hxxp://192[.]3[.]136[.]186/pakins11[.]exe

General

Target

http://192.3.136.186/pakins11.exe

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60d87ece22ffd801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375962738"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3429264563"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998306"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d790600000000020000000000106600000001000020000000b96a7d84ee484b0b7297cf89ce2b59be61ca442c96741c13053b790d7b59c255000000000e80000000020000200000005b86173f8e48b475127aadd7ef17fbe61c8fcbe6ebeff3e9d4c8fbeb643a849520000000974cf2d180608bd62ab92a56808b4d6ab38816896abe138e29c6264a1e36d705400000000a0b73038c490d8e4a392b2adc51ce4ba5473a1365bb839625363335611b76dff56782f47fa1d866a49e3e7e8facbf89318e8d83fff91458a179a32d747b65f7	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F7C6033A-6B15-11ED-A0EE-C65219BF0A09} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3429264563"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998306"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3449732135"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998306"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 600fdece22ffd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d79060000000002000000000010660000000100002000000003e44f8c3601b6f45f1a5d77941c0fdaae7ee49ae07e58087090eb9eaeeea4d9000000000e80000000020000200000003d51147400bf8e434b9b414e122685c412d6530de7904d964e66dab294e7757120000000bc3ab5a80559bb0636b437db5421fe4ee1cc748f8c003ade3e0a53d074c04da54000000026f495ffa9346a0e85f8b23e5f35d7f9a3552dc503f808929050f59a4ddb6975e0954d30822f0c773a3f72f2d3b5f7ed702680db769be5bbef16267c79906df8	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exe

pid process

3984 chrome.exe
3984 chrome.exe
384 chrome.exe
384 chrome.exe
5272 chrome.exe
5272 chrome.exe
5436 chrome.exe
5436 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

4628 iexplore.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

384 chrome.exe
384 chrome.exe
384 chrome.exe
384 chrome.exe
384 chrome.exe

pid	process
3984	chrome.exe
3984	chrome.exe
384	chrome.exe
384	chrome.exe
5272	chrome.exe
5272	chrome.exe
5436	chrome.exe
5436	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

iexplore.exechrome.exe

pid	process
4628	iexplore.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe
384	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

4628 iexplore.exe
4628 iexplore.exe
3804 IEXPLORE.EXE
3804 IEXPLORE.EXE
3804 IEXPLORE.EXE
3804 IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exechrome.exe

description	pid	process	target process
PID 4628 wrote to memory of 3804	4628	iexplore.exe	IEXPLORE.EXE
PID 4628 wrote to memory of 3804	4628	iexplore.exe	IEXPLORE.EXE
PID 4628 wrote to memory of 3804	4628	iexplore.exe	IEXPLORE.EXE
PID 384 wrote to memory of 2740	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 2740	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 5024	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 3984	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 3984	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 3236	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 3236	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 3236	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 3236	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 3236	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 3236	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 3236	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 3236	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 3236	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 3236	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 3236	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 3236	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 3236	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 3236	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 3236	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 3236	384	chrome.exe	chrome.exe
PID 384 wrote to memory of 3236	384	chrome.exe	chrome.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://192.3.136.186/pakins11.exe
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4628

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4628 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffca8654f50,0x7ffca8654f60,0x7ffca8654f70
2⤵
PID:2740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1584,12826739062479264151,17404248577678071921,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1636 /prefetch:2
2⤵
PID:5024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1584,12826739062479264151,17404248577678071921,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1860 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1584,12826739062479264151,17404248577678071921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 /prefetch:8
2⤵
PID:3236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,12826739062479264151,17404248577678071921,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2944 /prefetch:1
2⤵
PID:4240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,12826739062479264151,17404248577678071921,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:1
2⤵
PID:3756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,12826739062479264151,17404248577678071921,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1
2⤵
PID:5152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,12826739062479264151,17404248577678071921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4484 /prefetch:8
2⤵
PID:5228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1584,12826739062479264151,17404248577678071921,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4480 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,12826739062479264151,17404248577678071921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4576 /prefetch:8
2⤵
PID:5324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,12826739062479264151,17404248577678071921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4452 /prefetch:8
2⤵
PID:5332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,12826739062479264151,17404248577678071921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5136 /prefetch:8
2⤵
PID:5404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1584,12826739062479264151,17404248577678071921,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,12826739062479264151,17404248577678071921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5192 /prefetch:8
2⤵
PID:5452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,12826739062479264151,17404248577678071921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5272 /prefetch:8
2⤵
PID:5512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,12826739062479264151,17404248577678071921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5072 /prefetch:8
2⤵
PID:5544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,12826739062479264151,17404248577678071921,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
2⤵
PID:5584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,12826739062479264151,17404248577678071921,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
2⤵
PID:5728

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
e32d02ce684c01ef3af05fae9066160e

SHA1
29c7a6e8ed553ac2765634265d1db041d6d422ec

SHA256
b00322d178a6cfc206458c26b26d6c80596073bb3283dcc3fc4e33a4b5f29d71

SHA512
e4e3175fb131095e4681ecb76d14dc74d059c0beafb6340965516c6d3d0538deb314b36a3f09df03b491edac84d5c0580e764fed1d8bca9abd4e65cb56167148

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
aa6bbccfaa47dd4a0795c7c55b8bd7f5

SHA1
ab56fbd4eb872e9c2f6126652baeb342705fb83f

SHA256
1a8967f8f9272009c7f468c4c3bff39226ba013f189c5bf32a6a7c96fba4f3cb

SHA512
0ca450b3d42dac621e8825c7ed7664e6bbd23ce7567f77bae2fb29a2f9132ae531830e5b887ee27f6d3cf31c5a1c415c9b5252a7a45149df158ad20eba3545b3

Download Submit
\??\pipe\crashpad_384_IBOAYFYDRVHSIEKE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads