hxxps://mega[.]nz/file/FCxAjbJQ#4uTFkJCnbQ_aXMkoaId8cKQWso9VvB1BXQP-HEfMFxM

Resubmissions

20/03/2023, 19:34

230320-x94phafb22 7

20/03/2023, 19:32

230320-x84m4sfa95 1

20/03/2023, 19:29

230320-x69rcaha5w 1

Analysis

max time kernel
90s
max time network
87s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20/03/2023, 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/FCxAjbJQ#4uTFkJCnbQ_aXMkoaId8cKQWso9VvB1BXQP-HEfMFxM

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 42 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F2E595AE-C755-11ED-8FFF-42C2EBB090FB} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000010d3bb75b0ea114e9ca1233a5a090b7b00000000020000000000106600000001000020000000db6366e6be55aa9816b7a5057a127367b42e5d58a3a8efccb6662f6b1bc9ab73000000000e8000000002000020000000aa13437fc696fa8e3b2b28a40b51d49226ec7863ad7859ba46df946cea5dfdeb20000000547cb6dba399e40c7d9ea85a7c1b0282597840fc1e8356e962fc596c660f781440000000043121451c4507ee73bb95903accc8f8fce86db731baf557efc66e7c64db42abf02b79b5bf91675a51c98dcd527027ccb567d32bc44a5686819fbd99edb47d34	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{20AC279F-C756-11ED-8FFF-42C2EBB090FB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b01c94c9625bd901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3352687840"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000010d3bb75b0ea114e9ca1233a5a090b7b000000000200000000001066000000010000200000002d809d65c69800ed7d13db954189b52763683137fcd7a4a488ea1f4c2a45bc72000000000e80000000020000200000001ba9f0ebcd6222f1037790cda22f8dcef4f9332e95d74fd4acf6183b2dbd6e5820000000ec629a6ef0306307d0124654d7a7111eba60836b598b524ac72072fe1f3059d240000000c061186509226e9f7203cd418b7c8471e233470bc86cf6cc88d2d412a48a836a25a494c9384ce262883caf943584b0f61dcf9381714efea5ff253adb2ba19c71	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31021922"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3352687840"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31021922"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 802fa7c9625bd901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133238143579872031"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
852	chrome.exe
852	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
852	chrome.exe
852	chrome.exe
852	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	852	chrome.exe
Token: SeCreatePagefilePrivilege	852	chrome.exe
Token: SeShutdownPrivilege	852	chrome.exe
Token: SeCreatePagefilePrivilege	852	chrome.exe
Token: SeShutdownPrivilege	852	chrome.exe
Token: SeCreatePagefilePrivilege	852	chrome.exe
Token: SeShutdownPrivilege	852	chrome.exe
Token: SeCreatePagefilePrivilege	852	chrome.exe
Token: SeShutdownPrivilege	852	chrome.exe
Token: SeCreatePagefilePrivilege	852	chrome.exe
Token: SeShutdownPrivilege	852	chrome.exe
Token: SeCreatePagefilePrivilege	852	chrome.exe
Token: SeShutdownPrivilege	852	chrome.exe
Token: SeCreatePagefilePrivilege	852	chrome.exe
Token: SeShutdownPrivilege	852	chrome.exe
Token: SeCreatePagefilePrivilege	852	chrome.exe
Token: SeShutdownPrivilege	852	chrome.exe
Token: SeCreatePagefilePrivilege	852	chrome.exe
Token: SeShutdownPrivilege	852	chrome.exe
Token: SeCreatePagefilePrivilege	852	chrome.exe
Token: SeShutdownPrivilege	852	chrome.exe
Token: SeCreatePagefilePrivilege	852	chrome.exe
Token: SeShutdownPrivilege	852	chrome.exe
Token: SeCreatePagefilePrivilege	852	chrome.exe
Token: SeShutdownPrivilege	852	chrome.exe
Token: SeCreatePagefilePrivilege	852	chrome.exe
Token: SeShutdownPrivilege	852	chrome.exe
Token: SeCreatePagefilePrivilege	852	chrome.exe
Token: SeShutdownPrivilege	852	chrome.exe
Token: SeCreatePagefilePrivilege	852	chrome.exe
Token: SeShutdownPrivilege	852	chrome.exe
Token: SeCreatePagefilePrivilege	852	chrome.exe
Token: SeShutdownPrivilege	852	chrome.exe
Token: SeCreatePagefilePrivilege	852	chrome.exe
Token: SeShutdownPrivilege	852	chrome.exe
Token: SeCreatePagefilePrivilege	852	chrome.exe
Token: SeShutdownPrivilege	852	chrome.exe
Token: SeCreatePagefilePrivilege	852	chrome.exe
Token: SeShutdownPrivilege	852	chrome.exe
Token: SeCreatePagefilePrivilege	852	chrome.exe
Token: SeShutdownPrivilege	852	chrome.exe
Token: SeCreatePagefilePrivilege	852	chrome.exe
Token: SeShutdownPrivilege	852	chrome.exe
Token: SeCreatePagefilePrivilege	852	chrome.exe
Token: SeShutdownPrivilege	852	chrome.exe
Token: SeCreatePagefilePrivilege	852	chrome.exe
Token: SeShutdownPrivilege	852	chrome.exe
Token: SeCreatePagefilePrivilege	852	chrome.exe
Token: SeShutdownPrivilege	852	chrome.exe
Token: SeCreatePagefilePrivilege	852	chrome.exe
Token: SeShutdownPrivilege	852	chrome.exe
Token: SeCreatePagefilePrivilege	852	chrome.exe
Token: SeShutdownPrivilege	852	chrome.exe
Token: SeCreatePagefilePrivilege	852	chrome.exe
Token: SeShutdownPrivilege	852	chrome.exe
Token: SeCreatePagefilePrivilege	852	chrome.exe
Token: SeShutdownPrivilege	852	chrome.exe
Token: SeCreatePagefilePrivilege	852	chrome.exe
Token: SeShutdownPrivilege	852	chrome.exe
Token: SeCreatePagefilePrivilege	852	chrome.exe
Token: SeShutdownPrivilege	852	chrome.exe
Token: SeCreatePagefilePrivilege	852	chrome.exe
Token: SeShutdownPrivilege	852	chrome.exe
Token: SeCreatePagefilePrivilege	852	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
4596	iexplore.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
5800	iexplore.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe
852	chrome.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4596	iexplore.exe
4596	iexplore.exe
1760	IEXPLORE.EXE
1760	IEXPLORE.EXE
5800	iexplore.exe
5800	iexplore.exe
5764	IEXPLORE.EXE
5764	IEXPLORE.EXE
5764	IEXPLORE.EXE
5764	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 1760	4596	iexplore.exe	88
PID 4596 wrote to memory of 1760	4596	iexplore.exe	88
PID 4596 wrote to memory of 1760	4596	iexplore.exe	88
PID 852 wrote to memory of 808	852	chrome.exe	91
PID 852 wrote to memory of 808	852	chrome.exe	91
PID 852 wrote to memory of 400	852	chrome.exe	92
PID 852 wrote to memory of 400	852	chrome.exe	92
PID 852 wrote to memory of 400	852	chrome.exe	92
PID 852 wrote to memory of 400	852	chrome.exe	92
PID 852 wrote to memory of 400	852	chrome.exe	92
PID 852 wrote to memory of 400	852	chrome.exe	92
PID 852 wrote to memory of 400	852	chrome.exe	92
PID 852 wrote to memory of 400	852	chrome.exe	92
PID 852 wrote to memory of 400	852	chrome.exe	92
PID 852 wrote to memory of 400	852	chrome.exe	92
PID 852 wrote to memory of 400	852	chrome.exe	92
PID 852 wrote to memory of 400	852	chrome.exe	92
PID 852 wrote to memory of 400	852	chrome.exe	92
PID 852 wrote to memory of 400	852	chrome.exe	92
PID 852 wrote to memory of 400	852	chrome.exe	92
PID 852 wrote to memory of 400	852	chrome.exe	92
PID 852 wrote to memory of 400	852	chrome.exe	92
PID 852 wrote to memory of 400	852	chrome.exe	92
PID 852 wrote to memory of 400	852	chrome.exe	92
PID 852 wrote to memory of 400	852	chrome.exe	92
PID 852 wrote to memory of 400	852	chrome.exe	92
PID 852 wrote to memory of 400	852	chrome.exe	92
PID 852 wrote to memory of 400	852	chrome.exe	92
PID 852 wrote to memory of 400	852	chrome.exe	92
PID 852 wrote to memory of 400	852	chrome.exe	92
PID 852 wrote to memory of 400	852	chrome.exe	92
PID 852 wrote to memory of 400	852	chrome.exe	92
PID 852 wrote to memory of 400	852	chrome.exe	92
PID 852 wrote to memory of 400	852	chrome.exe	92
PID 852 wrote to memory of 400	852	chrome.exe	92
PID 852 wrote to memory of 400	852	chrome.exe	92
PID 852 wrote to memory of 400	852	chrome.exe	92
PID 852 wrote to memory of 400	852	chrome.exe	92
PID 852 wrote to memory of 400	852	chrome.exe	92
PID 852 wrote to memory of 400	852	chrome.exe	92
PID 852 wrote to memory of 400	852	chrome.exe	92
PID 852 wrote to memory of 400	852	chrome.exe	92
PID 852 wrote to memory of 400	852	chrome.exe	92
PID 852 wrote to memory of 2196	852	chrome.exe	93
PID 852 wrote to memory of 2196	852	chrome.exe	93
PID 852 wrote to memory of 3544	852	chrome.exe	94
PID 852 wrote to memory of 3544	852	chrome.exe	94
PID 852 wrote to memory of 3544	852	chrome.exe	94
PID 852 wrote to memory of 3544	852	chrome.exe	94
PID 852 wrote to memory of 3544	852	chrome.exe	94
PID 852 wrote to memory of 3544	852	chrome.exe	94
PID 852 wrote to memory of 3544	852	chrome.exe	94
PID 852 wrote to memory of 3544	852	chrome.exe	94
PID 852 wrote to memory of 3544	852	chrome.exe	94
PID 852 wrote to memory of 3544	852	chrome.exe	94
PID 852 wrote to memory of 3544	852	chrome.exe	94
PID 852 wrote to memory of 3544	852	chrome.exe	94
PID 852 wrote to memory of 3544	852	chrome.exe	94
PID 852 wrote to memory of 3544	852	chrome.exe	94
PID 852 wrote to memory of 3544	852	chrome.exe	94
PID 852 wrote to memory of 3544	852	chrome.exe	94
PID 852 wrote to memory of 3544	852	chrome.exe	94
PID 852 wrote to memory of 3544	852	chrome.exe	94
PID 852 wrote to memory of 3544	852	chrome.exe	94

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://mega.nz/file/FCxAjbJQ#4uTFkJCnbQ_aXMkoaId8cKQWso9VvB1BXQP-HEfMFxM
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4596 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffadbe09758,0x7ffadbe09768,0x7ffadbe09778
  2⤵
  PID:808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 --field-trial-handle=1868,i,14613695585588996270,8980608590237546057,131072 /prefetch:2
  2⤵
  PID:400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1868,i,14613695585588996270,8980608590237546057,131072 /prefetch:8
  2⤵
  PID:2196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1868,i,14613695585588996270,8980608590237546057,131072 /prefetch:8
  2⤵
  PID:3544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3336 --field-trial-handle=1868,i,14613695585588996270,8980608590237546057,131072 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3192 --field-trial-handle=1868,i,14613695585588996270,8980608590237546057,131072 /prefetch:1
  2⤵
  PID:3296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4512 --field-trial-handle=1868,i,14613695585588996270,8980608590237546057,131072 /prefetch:1
  2⤵
  PID:4352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4680 --field-trial-handle=1868,i,14613695585588996270,8980608590237546057,131072 /prefetch:8
  2⤵
  PID:1764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4672 --field-trial-handle=1868,i,14613695585588996270,8980608590237546057,131072 /prefetch:8
  2⤵
  PID:368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 --field-trial-handle=1868,i,14613695585588996270,8980608590237546057,131072 /prefetch:8
  2⤵
  PID:2536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 --field-trial-handle=1868,i,14613695585588996270,8980608590237546057,131072 /prefetch:8
  2⤵
  PID:4528

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3712

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5800
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5800 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:5764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
71299b4a7cc797a18b6bc2c65e6e4921

SHA1
9bfd74f15bc662c72789f41ada9c265bf5e3eabf

SHA256
14ee3f1075e1e91bd7252c1138b2e1e7285dd9d829e10a02b999bc3efe33cb01

SHA512
b22697c3a96d70b07a4362e35a2b71f8e066d9e6b24c157926e4cc7e43bfd939df0923cda389793bf4574917e44fed247aa2ebcb8cdbaea2d887771efebe4769

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
dc2cb5816288f53a1fe1dee75b680fcf

SHA1
f7b67bdb00802165b320bdd95130fe87688489b5

SHA256
a8f7b3e5d52fad8dd91a0e9c66a79208d67b2a518cf7a754b5141e133e671e38

SHA512
32386f87f5bcd6da68b62fef6eac070a0017bbb80d306a06901d11610bd225409a5632bee8515cc28de478bd8651227d017a88c07e1a84651cdef94ea24d049a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
4f6874fd84f1518a8867ea5e35cf02fd

SHA1
aff3c42445690ccef2c0d245e80b462d9b2493b7

SHA256
a876e2115f48c1887422516667a6a19e04633ec02a07abb6cfb116601e911266

SHA512
cd8b9944908abab210debb87e1133c625d872a3fb35c5f0bd85085480a525d635920e960135a1328c4784b14bd86e86d7e0cda60d99022efe31732b9cffccc06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
fd462196545e32350e89cd933c0a27a7

SHA1
2db69c10bb1ec7f722a747a7868fbc4cbb099318

SHA256
92a8042a1e6297388499aee39dcbc68badf705f18f66076ae1b4fbc0b2ca1cb9

SHA512
590cec4f30e1e4d5d29072001da30648bcc1f96207520b6b17b767effcd117788f1a5d0df1e40526ec46de7ae6b724e14d0ab487394cf261f6837234bcbd175f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
9eb62ee1564a9f164d15b11d690f1824

SHA1
93b841111e7915b1130812e37b8f4cd3374d88c5

SHA256
adc09c4556a401d0c059984459a74f20762a655a461306ccafde1d44f7723d2a

SHA512
4f23807ac977fb42e9382e6612edb37cf21303668cc1b769576e18925f2bc59d04aa06b5dea418b3f4320532bfc5f58062282a39eeccfdee0bb74b01bb5d0a90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
d6cf131b0d31a3e41471a340e0a5e401

SHA1
c4181097b254c70ceca75f1cb192c29f965299d2

SHA256
c43fbf80471117f4ce69371400698edd3465831feae3d0a7633582e9cdfd3efe

SHA512
d21be2e206c4e1b300fa03ad3ea02486f3ce4939457797e5dcf62d210bf5caa9d0392e6764aabf4033e3540d8fa83b100656f893b7b8229dfb4c9861e9d25e6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\phzg4yt\imagestore.dat

Filesize
6KB

MD5
4190ab65bb1bdf63dcc670be4a620ef8

SHA1
323e874cf30e7bb797b04175cbde731677ba9ec2

SHA256
ec36ecb34d297416f686f7892e447b31350f152a206c12e1226569a80c8d30d8

SHA512
88fc25bbbaec23cce0e9e9dcd1ec596df029b957293b67347843d3ace3244c0ca73788226071c419a6c1e8772d6a6e73b394c65c7be778589d7024bbf6545436

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\phzg4yt\imagestore.dat

Filesize
6KB

MD5
4190ab65bb1bdf63dcc670be4a620ef8

SHA1
323e874cf30e7bb797b04175cbde731677ba9ec2

SHA256
ec36ecb34d297416f686f7892e447b31350f152a206c12e1226569a80c8d30d8

SHA512
88fc25bbbaec23cce0e9e9dcd1ec596df029b957293b67347843d3ace3244c0ca73788226071c419a6c1e8772d6a6e73b394c65c7be778589d7024bbf6545436

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4VT6R2QM\favicon[1].ico

Filesize
6KB

MD5
72f13fa5f987ea923a68a818d38fb540

SHA1
f014620d35787fcfdef193c20bb383f5655b9e1e

SHA256
37127c1a29c164cdaa75ec72ae685094c2468fe0577f743cb1f307d23dd35ec1

SHA512
b66af0b6b95560c20584ed033547235d5188981a092131a7c1749926ba1ac208266193bd7fa8a3403a39eee23fcdd53580e9533803d7f52df5fb01d508e292b3

Download Submit