	process	target process
PID 4996 wrote to memory of 920	4996	iexplore.exe	IEXPLORE.EXE
PID 4996 wrote to memory of 920	4996	iexplore.exe	IEXPLORE.EXE
PID 4996 wrote to memory of 920	4996	iexplore.exe	IEXPLORE.EXE
PID 5104 wrote to memory of 1928	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 1928	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 5100	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 4924	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 4924	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 1440	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 1440	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 1440	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 1440	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 1440	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 1440	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 1440	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 1440	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 1440	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 1440	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 1440	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 1440	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 1440	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 1440	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 1440	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 1440	5104	chrome.exe	chrome.exe
PID 5104 wrote to memory of 1440	5104	chrome.exe	chrome.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://oneqanatclub.com/O4uYeU5lV6dN_0UrzBx4sNtDjheJnvEjQ8xUsiyyfa0/?clck=1580b126227a97924669dc06f0c24968&sid=17357599
1⤵
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4996

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4996 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb12a74f50,0x7ffb12a74f60,0x7ffb12a74f70
2⤵
PID:1928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1692 /prefetch:2
2⤵
PID:5100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2008 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2324 /prefetch:8
2⤵
PID:1440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2956 /prefetch:1
2⤵
PID:4048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
2⤵
PID:3636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:1
2⤵
PID:5180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4540 /prefetch:8
2⤵
PID:5448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4656 /prefetch:8
2⤵
PID:5456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4800 /prefetch:8
2⤵
PID:5488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4648 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5276 /prefetch:8
2⤵
PID:5632

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
PID:5664

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x22c,0x230,0x234,0x208,0x238,0x7ff6f727a890,0x7ff6f727a8a0,0x7ff6f727a8b0
3⤵
PID:5764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4804 /prefetch:8
2⤵
PID:5700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5332 /prefetch:8
2⤵
PID:5784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4896 /prefetch:8
2⤵
PID:5844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
2⤵
PID:5876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
2⤵
PID:5936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1464 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:6068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5856 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:6128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
2⤵
PID:4168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1464 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
2⤵
PID:5308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
2⤵
PID:3952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2416 /prefetch:8
2⤵
PID:5452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
2⤵
PID:5472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
2⤵
PID:3224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3000 /prefetch:1
2⤵
PID:5580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4836 /prefetch:8
2⤵
PID:5804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1076 /prefetch:8
2⤵
PID:5824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1104 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3980 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
2⤵
PID:1212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
2⤵
PID:5724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3388 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
2⤵
PID:4200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3040 /prefetch:8
2⤵
PID:1128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1544 /prefetch:8
2⤵
PID:6108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
2⤵
PID:2648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
2⤵
PID:3428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
2⤵
PID:5496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=212 /prefetch:1
2⤵
PID:5388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
2⤵
PID:5472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1176 /prefetch:8
2⤵
PID:2912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
2⤵
PID:4088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
2⤵
PID:484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1612 /prefetch:1
2⤵
PID:1028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
2⤵
PID:4424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4548 /prefetch:8
2⤵
PID:3268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2332 /prefetch:1
2⤵
PID:2644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
2⤵
PID:3532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,7707512815056449978,16552350362303672031,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4704 /prefetch:8
2⤵
PID:2012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3568

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:5844

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5844_1034361653\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5844_1034361653\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={2713665a-2481-4535-aab1-a764284717d4} --system
2⤵
- Executes dropped EXE
PID:6004

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3776

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1604

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1604.0.1588341405\1786907642" -parentBuildID 20200403170909 -prefsHandle 1708 -prefMapHandle 1700 -prefsLen 1 -prefMapSize 220117 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1604 "\\.\pipe\gecko-crash-server-pipe.1604" 1792 gpu
3⤵
PID:5784

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1604.3.2050379168\1613706530" -childID 1 -isForBrowser -prefsHandle 2276 -prefMapHandle 2452 -prefsLen 112 -prefMapSize 220117 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1604 "\\.\pipe\gecko-crash-server-pipe.1604" 2472 tab
3⤵
PID:5272

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1604.13.1341224854\757399458" -childID 2 -isForBrowser -prefsHandle 3704 -prefMapHandle 3700 -prefsLen 6894 -prefMapSize 220117 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1604 "\\.\pipe\gecko-crash-server-pipe.1604" 3716 tab
3⤵
PID:5672

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1604.20.384211703\230213343" -childID 3 -isForBrowser -prefsHandle 5832 -prefMapHandle 5824 -prefsLen 10271 -prefMapSize 220117 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1604 "\\.\pipe\gecko-crash-server-pipe.1604" 2528 tab
3⤵
PID:4036

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4468

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5844_1034361653\ChromeRecovery.exe
Filesize
253KB

MD5
49ac3c96d270702a27b4895e4ce1f42a

SHA1
55b90405f1e1b72143c64113e8bc65608dd3fd76

SHA256
82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f

SHA512
b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1495DD322A24490E2BF2FAABAE1C61
Filesize
300B

MD5
bf034518c3427206cc85465dc2e296e5

SHA1
ef3d8f548ad3c26e08fa41f2a74e68707cfc3d3a

SHA256
e5da797df9533a2fcae7a6aa79f2b9872c8f227dd1c901c91014c7a9fa82ff7e

SHA512
c307eaf605bd02e03f25b58fa38ff8e59f4fb5672ef6cb5270c8bdb004bca56e47450777bfb7662797ffb18ab409cde66df4536510bc5a435cc945e662bddb78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
Filesize
1KB

MD5
6a9c9aaad47a858879a5655b175825c8

SHA1
abc975901328de8fb531ad26f83cb0623df4f04a

SHA256
556c28ae4e43812b99a48d14e20d647bc6af0f293429e3613c1abcfbd249c16f

SHA512
53b6eaa7a82b57f645ca912c971788f960be6895f8cbea7b4bad406fd2163d201b76e133fb096f87fd4be3bb178ef0d1039662f960070bd8965bb0f0fe84adfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
81c96dfdc78955baf5c089e53bc0c46a

SHA1
f648c51cd0d2d784d0e8d73c30d6474487162127

SHA256
397b12f65672c174b45d98e34e35a655b2ad506e7e180c7714abfac8acb30549

SHA512
1991d628ef5e1a0a457cea5ef46a29043ed08ae60727d340fe1a6a759bd09693a3b48b78c9c396afd336b2f7b115ee93c5f0dd1dfabcadb111d2928781e6c51d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D91FAD7AD7DE45FA94A812E7F6DAECE3
Filesize
346B

MD5
c3c18ebb8a80dabd3ebf0d1919b6bef4

SHA1
25a8584ed780b0f6dc849794809e4b23b5091924

SHA256
50c6171aaf2addd7582ed5f2af88bfd42b7a3c6a6f76e9df2ee3ce764e0e7472

SHA512
7426b4f9a20de2df81c9edf534d27d76a8ea7223ee4dac953bb4e4a04bd915790cc4b7f0df41fd704279417aa7bc6dd7bb9c104f51bcfeb995ae1d99010cdff9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
0f928e2c1fda2dd38f59f4890516e9d0

SHA1
46e6bc971a92fe69cb66255306be07411d08da3c

SHA256
06b05da2b5d5c98f7f338ec17bfcc2866996c10ec6d549442b77534b0ce84f73

SHA512
98c89d7a004dacd5444a4624589a1b39c4b9cd21a4e667411d55c04e19f201d2578736b9ed987c282138ca648b33112f70eb3cd35ed124700e5a7f6afbd5456b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61
Filesize
192B

MD5
7b431fa3d5685408495482f926ba818a

SHA1
c568619b8160fed4e6d5cbf1b9fc6fd0c6a31008

SHA256
982936949e326ded8eb3795b8c360b2625de1d2a3e6e6729730840f533bde88b

SHA512
bacac901e4714fb566615b4232566e82ac5a29b9f064aea12b30a4167f5956ed00a0566a60e814640d2ad98b7a09e47e569a911b4198cc047324c62e7a62205c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
Filesize
416B

MD5
21348cc81a9e27619e16ba00bcbfe1ed

SHA1
532a35b4f021ae411095af25c42ef92904ee1777

SHA256
4c28312d8951a37d36f322c1895af6a385538cd93f3916a4f5573a94caf8a350

SHA512
ed0f4cafb1893750eb72542ec9eff08332fdb0a1432e362db81add6814b3ac4d57f3bc14f0e4695b7ac04b0f30044dcf64f8500ed0204444571269c99669d16b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
404B

MD5
3f1864801ac3673f5306d5b262eecd24

SHA1
4b8796b41860665724efba7b9c88859183d623ad

SHA256
4a4f0273e191ee7a445771eb8e24301f2f744be534d20b99ec1f17e092e9e259

SHA512
6420e089cb1a6c87d0247c0effd3cb78aa0ae8e9ea64bf9095b1d5b18aa11e06fa20399a3c1dda25e709eafb97ad1ef99aeb117cf2cb2750e2b4bccccfc8c674

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D91FAD7AD7DE45FA94A812E7F6DAECE3
Filesize
544B

MD5
0fe1e06e809460af43a5d736eeb1a02c

SHA1
a0f44ab2316e8c7c4cbe623fae83143f1f9a6dc3

SHA256
d2b5b4abcee7f5bb376b852db17bf0a3559be681b16f25c00005c54f31fc043f

SHA512
ed1f82ddb3ab08fa9a81d4dd1dbdf6c9410093a824634d1a6820aeb7d40124ed41323005990db75012f68077cadfdc74f260bdc2611537ef4019de8feca4edca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3
Filesize
141KB

MD5
ea1c1ffd3ea54d1fb117bfdbb3569c60

SHA1
10958b0f690ae8f5240e1528b1ccffff28a33272

SHA256
7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d

SHA512
6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_5104_COSZUSEDRRIAFGPA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5664-135-0x0000000000000000-mapping.dmp

Download
memory/5764-136-0x0000000000000000-mapping.dmp

Download
memory/6004-145-0x0000000000000000-mapping.dmp

Download