2c341e9ae196b1bcb137a43be29251e93561f9d578b08d2863529585039e885b

General

Target

flashplayer.exe
Size

15.3MB
MD5

a8a8c089a6a8583b24c85f5a4a41f5ac
SHA1

798c755fab62d9fc7019bd195026195d0d339a38
SHA256

b6ba115c2b43d87aaddf0060c44726e7af1a12c9501fc63de652a9517d7367db
SHA512

1636318338ae3eeb2d194e62463b279f9ff86e22e119ac6bb134d8ec958a69930815b6f84b9019342b62c470020465d3288bb592676318902e6cb765029d2f2f
SSDEEP

393216:e+VtcTsNLwevhv3aDtxf0mAPXXprADug+js0+oEbiNO0TNPRU70hlz:e4tcCLwevhHPXXprADuO8PRUQht

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

flashplayer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	flashplayer.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	flashplayer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 64 IoCs

Processes:

flashplayer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.swf	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.FlashVideo	flashplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.f4a\ = "FlashPlayer.AudioForFlashPlayer"	flashplayer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	flashplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	flashplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.FlashVideo\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\flashplayer.exe,-202"	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.VideoForFlashPlayer\shell\open	flashplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.ProtectedMediaForFlashPlayer\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\flashplayer.exe,-204"	flashplayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	flashplayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Downloads"	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\DefaultIcon	flashplayer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	flashplayer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0c00000050000000a66a63283d95d211b5d600c04fd918d00b0000007800000030f125b7ef471a10a5f102608c9eebac0e00000090000000	flashplayer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000	flashplayer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.FlashVideo\shell\open\command	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.VideoForFlashPlayer\DefaultIcon	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.AudioForFlashPlayer\DefaultIcon	flashplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.f4p\ = "FlashPlayer.ProtectedMediaForFlashPlayer"	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.f4a	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.ProtectedMediaForFlashPlayer\DefaultIcon	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.f4p	flashplayer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	flashplayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	flashplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	flashplayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	flashplayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy	flashplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	flashplayer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	flashplayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.FlashVideo\shell	flashplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\flashplayer.exe,-608"	flashplayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	flashplayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy	flashplayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	flashplayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	flashplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	flashplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	flashplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.swf\ = "ShockwaveFlash.ShockwaveFlash"	flashplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.VideoForFlashPlayer\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\flashplayer.exe\" %1"	flashplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.VideoForFlashPlayer\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\flashplayer.exe,-203"	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.AudioForFlashPlayer\shell\open	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\shell	flashplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\flashplayer.exe\" %1"	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.AudioForFlashPlayer\shell	flashplayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	flashplayer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\shell\open\command	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.FlashVideo\DefaultIcon	flashplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	flashplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.VideoForFlashPlayer\shell\open\command	flashplayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	flashplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	flashplayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.AudioForFlashPlayer	flashplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	flashplayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	flashplayer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	flashplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	flashplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.spl	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.ProtectedMediaForFlashPlayer\shell\open\command	flashplayer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

4672 chrome.exe
4672 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

flashplayer.exe

pid process

1612 flashplayer.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

4672 chrome.exe
4672 chrome.exe
4672 chrome.exe
4672 chrome.exe

pid	process
1612	flashplayer.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

chrome.exe

pid	process
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

flashplayer.exe

pid process

1612 flashplayer.exe
1612 flashplayer.exe
1612 flashplayer.exe

pid	process
1612	flashplayer.exe
1612	flashplayer.exe
1612	flashplayer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4672 wrote to memory of 3868	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3868	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1568	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1568	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1568	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1568	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1568	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1568	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1568	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1568	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1568	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1568	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1568	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1568	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1568	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1568	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1568	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1568	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1568	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1568	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1568	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1568	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1568	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1568	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1568	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1568	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1568	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1568	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1568	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1568	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1568	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1568	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1568	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1568	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1568	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1568	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1568	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1568	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1568	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1568	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 4168	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 4168	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1180	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1180	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1180	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1180	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1180	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1180	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1180	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1180	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1180	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1180	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1180	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1180	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1180	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1180	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1180	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1180	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1180	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1180	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1180	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1180	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1180	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 1180	4672	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\flashplayer.exe
"C:\Users\Admin\AppData\Local\Temp\flashplayer.exe"
1⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1612

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffab5629758,0x7ffab5629768,0x7ffab5629778
2⤵
PID:3868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 --field-trial-handle=1816,i,7334893918514219992,9515298056055204001,131072 /prefetch:2
2⤵
PID:1568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1816,i,7334893918514219992,9515298056055204001,131072 /prefetch:8
2⤵
PID:4168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1816,i,7334893918514219992,9515298056055204001,131072 /prefetch:8
2⤵
PID:1180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3240 --field-trial-handle=1816,i,7334893918514219992,9515298056055204001,131072 /prefetch:1
2⤵
PID:216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3376 --field-trial-handle=1816,i,7334893918514219992,9515298056055204001,131072 /prefetch:1
2⤵
PID:1196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4628 --field-trial-handle=1816,i,7334893918514219992,9515298056055204001,131072 /prefetch:1
2⤵
PID:3908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4740 --field-trial-handle=1816,i,7334893918514219992,9515298056055204001,131072 /prefetch:8
2⤵
PID:4572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4876 --field-trial-handle=1816,i,7334893918514219992,9515298056055204001,131072 /prefetch:8
2⤵
PID:3800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4868 --field-trial-handle=1816,i,7334893918514219992,9515298056055204001,131072 /prefetch:1
2⤵
PID:2960

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
144B

MD5
fab64d5a2079a7ba01bf537b67425d19

SHA1
ca31584f933a023857049a4b74c5bdd156237739

SHA256
c9da2e8f7d1029475961ef170553d43ab04789ff27643efe1af2069b9342829f

SHA512
8d9ddaa1cff7898304283db22ae5bf04d471b0f286166bbdb1ed942dca02e3d06d27051752770149f7490b955b1869711314d5ee758408e3f779dbe597d2c099

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
7762f222de53149b3c6b4ef896692fe3

SHA1
8a2bc3be09e73b9eba885b7c89af7bc73998a5bd

SHA256
ca02cfc09206afe3122993bd8ad75dc1aad740eb33a11d08d9a21fee3aed98b3

SHA512
fb102b704eb7266a2e38b1b4c69e7c9086bbc2c3267d7708fa3e894b07a96ed3c1b0583ff84e67a40ca0862631d9ddfcc1459c82d8a2f8e28d6283cdf941915b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
b14a12a015c8f36f5f192c129636136d

SHA1
2bde3886daed5b6912250ee1c1dcac3de793c43b

SHA256
ab7f55a6e55318a3e9dce045a73d51fe67009fbec40396665660c46cba7a49a8

SHA512
04af9d59fe4affde5837720eddc56eed8fd70f64c3e148961be9a2f498739f5f256769b6c51e6a8f3761d09411584c5101f14fae05d2015a332e0f7a585bcac4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
142KB

MD5
7ea2512d9c760bf69274fd6e96de26d1

SHA1
7072034cdfd22b102ed20861a0eee72085ff27d9

SHA256
e6870c4d3f7dd3483125f9cbed9060e805d88f2229f7f1f5c043c8ab78a355f1

SHA512
fded3f01ddf2dff29880248e849074bd8dc20fd9079d0e90339e691f2db94e9bde6bdf736e93921091b550685bda5db8e6b14c4239e0f7d870d22d88079569fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
28KB

MD5
fe1a05788125684c3abf20b1cf4880ad

SHA1
557045eaefefd64008b28aa549b5bf391b2cb81c

SHA256
af34a33b999ecfdd827cce82c13d231cd38eeb66bb13f54120bce604d1d234f0

SHA512
8cf592bc1923dfe66161eb2fd2f0275073832c6af7e09c5c6e14f9bfb2e16f2d84e535366eaa3e7fdfa9f9b839b546746558a6a00fac42f32cf76af49248cd09

Download Submit
\??\pipe\crashpad_4672_MVIXVVLUVJKNXTNK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1568-192-0x00007FFAD37F0000-0x00007FFAD37F1000-memory.dmp

Filesize
4KB

Download
memory/1612-180-0x0000000005EF0000-0x0000000005EF1000-memory.dmp

Filesize
4KB

Download
memory/3800-216-0x0000028536CC0000-0x0000028536CC1000-memory.dmp

Filesize
4KB

Download
memory/4572-213-0x000001AA5D760000-0x000001AA5D761000-memory.dmp

Filesize
4KB

Download
memory/4572-214-0x00007FFAD2A80000-0x00007FFAD2A81000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads