hxxps://mega[.]nz/folder/xYhnUITK#qfMAsvlv2F1B16ttLNFQww

Analysis

max time kernel
155s
max time network
170s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03-02-2023 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/folder/xYhnUITK#qfMAsvlv2F1B16ttLNFQww

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da0000000002000000000010660000000100002000000072635c71e29cb721994599a92fefd0599c71c0a36e5d6ca1fe6c15eef9582a87000000000e8000000002000020000000c270ba7571a0ca5dd95ff4be6f05a3c61db26f2495dc7afb5600cd9840c2215b90000000ab1e5d93a0d9f099aaed728aaab3eb2da78aa686b6e2e9e2cf5c09aa7ae9779ede85d328dd5ac5a32a32ce4d0214705478bd4e34c4789be0738934d79c8596f441dca05be83f6556d33f1e1ecaee4b9eef33f884fa9efce4547a7164ab1f42445655812f4dabd67dbd41de56b053993d0e86440909601ead433c36ef7d6893c7cef9d5a68254479871a86a397bba434d400000004bab8a7f63a204253ef5aa5d43d2528a3c4e40ffca5190734206c81628add5f9cad02cc1d092f7ab29fbd871a3f003c159ab2b14c23defa2b55e6277af3b658a	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\mega.nz\Total = "46"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{44DE6B91-A3FD-11ED-9D71-7AAB9C3024C2} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "46"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 200fff3b0a38d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\mega.nz	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\mega.nz\ = "46"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da00000000020000000000106600000001000020000000d13063bb40be6f68b5e8f91be22f7854433c44008a3235c33584b0785fa6cfd9000000000e80000000020000200000007b96baa704d313a76cee7dbf62225a23b6d8148adda5e5329ccebd15ff5ef3842000000041c556a4d37a482a2d8895fa4b7af16841c6e334193b2f7ef4c54dbf5f1513db400000005572f9fc5d24cdeef9cf274ac9e51b4f02e8f6be647895dbcf96f586b01b4ecb043910570ce1c371e343db8fe29471a286062dfd05bf820cbb4b64f295eaf901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\mega.nz\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "382219375"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{44DE6B93-A3FD-11ED-9D71-7AAB9C3024C2}.dat = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2004	chrome.exe
1576	chrome.exe
1576	chrome.exe
2600	chrome.exe
2600	chrome.exe
2768	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2008	iexplore.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2008	iexplore.exe
2008	iexplore.exe
1160	IEXPLORE.EXE
1160	IEXPLORE.EXE
1160	IEXPLORE.EXE
1160	IEXPLORE.EXE
1160	IEXPLORE.EXE
1160	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1160	2008	iexplore.exe	29
PID 2008 wrote to memory of 1160	2008	iexplore.exe	29
PID 2008 wrote to memory of 1160	2008	iexplore.exe	29
PID 2008 wrote to memory of 1160	2008	iexplore.exe	29
PID 1576 wrote to memory of 1036	1576	chrome.exe	32
PID 1576 wrote to memory of 1036	1576	chrome.exe	32
PID 1576 wrote to memory of 1036	1576	chrome.exe	32
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 1632	1576	chrome.exe	33
PID 1576 wrote to memory of 2004	1576	chrome.exe	34
PID 1576 wrote to memory of 2004	1576	chrome.exe	34
PID 1576 wrote to memory of 2004	1576	chrome.exe	34
PID 1576 wrote to memory of 1932	1576	chrome.exe	35
PID 1576 wrote to memory of 1932	1576	chrome.exe	35
PID 1576 wrote to memory of 1932	1576	chrome.exe	35
PID 1576 wrote to memory of 1932	1576	chrome.exe	35
PID 1576 wrote to memory of 1932	1576	chrome.exe	35
PID 1576 wrote to memory of 1932	1576	chrome.exe	35
PID 1576 wrote to memory of 1932	1576	chrome.exe	35
PID 1576 wrote to memory of 1932	1576	chrome.exe	35
PID 1576 wrote to memory of 1932	1576	chrome.exe	35
PID 1576 wrote to memory of 1932	1576	chrome.exe	35
PID 1576 wrote to memory of 1932	1576	chrome.exe	35
PID 1576 wrote to memory of 1932	1576	chrome.exe	35
PID 1576 wrote to memory of 1932	1576	chrome.exe	35

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://mega.nz/folder/xYhnUITK#qfMAsvlv2F1B16ttLNFQww
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2008 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6fc4f50,0x7fef6fc4f60,0x7fef6fc4f70
  2⤵
  PID:1036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1068,4785646118874801335,15361348169159549712,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1124 /prefetch:2
  2⤵
  PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1068,4785646118874801335,15361348169159549712,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1252 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1068,4785646118874801335,15361348169159549712,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1764 /prefetch:8
  2⤵
  PID:1932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1068,4785646118874801335,15361348169159549712,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2032 /prefetch:1
  2⤵
  PID:2084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1068,4785646118874801335,15361348169159549712,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2148 /prefetch:1
  2⤵
  PID:2092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1068,4785646118874801335,15361348169159549712,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
  2⤵
  PID:2236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:2360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6fc4f50,0x7fef6fc4f60,0x7fef6fc4f70
  2⤵
  PID:2372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1012,9716154164237760028,5619267821651283223,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1044 /prefetch:2
  2⤵
  PID:2516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1012,9716154164237760028,5619267821651283223,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1264 /prefetch:8
  2⤵
  PID:2548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6fc4f50,0x7fef6fc4f60,0x7fef6fc4f70
  2⤵
  PID:2612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1036,16894092534077302186,4981674054044343184,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1104 /prefetch:2
  2⤵
  PID:2740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1036,16894092534077302186,4981674054044343184,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1748 /prefetch:8
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1036,16894092534077302186,4981674054044343184,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1404 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1036,16894092534077302186,4981674054044343184,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2032 /prefetch:1
  2⤵
  PID:2876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1036,16894092534077302186,4981674054044343184,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2040 /prefetch:1
  2⤵
  PID:2888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1036,16894092534077302186,4981674054044343184,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
  2⤵
  PID:3068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
6b72e2021b49af2412efb6148358926b

SHA1
87b16e38f33f8e1fa9ee5b1f394b25f48db8e0ed

SHA256
32c29d7f689236ac717a4c4e51e9fc376e42d05c2f74c7f16b228088573a13ce

SHA512
03553f81a3c2388caf3c61d929ec257d846f261e8b474352bc417d585de48d80711bf19f34cecabe294fbe04fd096c743e2f74dc3978e7b23e8982211f1d03a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
6af6ce211c2ab59fccfacb95b2a2ac48

SHA1
1d384947dcac567774034a8c0354fe10f1eb3b31

SHA256
db6b2effffc703723197d276bbe9dce9a6ad16b47cc12d61f7bfea0be88a7bd4

SHA512
8c4e58c9140e41dc243b9d168163da939691e6bdff1b8963f4dd04f0a73f38e0eedb285eca230a1cf24f547bda648a3b30ff2843b10138b95fba35dd7bb162ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
6af6ce211c2ab59fccfacb95b2a2ac48

SHA1
1d384947dcac567774034a8c0354fe10f1eb3b31

SHA256
db6b2effffc703723197d276bbe9dce9a6ad16b47cc12d61f7bfea0be88a7bd4

SHA512
8c4e58c9140e41dc243b9d168163da939691e6bdff1b8963f4dd04f0a73f38e0eedb285eca230a1cf24f547bda648a3b30ff2843b10138b95fba35dd7bb162ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1

Filesize
264KB

MD5
0283b862b4e3ff4f69164c3ce35b082e

SHA1
7cc232acb97868a6ae811292c90c33e2d160eb87

SHA256
c2ac5ef43cec7ce9ba84732d93626092149c6fae419ce80bf59954069cc1508c

SHA512
beccb22e9790bd3e1618b243883a3f7d84d5469b31d88dcbe876ce5d6b1eb0248bb67819e4960573fcdc24bee9f2cd8f83f03063ba0aa099f2e1e4dbee41475f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\LOG

Filesize
331B

MD5
fc96bfa10cd87024d389e7f0aa08694a

SHA1
984a5ba9f6c0924b6d6861f08969ed6d7a5739b5

SHA256
58252f794147b45079d2c6f54486e4e5ebbfb8d343ab5ec4f5c6ea98db177b2a

SHA512
c46f8296bf886475b915f961ef6e41341bacd4802e5d46c24b283c486d3f6e6dd417801c8423318546dc5ef572530a4ce232d1d76527aa87581d56d81bf10d9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
a08c7e8f75a50480e7c235a61a0615d6

SHA1
72cb999096e431822ca5dfd09f2eb6f446db18d7

SHA256
52995c1ea2d2ac25d543870a918e8ed0de7e9c7bbfbed9a4d7d5ceed2facb2ba

SHA512
1ac3f5732e70e9dbe5fff9b4b826ced65b292693898156e54fd170c01dc763df141f13ec2d841c89fd740e832f209fb896e81e110532c3c06665820715e902f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
1d937270439d268f28c1ba0c3cd2d7a9

SHA1
bf0c09c5c6786dc94bea826a1f3bfe55091b58b1

SHA256
208f7b31841afff620b4ea44c669de60238c699986e2a0f824ba3412b566d566

SHA512
34b5a059c860f433413af205bb97662e6bf7efba89983fdeecdad9cfbf8c8cb54bb0387f636d81dcb4f14186dc205cd5b02325d324093269503d11300d583586

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Tabs_13319928036041600

Filesize
669B

MD5
dd08eae92102ede138cd19d3426e790d

SHA1
4f07b9944618825cb6700b9d25855de31cd05c28

SHA256
130234e6656074a0bb03ffe7c604cce8e17332ac5f92c148bfc6007484dc27ee

SHA512
3d2d66e8c70c593ea6e7824ba927889b29dd40bbda5be04228c489b77dec9ae424b2fce8664325e36960c19b31450e13407438fea644c05e1bbfde5819bea5b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
345B

MD5
2a8cebd097c6b865b596af079e4e2eb6

SHA1
3cea1f2e2da743cbe5d3dc1a1747192843cfc525

SHA256
709ed8a9521d4d4cf20605fee2a462d7de395e81a1d586a4d2f10ab972d130bc

SHA512
8c1ed98c1eb257220c681adb60430d9d500f1165019e5e54b85a0c27f274eccafd86ea1357aab7b963c669dc894d42c79bbc2b7b5286b7a447d09a6bfc1f4e9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log

Filesize
160B

MD5
de92ad90be6d3364745b2f73f4c3cf73

SHA1
9158681463bd30e5af4dda4baac81f93cedbda77

SHA256
0025a3e0d3b834401b3b5f820e1991ef7e810d9a4b8b6b579e6301c94e7031a0

SHA512
9e81cefc195439439f4b23ee7696309d7bc3c08e5b444d2abde26d2f12b2d3bcfd124fb9a2d40c6389e9f787741676fad366a2e9982674e7b931028c014d8a79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
321B

MD5
3c14365fbbc7f2703fa7a2d09fd7931d

SHA1
fb3d1e17e64cf29623cbb95aa4174ecd18b057cd

SHA256
02c8a175c1cbfb940e97a69c258968037808f2dd76d7ddd591242f4af0facc8b

SHA512
a60a14570b43e2deb6c0307cc3cbc973f890db7bd0c61af198d7b2cb2ddc0952acbb8003cc2b9005eaa932e0ad0a87359c1c17a28d017f76137619e1332a2738

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
13B

MD5
b63048c4e7e52c52053d25da30d9c5ab

SHA1
679a44d402f5ec24605719e06459f5a707989187

SHA256
389caa40ea458e84bc624a9af1e0dec60fa652b2db2b81c09b1dfe22822cc3d1

SHA512
e86c58c5a25e24f21ad79ed526a90c120a09c115f4820663bd2ebbc59e7bb1c4c418267eb77645522aa20b2c1b53fba8e31690db7bae9b21e4eff3db06316359

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
110KB

MD5
132cae3b2b827c33db63f7e2f8cd4fcb

SHA1
2799da38bf881ac0ce805419fdedbd667dc31e51

SHA256
cc4d8c16d9aeb0bfd8ed30370594e70d9469016f896d7c6cfcd8db04363a4ed5

SHA512
561d7232dd7427cf4cd25f4bf641ce5f5c9c075fa9973a83f0d30750d4fbdb9633ae5db4fae92aa4bf73304215291a29804d9750c6b9e2e2c7e7d2010d5a32db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
110KB

MD5
ce1ec557c044adf37bedc46b3829a43f

SHA1
71f9ea19854d76c4f81c1b81985e11e5d5b0d7cc

SHA256
c69addf65e975b078dbb757125c490c896bda2e75cf60bce4c5509c77784d201

SHA512
8b5b513b3e452d946b592d7757b7a6570f1adba10b5d494848ab919dd47d8d7c89359077e155e1f9aa4e36eadbc4e7166f7c58e6927363fcb88ea1449ebf8fe6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
110KB

MD5
132cae3b2b827c33db63f7e2f8cd4fcb

SHA1
2799da38bf881ac0ce805419fdedbd667dc31e51

SHA256
cc4d8c16d9aeb0bfd8ed30370594e70d9469016f896d7c6cfcd8db04363a4ed5

SHA512
561d7232dd7427cf4cd25f4bf641ce5f5c9c075fa9973a83f0d30750d4fbdb9633ae5db4fae92aa4bf73304215291a29804d9750c6b9e2e2c7e7d2010d5a32db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt

Filesize
6B

MD5
c42ab3bdddfa85f5c69f69966ff71fd9

SHA1
6e4e4a60c7f7854f7b6943cfc3e51e3792fd1e96

SHA256
01424d078c56227b8968ee57ebb7f8fb5974a332bae756b916a1c32f60d7c5b1

SHA512
185dc870ec7028dc411f522af2d7f2a87c20ab7fd255cd7439caddb0448db777e0bb8c1475ee968a98b65ed69de4804fdbe829c64440b3b6fa2d1bf53467ca25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\t9o3c8r\imagestore.dat

Filesize
6KB

MD5
e0d486eb7e6d0fb7b192f8c34b9b96e8

SHA1
b63068631a096bd2f220b65a437cd58dd3c7b91d

SHA256
c5236c6556eeaa61f7e6b225b5f9bda5e09a93f60dec534f33686fef482fbbfc

SHA512
4c680306ccc8e68159162154909b1c0f3d317dbb3e54202b45203759f7fb3a1015e9cc42468df8d712b587b30d0c3e67e8f62c3ec7cd221ee4444816230b1f72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VO6ZOEGG.txt

Filesize
601B

MD5
af7e6bfb915d78afa9a7b2b871c288c6

SHA1
a3eeb7116ad75ebbcb272f9f4bd9e9bde3bf6718

SHA256
521da900a39e83d0128f9fd0d745a98b64be763a7d3aba060f33358f5e2c36dc

SHA512
772be2aaf7eabc996a805936022ecd1d384cb84b5c359f328282cab9285b39b6c5d9222e7a135e3ecde637a20451f49ade33ea44b37b187c3bb3138f6b6fe1ff

Download Submit