hxxp://www[.]royalgames[.]com/games/action-games/hoopdeloop-html5/index[.]html

General

Target

http://www.royalgames.com/games/action-games/hoopdeloop-html5/index.html

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5736 3680 WerFault.exe

pid	pid_target	process	target process
5736	3680	WerFault.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exeSearchApp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "174"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Modifies registry class 9 IoCs

Processes:

SearchApp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
4112	chrome.exe
4112	chrome.exe
2120	chrome.exe
2120	chrome.exe
1168	chrome.exe
1168	chrome.exe
4348	chrome.exe
4348	chrome.exe
5920	chrome.exe
5920	chrome.exe
4860	chrome.exe
4860	chrome.exe
5508	chrome.exe
5508	chrome.exe

Suspicious behavior: LoadsDriver 64 IoCs

Processes:

pid	process
4548
5952
5376
3844
1392
708
3280
4308
216
1072
4820
2012
3604
1944
1416
2156
2912
4228
3536
5828
6000
5140
1816
4344
5008
6100
956
5652
5664
5288
5428
3508
3568
3616
3620
4644
3804
3828
3840
3876
3888
3916
3520
3784
4044
4640
5448
4360
4932
5472
5932
5956
5964
5924
5920
5292
5500
5280
5424
4860
3504
1332
2116
5620

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

2120 chrome.exe
2120 chrome.exe
2120 chrome.exe
2120 chrome.exe
2120 chrome.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 1532 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 1532 AUDIODG.EXE

description	pid	process
Token: 33	1532	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1532	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exe

pid	process
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

SearchApp.exeLogonUI.exe

pid process

5584 SearchApp.exe
5656 LogonUI.exe

pid	process
5584	SearchApp.exe
5656	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2120 wrote to memory of 3180	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3180	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1108	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 4112	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 4112	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3484	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3484	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3484	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3484	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3484	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3484	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3484	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3484	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3484	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3484	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3484	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3484	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3484	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3484	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3484	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3484	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3484	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3484	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3484	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3484	2120	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" http://www.royalgames.com/games/action-games/hoopdeloop-html5/index.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff263d4f50,0x7fff263d4f60,0x7fff263d4f70
2⤵
PID:3180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1620,287326623187932760,11869639818553824886,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1656 /prefetch:2
2⤵
PID:1108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1620,287326623187932760,11869639818553824886,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1932 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1620,287326623187932760,11869639818553824886,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2292 /prefetch:8
2⤵
PID:3484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,287326623187932760,11869639818553824886,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2840 /prefetch:1
2⤵
PID:4808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,287326623187932760,11869639818553824886,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2844 /prefetch:1
2⤵
PID:448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,287326623187932760,11869639818553824886,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4368 /prefetch:8
2⤵
PID:4740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,287326623187932760,11869639818553824886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4560 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,287326623187932760,11869639818553824886,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4344 /prefetch:8
2⤵
PID:1056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,287326623187932760,11869639818553824886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4316 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,287326623187932760,11869639818553824886,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5020 /prefetch:8
2⤵
PID:1016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,287326623187932760,11869639818553824886,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4308 /prefetch:8
2⤵
PID:4504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,287326623187932760,11869639818553824886,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4944 /prefetch:8
2⤵
PID:3608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,287326623187932760,11869639818553824886,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4224 /prefetch:1
2⤵
PID:524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,287326623187932760,11869639818553824886,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4144 /prefetch:8
2⤵
PID:5880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,287326623187932760,11869639818553824886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3628 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,287326623187932760,11869639818553824886,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4548 /prefetch:8
2⤵
PID:5968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,287326623187932760,11869639818553824886,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2584 /prefetch:1
2⤵
PID:6008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,287326623187932760,11869639818553824886,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
2⤵
PID:6064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,287326623187932760,11869639818553824886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2616 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,287326623187932760,11869639818553824886,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2512 /prefetch:8
2⤵
PID:5424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,287326623187932760,11869639818553824886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4228 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:4356

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3d8 0x3d0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 3680 -ip 3680
1⤵
PID:5712

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3680 -s 1092
1⤵
- Program crash
PID:5736

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5584

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3984055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_2120_NAAACZUECVJFFHXJ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads