93709755621f17bb60d965996890bf06e7b89e84e1c9e01f52967a772b6c88fa

Analysis

max time kernel
219s
max time network
305s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01/03/2023, 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

☎️TELEPAIMENTS.js
Size

149B
MD5

5d8e2b03ee0035e6dbbecc2b782a2fa5
SHA1

c26fb2531794aa3010f20046d29ed16dfff7c9cd
SHA256

93709755621f17bb60d965996890bf06e7b89e84e1c9e01f52967a772b6c88fa
SHA512

dac6157c34dd242cc7533621e088b6d1e381aee35c1cafe5458257733e6ecc052fb110303f7ecb9f800c934cb0e91d2deb8f07aba8526d410034e932c9626a8b

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10c18933544cd901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000074b2d77a8e7a944ea7c282b9066208cc00000000020000000000106600000001000020000000d3b1f95c9df333bb9e2dc3126a58c78d71250d320e85d82435b0c51bbd856bb1000000000e8000000002000020000000301cd1ecf0dc3eb0d9802810b94493f6cc99b8fa6fde3cae4f100f7a47f54d1690000000517b1f5d1d61dae4bd6423782b4092b647ad9dc7cf59848eeffefa8514ebb57ca3d037aa0ae2b379f4174874a1a7f058659ffbe035c9144d74fffab151b0805ca27f770574b4da2f3bd49832ffe2852c9a8c50620b222abeffccdc054baf77b91f47da287d08e5ba2aac673a2b5b7aca7943146b0b1ea99508d863225ef3c70523f3f8871205322e09c1cfe6d4f0739040000000a88463a24046d31f57b561f16edcf0807c40e0c2519579d188b202938de3cb374e5b566b711427c991116f2f454af17a5223aba4ca885f0b4d047a87f6db12e9	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000074b2d77a8e7a944ea7c282b9066208cc00000000020000000000106600000001000020000000d150348a2f9d6db037b91ac766c95058c832a19e5d1e79ba899c51a9b9638fca000000000e8000000002000020000000c6ebbe503297f4a7aea4ecb2518947c143b55aba4f3cc3ad3c1a56b7380750792000000007cd4540c736323d1b50b429adef9fade307589e5d3767ac66a13c7a23ff4c8740000000abfdc843e94e4d47f64291cf07c2eb75307ab39e068602e87f2f270cbd5960cc26d73278ce462792286074cb8eeb71afca57ccca51b3f2800fca2985ec7ff45d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6988C811-B847-11ED-9EDA-E6D401764DCF} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1348	rundll32.exe
1416	rundll32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1760	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1760	AUDIODG.EXE
Token: 33	1760	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1760	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
816	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
816	iexplore.exe
816	iexplore.exe
336	IEXPLORE.EXE
336	IEXPLORE.EXE
336	IEXPLORE.EXE
336	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 1780	1348	rundll32.exe	33
PID 1348 wrote to memory of 1780	1348	rundll32.exe	33
PID 1348 wrote to memory of 1780	1348	rundll32.exe	33
PID 1780 wrote to memory of 1592	1780	firefox.exe	34
PID 1780 wrote to memory of 1592	1780	firefox.exe	34
PID 1780 wrote to memory of 1592	1780	firefox.exe	34
PID 1780 wrote to memory of 1592	1780	firefox.exe	34
PID 1780 wrote to memory of 1592	1780	firefox.exe	34
PID 1780 wrote to memory of 1592	1780	firefox.exe	34
PID 1780 wrote to memory of 1592	1780	firefox.exe	34
PID 1780 wrote to memory of 1592	1780	firefox.exe	34
PID 1780 wrote to memory of 1592	1780	firefox.exe	34
PID 1780 wrote to memory of 1592	1780	firefox.exe	34
PID 1780 wrote to memory of 1592	1780	firefox.exe	34
PID 1780 wrote to memory of 1592	1780	firefox.exe	34
PID 1592 wrote to memory of 1712	1592	firefox.exe	35
PID 1592 wrote to memory of 1712	1592	firefox.exe	35
PID 1592 wrote to memory of 1712	1592	firefox.exe	35
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1592 wrote to memory of 1276	1592	firefox.exe	36
PID 1416 wrote to memory of 816	1416	rundll32.exe	38
PID 1416 wrote to memory of 816	1416	rundll32.exe	38

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\☎️TELEPAIMENTS.js
1⤵
PID:2032

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1628

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\☎️TELEPAIMENTS.js
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\☎️TELEPAIMENTS.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\☎️TELEPAIMENTS.js
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1592
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1592.0.1709451862\372485023" -parentBuildID 20221007134813 -prefsHandle 1192 -prefMapHandle 1172 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {14ed48f4-b78a-4d90-a32a-a19f8a845740} 1592 "\\.\pipe\gecko-crash-server-pipe.1592" 1280 f417558 gpu
      4⤵
      PID:1712
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1592.1.1458426882\1118368668" -parentBuildID 20221007134813 -prefsHandle 1472 -prefMapHandle 1468 -prefsLen 21751 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {857eb43b-b09e-4d5c-99f6-cce096c4616a} 1592 "\\.\pipe\gecko-crash-server-pipe.1592" 1484 e73258 socket
      4⤵
      PID:1276

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\☎️TELEPAIMENTS.js
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\☎️TELEPAIMENTS.js
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:816
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:816 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef43c9758,0x7fef43c9768,0x7fef43c9778
  2⤵
  PID:2148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1380,i,7495454148298081884,2732043789334478659,131072 /prefetch:2
  2⤵
  PID:2444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1520 --field-trial-handle=1380,i,7495454148298081884,2732043789334478659,131072 /prefetch:8
  2⤵
  PID:2696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1460 --field-trial-handle=1380,i,7495454148298081884,2732043789334478659,131072 /prefetch:8
  2⤵
  PID:2684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2156 --field-trial-handle=1380,i,7495454148298081884,2732043789334478659,131072 /prefetch:1
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2180 --field-trial-handle=1380,i,7495454148298081884,2732043789334478659,131072 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1404 --field-trial-handle=1380,i,7495454148298081884,2732043789334478659,131072 /prefetch:2
  2⤵
  PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1048 --field-trial-handle=1380,i,7495454148298081884,2732043789334478659,131072 /prefetch:1
  2⤵
  PID:452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1804 --field-trial-handle=1380,i,7495454148298081884,2732043789334478659,131072 /prefetch:8
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1364 --field-trial-handle=1380,i,7495454148298081884,2732043789334478659,131072 /prefetch:8
  2⤵
  PID:2472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3720 --field-trial-handle=1380,i,7495454148298081884,2732043789334478659,131072 /prefetch:1
  2⤵
  PID:2752

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8ca39a6430e666d41e42b61d8ed9c1f

SHA1
fe29924cebb4b9ee44c3bede04ed5c390be9d89b

SHA256
81b4299d151569e18dad562bfdad1049e1ec969b7f119bee08f0d0feca7efe7c

SHA512
93f77aacc28c4660b7875d49ba95557270512df126119dfdbda8cbe48c7db94949c2bc8e4f844de33441ede7862c626a00996808b4fa527106250d9e610486c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d91fd032e3c5e87837e94d2d065d7fc8

SHA1
19f6c5f827d283bc3da231a3030e0ef9aacc35f2

SHA256
94f0e9215c93d84f1f48e379893376c08896c7ac720149ae08a1f0188b0c9ca3

SHA512
4bc06a2df732413eb7d059dd7d02cdcd8d61ba9fe3cd1c23c9cfb1ee9e1c8fd16f82a45afd457156f6ad55e431c28b382e0f5ef647dc1e8b2badae32aecd99ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d91fd032e3c5e87837e94d2d065d7fc8

SHA1
19f6c5f827d283bc3da231a3030e0ef9aacc35f2

SHA256
94f0e9215c93d84f1f48e379893376c08896c7ac720149ae08a1f0188b0c9ca3

SHA512
4bc06a2df732413eb7d059dd7d02cdcd8d61ba9fe3cd1c23c9cfb1ee9e1c8fd16f82a45afd457156f6ad55e431c28b382e0f5ef647dc1e8b2badae32aecd99ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5fc0dd4f3685b7b60b4ea976aef03b27

SHA1
ab97ddd9b9f7d5c4b15f51f920f2291cb9e314b4

SHA256
95db921aedb812422d7ce92758874c10084489e41d47230942cb7664fbf9abcd

SHA512
31ba099d274767c7496318d599cdfdc9c292d3d009aebfe272f4c37466b0b74d2287c97caf56105ea23d31c0742a4d3d05b5759ffed15737b130efb0e2af5a25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
376c55bdffc2888baf8e7754068d62cc

SHA1
41b7492dbae041e4b1ffc8ee7442bd17d3d6f0cf

SHA256
12dd2548cee8d53b2c41651830a62c85dc0ec1e449281e7f00a4b904f211c64e

SHA512
ddda7eb5d8cd303543919fd54689532ec9e36b24d51f928e95f26edcb8a354e1049e9bc861d79ac24a4b29e4f2de5faa1e9c3c7a4e11ee7e4b294d593fa14afe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
816f83deb7cf96f127fa06b49d31411b

SHA1
b36aeb1c0ce44da6d028f9b2e484a63c151a473f

SHA256
45cdc07504d00f2225df45dd8fc1595ab1845e32a30c92a78c0cfc334f443672

SHA512
64e62d977f5a905041f4b33c41380e211cfe34ae37f1a8e7c819377c2afc8286a65e6f14d735e0fc64f9923ab35730c0a289daa4a12bcbaef85e3145d99545f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
811518def5d5384044a9ce6cb4a34d28

SHA1
62a1d56e4740d42ba3e0d14b121e9dbeba21b6e2

SHA256
90da63b100fe12bfe39c484d3de639b2376735e657ea9c7a34336be3fc3e6584

SHA512
7e120bbb4b858b226614028c019239b0b544cc09e5c7a6466c44d7d40f67a2840b19f15cc4af419000b08f7b785eb006a2033dca84c926e9a01556298bcd9b30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11eb87212f727aca0859a6e285a70679

SHA1
eea9b9f36cb973eed5447848bac7a3efd7e23d76

SHA256
042fb4dc463f339d69b2946ead6f9f9ceed4f63c57be88e43cae5d377e908213

SHA512
04fadcdb59ec3d04bb49e1c681aeb0346fbc33dc6b0495aa33108cf36f9b622c7dca422c636da14fbb56fd3d6e0cfcb1549d704f179442b74f2c4d38a0513880

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a090d79abc9c52a7c9347afb1e6433a0

SHA1
f319159e754db1dd4e661b6416da5f8e45a2ad1c

SHA256
9a0f5c1f214e9e0151edf818c706eb3ba3d8271a4d86e1df200e3d9edd69f606

SHA512
65f3f8ba984e1d43e22bed25aae01bc2be2172e888df590df5f9fbef0d53bcfe0b56910ea7922adf08580d55b7140b30b8e9a77279b5ae6b3dd3991485442dfb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca7f0c24a52680e2c7fa509097609b29

SHA1
f6a8727fd630465e7ba844ebfe8d34a68aaa48ed

SHA256
45f4678f2f5c9786ef99275df93e934fdf5d4d82cd491fd251c8eec317795f0f

SHA512
ca3b0f8cab4c346cdab50a7f0a931a77f12ab719de3304c52ee8b7b8c663040ef94770e81e02347d1820871c21177a5b5145c98aa94186901fc0039565c5ad8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c46587279bf8a39f2a8dff7a97eac2f

SHA1
94981b916c650a69cbdcb47157b3e304b042be1e

SHA256
c684790c3026fda408f7fad4e3f51ee8617c07dbe677ac07c71c51c7dc636c81

SHA512
bee656789e64e9fe42652c3e3d2969d29c5d5319307a91b601e798cd73de0a58715ba8b940b223c34824008c9b246e5c9ccfa52ae659de270302c2acd3544a54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2fc513d28ebd6ded18f8520d208413b2

SHA1
24bd697db73bf223a9551270c337e59d6c8f40fa

SHA256
716bca8b0663dbf63d3cf13d0007fdf819973ade7b5b8417d28fb0a69e7dabd3

SHA512
3f5ce58adae24f7cbcdb7ece79a86dde10136e75d82f501049b86bf29590025fac4ee0313e3d9dd5fed3e3f6249c183c93e823e6eb6b50655378ef36bc8291a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
ca8659f971ee8b3cc4d54b1f73c995cd

SHA1
c3cbe843348c6767551531bc23ce691f32ae08c9

SHA256
bff6e64e19d0565fd9b120a306fd9ec305e75fd024c880d43feaa2f573a74671

SHA512
b65dc0723e1ccc81f3ae670fd45a590439d09fea247cdd548d9e8a01a30eec7c7ccdc85b21fbd901dc69bc241b4382b8cd7bf5c3d78df6a680b9915cd7237424

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
3a234df20504efc873a6c5194077ec82

SHA1
869b4c1a79f32b8ac2009f19032f6c5d7b2c11a3

SHA256
d158b25f589da5ad692619a7b280320e739f893f6cae43aee708043f6c03172a

SHA512
f263d31665e6c5f35fa2269dba203cd5a3abb9b64b48dac4ac716befd0b4afcae131e33c2595516c4272d48ab97f9939de11c112f71a690490c5b9424ae13484

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
71KB

MD5
98ca01177aaf0f62cb5353ae1c3e28c5

SHA1
b044d563f5e6c01b54852f5bf9e11776def4aa51

SHA256
644c624fca942b793692df3348ad9a5ad90ced75445f0071bbcddb583efc5d12

SHA512
f3445aad0b07070a1488cc97e23239bc4b45e20ee513e8050629446ba45c4c5904405a291a82585753f2c43d738c61a90fc97ee302510f4147662f35abfa7636

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QCNSQOTT\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB54E.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB65F.tmp

Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SE8FTUSA.txt

Filesize
604B

MD5
9a915b1a8b21727a6420281d3b632588

SHA1
4d80dfe15ea8f18372487dc15090c3da0abe5aca

SHA256
e321d3e9edfdbf430e19c893fd2d3c36ceacceb65b4552b371b64252e3c8fd6c

SHA512
230a9511885a8020f58519ac40a1894f5a472912130cb3ff4e9225f0f1b8bf4e7d9fb1329341235414e9a4d600ca7c03ae999043567c3e3e0a36d8874a2e8406

Download Submit
memory/336-339-0x0000000002AF0000-0x0000000002AF2000-memory.dmp

Filesize
8KB

Download
memory/816-338-0x0000000002280000-0x0000000002290000-memory.dmp

Filesize
64KB

Download
memory/2444-880-0x0000000077280000-0x0000000077281000-memory.dmp

Filesize
4KB

Download
memory/2444-830-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads