hxxps://remitbazaar[.]com/wen?&qrc=m[.]anastasov@bette[.]de

Resubmissions

30-11-2022 11:07

221130-m75hxaeb89 8

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://remitbazaar.com/wen?&qrc=m.anastasov@bette.de

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9449A444-70A7-11ED-B696-D2D0017C8629} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376575068"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000038323e02d470a64cacf37b4f7b783e20000000000200000000001066000000010000200000009787ee654a640dc6550c7656dbc3508785fb586223b649da0477155e54c25cf7000000000e80000000020000200000008c3e008e2e4e1e56ebed2909ff55601014bc6fcc10d58aa5a9ac2d91610c85c220000000f5eac314ab53e22de17d99612009f28fa65b58d0f28acacd6c8f40b9ad4b7ba440000000383602181fd622c5745fda8a0338e88a2081139ec66e04c0cb879ec26d5ff529864b5f29855d0bef7f20855583679bcfbfe2ff0f84c68012263af67079db9c55	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0aa9e86b404d901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0ff1886b404d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000038323e02d470a64cacf37b4f7b783e20000000000200000000001066000000010000200000008094825859e9cbab39dc2ed60c4b45a1facf1abb5a868769ac047f36ec9e0fe7000000000e80000000020000200000005b0d9bfe74dbcb5051174b9d6f8b0457add35c7f22118577abd9c3598eff22fa20000000ad26fb213b40b046c3413654ef0c9371db9629dbd7a7306a128126604e24e6a2400000004c0dd3274079374bc5348aee6c047ba5d182f5004bd4ff6a4b0aa13c551b1be071a41f3331a0ba42b2abb5fce91ce794ec950b004f2e2570378ac53d45b9f390	iexplore.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
2204	chrome.exe
2204	chrome.exe
948	chrome.exe
948	chrome.exe
676	chrome.exe
676	chrome.exe
4852	chrome.exe
4852	chrome.exe
2280	chrome.exe
2280	chrome.exe
2648	chrome.exe
2648	chrome.exe
4316	chrome.exe
4316	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

948 chrome.exe
948 chrome.exe
948 chrome.exe
948 chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

iexplore.exechrome.exe

pid	process
3836	iexplore.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe
948	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3836 iexplore.exe
3836 iexplore.exe
2180 IEXPLORE.EXE
2180 IEXPLORE.EXE
2180 IEXPLORE.EXE
2180 IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exechrome.exe

description	pid	process	target process
PID 3836 wrote to memory of 2180	3836	iexplore.exe	IEXPLORE.EXE
PID 3836 wrote to memory of 2180	3836	iexplore.exe	IEXPLORE.EXE
PID 3836 wrote to memory of 2180	3836	iexplore.exe	IEXPLORE.EXE
PID 948 wrote to memory of 2220	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 2220	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3100	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 2204	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 2204	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3748	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3748	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3748	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3748	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3748	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3748	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3748	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3748	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3748	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3748	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3748	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3748	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3748	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3748	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3748	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3748	948	chrome.exe	chrome.exe
PID 948 wrote to memory of 3748	948	chrome.exe	chrome.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://remitbazaar.com/wen?&qrc=m.anastasov@bette.de
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3836

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3836 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc87a64f50,0x7ffc87a64f60,0x7ffc87a64f70
2⤵
PID:2220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1588,18272819715244139225,909062995195296577,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1612 /prefetch:2
2⤵
PID:3100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1588,18272819715244139225,909062995195296577,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1996 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1588,18272819715244139225,909062995195296577,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 /prefetch:8
2⤵
PID:3748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,18272819715244139225,909062995195296577,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2856 /prefetch:1
2⤵
PID:3636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,18272819715244139225,909062995195296577,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2872 /prefetch:1
2⤵
PID:3624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,18272819715244139225,909062995195296577,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3808 /prefetch:1
2⤵
PID:3992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,18272819715244139225,909062995195296577,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3964 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,18272819715244139225,909062995195296577,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4456 /prefetch:8
2⤵
PID:2420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,18272819715244139225,909062995195296577,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4492 /prefetch:8
2⤵
PID:1316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,18272819715244139225,909062995195296577,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4564 /prefetch:8
2⤵
PID:1896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,18272819715244139225,909062995195296577,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5280 /prefetch:8
2⤵
PID:2688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,18272819715244139225,909062995195296577,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,18272819715244139225,909062995195296577,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5076 /prefetch:8
2⤵
PID:3560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,18272819715244139225,909062995195296577,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4992 /prefetch:8
2⤵
PID:3976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,18272819715244139225,909062995195296577,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5072 /prefetch:8
2⤵
PID:2768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,18272819715244139225,909062995195296577,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
2⤵
PID:4564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,18272819715244139225,909062995195296577,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,18272819715244139225,909062995195296577,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3636 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,18272819715244139225,909062995195296577,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1528 /prefetch:8
2⤵
PID:2260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,18272819715244139225,909062995195296577,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
5138a22c0c4156c1b2f9ad291e3cadc6

SHA1
2246262c5c8c94d242129415349e344744f38a07

SHA256
581b947db93287c18ce5cffd2d2c517153199f68c9fb1696842fb4a710270778

SHA512
68fe54c4c666d4a75e1319056e8103da610553a1b68876a40ebdca1f5dd6527358bcae40458ec0ec3532071f08f33eeefe6e9d95b2a4153c1bead6b9780f0858

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_5C379F3600DE745720AF61433A9796B2
Filesize
472B

MD5
608e4d04a251ebcd51660e801f388303

SHA1
fcb9aa48fd6ed504a1a9fed7990c5ccde63e6a1d

SHA256
cc1a34cd0a99e301df97cf184ab0ded2e229659f86f43e4eff479dee221695dc

SHA512
6bf5788982bacca8c9a9b596a6fb719e0707d26e966c83a4e668766dd55e08a1ccba61ec691392e863d4e8a354b308351ca45c42df9abb4a3e51f3164f3e1b8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
724B

MD5
f569e1d183b84e8078dc456192127536

SHA1
30c537463eed902925300dd07a87d820a713753f

SHA256
287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

SHA512
49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_DD5E18651A85E635F184F73BE6D3DB70
Filesize
472B

MD5
146dac10a93604a686550631e14eefb9

SHA1
b4af601ce6d515d9ec124938ce626060e0d43099

SHA256
bac5bc94c1a95af45522dadbf1639aff31e691fa2314314c6cce1ab1e70bba87

SHA512
3650738b90df8b212f9380437417081bb911a605839b846aeaa7aef139bb010a54bddab4e61ed946bea230de7423965ff2c7d30e92e5618f5aa9e84da1f60e97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
896d4bf023d722f096a71a31bed2d3ca

SHA1
d118aa5f8b0c7cfce040fc80f229459825eb431e

SHA256
02c588bc26521cd106a5764a10d886a1cf5835d6c117cc1262ce212445f5bb20

SHA512
343beecfba44997a0a142646a24c1b08944ec6b2eec9bba19b8c93fda5a587e347cee200a2d6f0acb7b2db69e6e608267ef2c867afc464b6e8612ac4f80f2393

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_5C379F3600DE745720AF61433A9796B2
Filesize
410B

MD5
d35eb50bc9d82cfdbac0a1775ad414ca

SHA1
47abc82cb9b2aa6ca9c7d935791a9b51b8b4ea16

SHA256
fb522acaaa6298d5f6dbc63ec0fa2c50f36bb3d5d87144e024acb75517e7e13c

SHA512
dc394383f597d57ba80f6714b7e7ccb0231610a6071150525da482f55c7a457a5b11b09088c23b34d403c75c494167de0479a710481763a6b521f4a4f23b392b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
392B

MD5
383e288c92a819d670493406fd7e8c6f

SHA1
3ff5a979193802e685c929ab21e8f4cc2f229086

SHA256
42120149f1885ee153d4ff1ad454be5f3a133fe4e017da909a0b9084a564f0f6

SHA512
732a7e90b6ff72679df23bce09c33fbe8614440120dc04da4776098b95dbbe07487d4da0d324a37a9af5b550ae90114028edc236599578a9c8e7620db18aa701

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_DD5E18651A85E635F184F73BE6D3DB70
Filesize
406B

MD5
545376aa27a355ef3ec5ead83cad8caa

SHA1
44b2d693572ac1dd5035398018107562a013ce1a

SHA256
24e27231ea3a64c2a49c622dbae5596281be57fcad7b4d642d7504ad62727ce6

SHA512
abfa5ec75ff2c100ea8f9b1557c1f83dbd41e7e8f542acf495d8631cef9237e7225ba3b00427c9176be374bd51c8780d86d0abf59bf05fd4393078a6504b299f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_948_KGKCHSZIYNOEABYT
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit