hxxps://befam[.]life/

Analysis

max time kernel
113s
max time network
117s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://befam.life/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 44 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TypedURLs\url4 = "https://signin.ebay.com/ws/ebayisapi.dll"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TypedURLs\url5 = "https://login.live.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "https://befam.life/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TypedURLsTime	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url1 = b04d4019ca03d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url6 = 0000000000000000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TypedURLs\url3 = "https://login.aliexpress.com/"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TypedURLs\url6 = "https://twitter.com/"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TypedURLs\url2 = "https://www.facebook.com/"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url5 = 0000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{45F77221-6FBD-11ED-AE24-CE372EDB0509} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376474399"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url2 = 0000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TypedURLs	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url3 = 0000000000000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url4 = 0000000000000000	iexplore.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1468	chrome.exe
1952	chrome.exe
1952	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
2028	iexplore.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2028	iexplore.exe
2028	iexplore.exe
1712	IEXPLORE.EXE
1712	IEXPLORE.EXE
1712	IEXPLORE.EXE
1712	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1712	2028	iexplore.exe	28
PID 2028 wrote to memory of 1712	2028	iexplore.exe	28
PID 2028 wrote to memory of 1712	2028	iexplore.exe	28
PID 2028 wrote to memory of 1712	2028	iexplore.exe	28
PID 1952 wrote to memory of 1096	1952	chrome.exe	31
PID 1952 wrote to memory of 1096	1952	chrome.exe	31
PID 1952 wrote to memory of 1096	1952	chrome.exe	31
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1820	1952	chrome.exe	32
PID 1952 wrote to memory of 1468	1952	chrome.exe	33
PID 1952 wrote to memory of 1468	1952	chrome.exe	33
PID 1952 wrote to memory of 1468	1952	chrome.exe	33
PID 1952 wrote to memory of 1620	1952	chrome.exe	34
PID 1952 wrote to memory of 1620	1952	chrome.exe	34
PID 1952 wrote to memory of 1620	1952	chrome.exe	34
PID 1952 wrote to memory of 1620	1952	chrome.exe	34
PID 1952 wrote to memory of 1620	1952	chrome.exe	34
PID 1952 wrote to memory of 1620	1952	chrome.exe	34
PID 1952 wrote to memory of 1620	1952	chrome.exe	34
PID 1952 wrote to memory of 1620	1952	chrome.exe	34
PID 1952 wrote to memory of 1620	1952	chrome.exe	34
PID 1952 wrote to memory of 1620	1952	chrome.exe	34
PID 1952 wrote to memory of 1620	1952	chrome.exe	34
PID 1952 wrote to memory of 1620	1952	chrome.exe	34
PID 1952 wrote to memory of 1620	1952	chrome.exe	34

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://befam.life/
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6504f50,0x7fef6504f60,0x7fef6504f70
  2⤵
  PID:1096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1104,17310568218205180465,4791097618786175940,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1116 /prefetch:2
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1104,17310568218205180465,4791097618786175940,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1316 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1104,17310568218205180465,4791097618786175940,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1808 /prefetch:8
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1104,17310568218205180465,4791097618786175940,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1996 /prefetch:1
  2⤵
  PID:1816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1104,17310568218205180465,4791097618786175940,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2044 /prefetch:1
  2⤵
  PID:980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1104,17310568218205180465,4791097618786175940,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
  2⤵
  PID:584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1104,17310568218205180465,4791097618786175940,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3280 /prefetch:2
  2⤵
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1104,17310568218205180465,4791097618786175940,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:2256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1104,17310568218205180465,4791097618786175940,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3680 /prefetch:8
  2⤵
  PID:2324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1104,17310568218205180465,4791097618786175940,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3624 /prefetch:8
  2⤵
  PID:2332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1104,17310568218205180465,4791097618786175940,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3852 /prefetch:1
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1104,17310568218205180465,4791097618786175940,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=544 /prefetch:8
  2⤵
  PID:2604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B031BDBA024F1997D1AF00598A8067BF

Filesize
503B

MD5
3c493d30d3381473ed7bdf4bcbcd5f6f

SHA1
7ecbd6abcd1eb238910ecaa6e40fdc70f77afe99

SHA256
7611e687703a39a91c45a11db12d2367fe216e3c266aaef5680d042366b11cb8

SHA512
23480918bf0d445b0b5bc3d254d1175f6b915c4e1e29d27017a1689897f86a6351a52874c54a5b3cfc99855eb1f0c440a47a582c58d4f103f33e10923a14de61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
620e58a97d23d18726a33d7b19a1bb32

SHA1
ea561a7bd1ca23b08435246eee1b4cf59f0695ea

SHA256
609bbf25733c25af677b76bb261eb59e427c78e46f5e45c51e5e1c46916bf387

SHA512
7fff769aabe37aca2918fa2f8278c88fd4db2e1d753459ab13965e2a028a35aec5c34f006afa0cb1cc0c48c83c9f7bf3ba484fd602d3ffad1ac7e1aa4274088a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
89a3d8db92391e7a06f83ea1f2747f93

SHA1
f0fe562242fc6b8ea89d45280217db221e4ec50e

SHA256
57d065edc1951b2c8e2bfccf8fd73af998b301c0944d115f0e1e4e875c875a74

SHA512
b3685db3b4347ef41dc0f204c9dc9a59b45f7d90e84037d71f269fd70725904e53abd417cdf11de4205da54ef81cc7a8415e233a5fcfa95b4d3a1d6464f854c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56701efb1ac1d59c388ec06a9df3b57e

SHA1
033922c167b3dcff50c49348d1ec87cc3e5c34ef

SHA256
7e92852a6f5cfd133e583dce0db466d828d0bd41535af6a1ba0adda0d75b195d

SHA512
54d411acf31a7ff6eab6b186e0bf90ed221119777a9d4b850230bf915e9e9e34648101caff9a4095035dd76a51e921aa15e70b0e00134642505915fa1b30b870

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B031BDBA024F1997D1AF00598A8067BF

Filesize
552B

MD5
fd53010d3680770e5d81c145990d8dba

SHA1
0b6d42f2b6f1c96479f54c82dfda6c4bceb2f3f5

SHA256
52a4ffcdf461081fb2ca76716b6a3e276b16acbdc18cbb26d283330dbab766fb

SHA512
9dc3cf71ee8e03a307b11054274c3c55e0119f6127a2b7e80ab7fb699b42cec2a5079e1f267aa518d00b5161243456725316867e5d520d9b1f578ac2e03dfafb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
98627a12b0fe8498aadc3631b74b4722

SHA1
66fbb7f3b9ff6c74eaac30063db90a97a5f6cd15

SHA256
51759bfcc2f6a22caaed5f3ab0bd4a34ec8c55fe230f15e35182e9a176e7eaed

SHA512
35299762aa970ddf8ba3ae32019dc14b3fad7a545523dd89e53a68d2b400203ab48b777b1d68469319482832257533e2f008a8dc490e6547c7fc5f1cea7f4a51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat

Filesize
4KB

MD5
f01ea0939a288df4419c56a2761dff4e

SHA1
790f9e8a54878b87b95bd61d2a954b81c0d9b0db

SHA256
6a736c2160b39f401ce2efc828eeb6a4d49b2718341b2ce9a2273a20bc3ab516

SHA512
31b1b07edcbba363da76c527e493e5944eff69a744bfea4850fa2ba98a9d4d2bb84d032adae8a956fa2be505c884e01123549f17f6c2746fa0ecbf69efab1893

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\RU2U7S5Q.txt

Filesize
603B

MD5
29086e7dcad435fd3e54a6fab91f76d9

SHA1
41be6b3da9fe4b6051c5bb35951fc1960c9a7793

SHA256
67a110e8741b7be30187245103312b168f8dbfd48ca8ea2624925f71c2c1fa35

SHA512
888b8ae93b7729d64de6e7572e596a962f466ae781a0b66501dc0140dc0841303bb4d82eb1486337403ab1e1176f467fd86d0fe69abe963d480efda34cbe1c5f

Download Submit