hxxps://www[.]google[.]com/url?q=hxxps://script[.]google[.]com/macros/s/AKfycbw1TZyZgyA--oSxHkkFgM0P3YdpACdYu90Q9l_fy3jH_9Ql-qU_OSpFS8BeTQ9agMCXLQ/exec&sa=D&source=docs&ust=1666793152733832&usg=AOvVaw1XgBjtf0jXC9SLz4DvgDmf

Analysis

max time kernel
300s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
26/10/2022, 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.google.com/url?q=https://script.google.com/macros/s/AKfycbw1TZyZgyA--oSxHkkFgM0P3YdpACdYu90Q9l_fy3jH_9Ql-qU_OSpFS8BeTQ9agMCXLQ/exec&sa=D&source=docs&ust=1666793152733832&usg=AOvVaw1XgBjtf0jXC9SLz4DvgDmf

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4960	1404	WerFault.exe	93

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373558641"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30992709"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7F1CCC64-5538-11ED-A0EE-E2272FE8D9C1} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30992709"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30992709"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d790600000000020000000000106600000001000020000000be0b724fe64ec9e0b66e4c3a386328f8dc5b76605db43d69f8a395710ab3efbe000000000e800000000200002000000010a8ad1a8184f49a6f51303ac1a4387354c6a1bc19c672c30c7e8fae207f1e9920000000f3654015d79e6b7dae72de209e2ef1ac11c65bf4d81f463baaabb05532952e5a4000000070c9ef9a993d8d27d33370e4f2c8626aced44d47c912ae404ef357d02146ab86f1d28cfb75341db2b02bb1fe548a7e0952d4af247b46b96d3c27d98f3cf14a9e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1403282813"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1403282813"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1412503679"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3069464445e9d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1312	chrome.exe
1312	chrome.exe
1980	chrome.exe
1980	chrome.exe
2216	chrome.exe
2216	chrome.exe
3872	chrome.exe
3872	chrome.exe
4232	chrome.exe
4232	chrome.exe
4508	chrome.exe
4508	chrome.exe
4652	chrome.exe
4652	chrome.exe
448	chrome.exe
448	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4964	iexplore.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4944	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4944	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4964	iexplore.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4964	iexplore.exe
4964	iexplore.exe
2308	IEXPLORE.EXE
2308	IEXPLORE.EXE
2308	IEXPLORE.EXE
2308	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 2308	4964	iexplore.exe	83
PID 4964 wrote to memory of 2308	4964	iexplore.exe	83
PID 4964 wrote to memory of 2308	4964	iexplore.exe	83
PID 1980 wrote to memory of 340	1980	chrome.exe	101
PID 1980 wrote to memory of 340	1980	chrome.exe	101
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 3868	1980	chrome.exe	103
PID 1980 wrote to memory of 1312	1980	chrome.exe	104
PID 1980 wrote to memory of 1312	1980	chrome.exe	104
PID 1980 wrote to memory of 2972	1980	chrome.exe	105
PID 1980 wrote to memory of 2972	1980	chrome.exe	105
PID 1980 wrote to memory of 2972	1980	chrome.exe	105
PID 1980 wrote to memory of 2972	1980	chrome.exe	105
PID 1980 wrote to memory of 2972	1980	chrome.exe	105
PID 1980 wrote to memory of 2972	1980	chrome.exe	105
PID 1980 wrote to memory of 2972	1980	chrome.exe	105
PID 1980 wrote to memory of 2972	1980	chrome.exe	105
PID 1980 wrote to memory of 2972	1980	chrome.exe	105
PID 1980 wrote to memory of 2972	1980	chrome.exe	105
PID 1980 wrote to memory of 2972	1980	chrome.exe	105
PID 1980 wrote to memory of 2972	1980	chrome.exe	105
PID 1980 wrote to memory of 2972	1980	chrome.exe	105
PID 1980 wrote to memory of 2972	1980	chrome.exe	105
PID 1980 wrote to memory of 2972	1980	chrome.exe	105
PID 1980 wrote to memory of 2972	1980	chrome.exe	105
PID 1980 wrote to memory of 2972	1980	chrome.exe	105

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/url?q=https://script.google.com/macros/s/AKfycbw1TZyZgyA--oSxHkkFgM0P3YdpACdYu90Q9l_fy3jH_9Ql-qU_OSpFS8BeTQ9agMCXLQ/exec&sa=D&source=docs&ust=1666793152733832&usg=AOvVaw1XgBjtf0jXC9SLz4DvgDmf
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4964 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffab5344f50,0x7ffab5344f60,0x7ffab5344f70
  2⤵
  PID:340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1636,4939664665299259148,9544960972818525077,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1668 /prefetch:2
  2⤵
  PID:3868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1636,4939664665299259148,9544960972818525077,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1796 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1636,4939664665299259148,9544960972818525077,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2364 /prefetch:8
  2⤵
  PID:2972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,4939664665299259148,9544960972818525077,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2980 /prefetch:1
  2⤵
  PID:3784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,4939664665299259148,9544960972818525077,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,4939664665299259148,9544960972818525077,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
  2⤵
  PID:4312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,4939664665299259148,9544960972818525077,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4580 /prefetch:8
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,4939664665299259148,9544960972818525077,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4712 /prefetch:8
  2⤵
  PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,4939664665299259148,9544960972818525077,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4796 /prefetch:8
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,4939664665299259148,9544960972818525077,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,4939664665299259148,9544960972818525077,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4700 /prefetch:8
  2⤵
  PID:3808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,4939664665299259148,9544960972818525077,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5040 /prefetch:8
  2⤵
  PID:2000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,4939664665299259148,9544960972818525077,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,4939664665299259148,9544960972818525077,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  PID:4740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,4939664665299259148,9544960972818525077,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5276 /prefetch:8
  2⤵
  PID:3548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,4939664665299259148,9544960972818525077,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4512 /prefetch:1
  2⤵
  PID:3672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,4939664665299259148,9544960972818525077,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3532 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,4939664665299259148,9544960972818525077,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,4939664665299259148,9544960972818525077,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2796 /prefetch:1
  2⤵
  PID:3204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,4939664665299259148,9544960972818525077,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,4939664665299259148,9544960972818525077,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:1068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,4939664665299259148,9544960972818525077,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3404 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,4939664665299259148,9544960972818525077,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5444 /prefetch:8
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,4939664665299259148,9544960972818525077,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,4939664665299259148,9544960972818525077,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
  2⤵
  PID:1604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1636,4939664665299259148,9544960972818525077,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5196 /prefetch:8
  2⤵
  PID:1372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,4939664665299259148,9544960972818525077,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
  2⤵
  PID:1052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1636,4939664665299259148,9544960972818525077,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5348 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,4939664665299259148,9544960972818525077,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:2604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,4939664665299259148,9544960972818525077,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5660 /prefetch:8
  2⤵
  PID:1612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,4939664665299259148,9544960972818525077,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5652 /prefetch:8
  2⤵
  PID:3536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,4939664665299259148,9544960972818525077,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=920 /prefetch:8
  2⤵
  PID:3980

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3204

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 1404 -ip 1404
1⤵
PID:4232

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1404 -s 2244
1⤵
- Program crash
PID:4960

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f8 0x2c8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
d84bd16502f68cff1b6511813b0459f7

SHA1
0d59af380bc120977a7f261f958ce2e5e5adca41

SHA256
6f692d4aa2a1f3847515a43ada335a2ba73d81b7cedf27dc4a344e636b29da2b

SHA512
c4770785a4a9922fc08b9a861f458e6d4f8e488ccef3b32ad3351fc8705242a623007a3d500df0911553a3e97da6a90d7a0e32ed6c530d94cfb4192444105849

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_7987E17ED77D800093D5BF3096E78D98

Filesize
472B

MD5
3d56596917080475122c9bb51cc0c0b7

SHA1
d0294ac77866e801f6c94862b39bc00b9735d72f

SHA256
ae58a33a93b695e84e3cffd34c09c20ccb08f33b775f87dd849077d3fbdf36a7

SHA512
7cff95ce44d624454ba4a77e40fca79da0947a95855fe1fdad6d28e5e66ed4615d23d0fae327f90b7ea1bb300c093a6a84df93f69cfae18d5063fce0e270b625

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_7D7374C3BD488A38BC34DD9B008EDC62

Filesize
472B

MD5
130509513bc271340f20f1c556b2592a

SHA1
6fd8b0623344d4c06ecf4e0708eb51a37d79ed9d

SHA256
6a69bfbb5b21f5cfae366b21ab59426e78d51467926430c7bbf44d7f8ac704de

SHA512
483b65a5d8d1fb7a9b41dbc3e34d4bf802032a93207affd5df5bd19362f98cc5f6eb4f1076517eef9198d6287b3d1ae4b8e15564558b706e0f9bbc77e4b32d41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_F862C3EB33B6836476891A60FB9445B6

Filesize
472B

MD5
e4f7139b125683bac76c2b5638a1a643

SHA1
2f84ea7104d659754e5962f88f504a7189f6f914

SHA256
c9c550489201a92e8bbe162bca49d4aa6b21fa22b254a6a29502186423b3b579

SHA512
ece1aacccfa6deaa827cea395c017a7e2417b3a8a72c494280ba971de9b2f13adac9c3be909820f12653f547e39e047417c00cb510a75038e3aeea9b151c8ed6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
9ebd7a0345cc0e64adb3c109997a2c1a

SHA1
76ebba7d659452c2f3cd86b589dfd82fc73afddb

SHA256
43f974eae1ff849eb1ba9afc5c73ec9a5f1b32aa7c07c0f9124f9a320ac76ac5

SHA512
ebe08af1f17b7d31e388136734618c3a4f46433dca14bb95fa0cd8b7c80f543e09f42013d925bf7c872ab0ecd7d3b12a81f265bd6c486b189910722e052ed6fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_A49E2928C282F3D7B74BA1083F81B152

Filesize
472B

MD5
19132f29a8811a10f90eca2d81e5deb8

SHA1
3b9e0bbf9f40f46b57dad5567b008e58b5770565

SHA256
708aeab241760b108d60c1462b1979e59cf473242222e9270705ba70642b04f6

SHA512
1b4c85b059d748bc198da21c5cec7bd62cab71ea46943bd95d8e165b93ef06746466cbe3f3624d84a29ac78a4424b3ea1c06bec643d082a628f33d39e91c2181

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
f569e1d183b84e8078dc456192127536

SHA1
30c537463eed902925300dd07a87d820a713753f

SHA256
287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

SHA512
49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
4990f2fb7dcbb1b1a2fbe77f136813ba

SHA1
3c389207cf039b0d1bad24b0ddd6d600c8ff6b98

SHA256
53271927bc8a695f7c1c9b67e66ceb01a6e3bedfe011537ca4932f136d343dd0

SHA512
6d728799d82f4b138be7000039a40abccdad9a759e41c46c2579731bbe1fb98dddb16699822c96b767e24a76bd190538f4f8d03082b4bdbb8d58762426f5b69e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_7987E17ED77D800093D5BF3096E78D98

Filesize
406B

MD5
7834bb7aa8ae5d822f0003396e2a6d77

SHA1
b1354d4ea415dca1ea0fb8388f4e14e78de199fc

SHA256
30299acbeb37d5f40a30f17dc0b1ac23082eae20877544302791e4f7c164985d

SHA512
9ef2f9acd49a8d97cb21681e08d23ed6d0d5554634d2dbfbbdea4d126ddcc072b4698dbcd82c1d0535b7187e8e7e0cfab13fcc835e3a7e6fccec3c64357b4ee0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_7D7374C3BD488A38BC34DD9B008EDC62

Filesize
402B

MD5
9719deb7aba2d75090c86cf71d6a5c06

SHA1
742c159925dd543fc7f15a9c40874cec2b8602f8

SHA256
2340d770022cc25677356984de4a3c25730ad9c7938bc55c4e87ce2ed0cca1ed

SHA512
f9d956118f1f05a70c98f99d314339aecdd1099b6bdc89e1c0d980e136da8105e5d921789d436ee6f2fc3232c238e99dc747973c4368bffbe7805ebe74ad13ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_F862C3EB33B6836476891A60FB9445B6

Filesize
402B

MD5
cc0282b3de520204ce14500192ec137e

SHA1
2c0f4209acaa7029a901ccc3c2036a8fa9b4d1c7

SHA256
761d5c89797046ecef19882e6f9305fbf8cd4a15d014789abad1349fd168f75e

SHA512
f9eea94a3083b7b5dfcac23a014342071b84b0e860cd266195e4359a7476a066a4f675faa6e733d2fc9e449a571e1108e1f1ccbb1b9cdd4343514d055c478871

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
c6cbd7b5f42e0dfaa87c3cef0c96de9d

SHA1
54a4988c42fcf7b6b4258b329d09d2b525556f2c

SHA256
454c0c73a71320e16865787432027b82229c1ebc0579aa8a0960819762e63396

SHA512
12c1293ec41ad2f8c7bf2408437d05398ee24f33fc788169b3c2e6829fc52170c863d652278f9a3b00c548b76dae075e44585b7bc2b6d3f4a19ddbe81aa9d1bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_A49E2928C282F3D7B74BA1083F81B152

Filesize
402B

MD5
1fb2dbe23c27969e25f4259f2a853bf9

SHA1
7f52854a24b01977b2ca3da3960a746a121b2d6b

SHA256
48e411231c1042ce43141db570d240428576444081d44240fc053d2b9eb9bc23

SHA512
fc2c0700aa9ec9f3348a04b65a335a95f42b36c60d42695e26566b9ca4b37504f317b62a7353f4a7de683694d2c0151e3be397cb418980ebe02677ede46c2bf1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
ae22954ac95b779329ef6a0cf6286e65

SHA1
c9ed5d1b9cb27759897eb63d114f2130c4b41677

SHA256
f6b57462c99406d21f095116d837a3771bc1df598d06d1f80870ed3a876647c6

SHA512
5a23afa2daa736804c3356475c1255116406fe90e55b74ba3141788ee4c962122aac6f4cddeba6ae136e71cd0db6487ff0f2ca80a41f74da268ee7542752e239

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ckj4gk4\imagestore.dat

Filesize
5KB

MD5
39304797770022939abef149809b7b26

SHA1
66430d735f0cdab044ee835cec322cf52c4a62ff

SHA256
eeaa4b59a006660eb5aa967b3bd088030d53a0e8e2f25957d421f88bbde8a7c6

SHA512
d03cb28cea251234cbcbc01b8cb76ea102464098ffccc388f776846d907eab6a17f51562dee8445a0d901cf2dda0ba4b1fc4f0aa50ed7744b893f40ae3e48ac4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ckj4gk4\imagestore.dat

Filesize
7KB

MD5
f038772f16140b72cf0e27a65158b181

SHA1
18ac33eca6ebe8719170e36192e92e092f7e11cb

SHA256
b5ee9be0307cc2d736bf8d108c75f1a527036df2dc2201926a38c230c5d0bd1e

SHA512
1185d1b5e0581e9a26257f600ed60bcb204dfc901f6475069aa656b952624b2e2e00e56eb15d4166b394dd2e93ea982d01c4e0b6f8641b4d074721948f465105

Download Submit