0748771775b1c89525067071b0996a9a7a3eda72d055ca74c185cdcba57715c0

Analysis

max time kernel
713s
max time network
706s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
03-04-2023 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FORTNITE-03-14-2.html
Size

5KB
MD5

c21af1dbcf4926583a7214ad933bc847
SHA1

da3625bccfd9aafa98b1cac7d40e936eb265cfd2
SHA256

0748771775b1c89525067071b0996a9a7a3eda72d055ca74c185cdcba57715c0
SHA512

1ceec19f5fcce45ed9d1e6f19852e23b02b8be80f50239a6ff4cc31d96252eb1f0a58fe9e37180419cdfec8674686e9eb6741d322d4263701eb2897ee5d80f95
SSDEEP

96:9suWzV3JLNDg3czfj1Z/I+jYpyuIPJjeIJumKEm2PVW:Yl715o6JjeeuUg

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000074b2d77a8e7a944ea7c282b9066208cc0000000002000000000010660000000100002000000052379dc104a56c7359c8a160c87c2caaef106bb7baf27264b1d0c830fa11dd5b000000000e8000000002000020000000a6dfd25883c42bea61b72243015b22aad42528eb0917c9dc775b82863ee2ee0190000000c426a5a479940014ee445ed9ce1ee75f37ec9f166260529b171ab43c30f5837e018cf8c7ade9d5e048c8aa5c33f2d6f46dcd99eb7bcc0433781479a7c8233cac2ed440e556f82553ac8945483f7ea58813eef91aa664d8fa2b974badcceda135018e00d0922736fae68bec4a5e81b01a46f3432354096e50eb1dcf72e1b9028a726815a59035336865b6ac6d462da12f40000000507113d76212e08c98957ccc795c657dd657350e76a8ae9b76184d7cf475269a77cdc68aaa356ab15b0141717825cef21f881aeadabcb82982a15dd0197557d0	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FB794661-D227-11ED-B8DB-D2C9D0B8F522} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000074b2d77a8e7a944ea7c282b9066208cc000000000200000000001066000000010000200000004f438b4d971ff6ba1a2e4cc04202005ba19907ffe8387f80ba02f51d2113e248000000000e80000000020000200000006932b1a88050cf0f7fa94bd03b5d6b35f740a1b77f15f3596c608cc760e3b426200000008e8b47cb1f6d3edc3035855cd6712acdfff2596aea85ff427ac57ffad1108ae740000000f74b053bb6ae2e7340dd6f2db7d17199237a6648364caac77bacfd8820be8d9f380fd2c850efb9214109dc4b985ab534f010839057476ce26e26209b1bfe6cbc	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90c09bd43466d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "387295444"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

616 chrome.exe
616 chrome.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

chrome.exeAUDIODG.EXESndVol.exe

description	pid	process
Token: SeShutdownPrivilege	616	chrome.exe
Token: SeShutdownPrivilege	616	chrome.exe
Token: SeShutdownPrivilege	616	chrome.exe
Token: SeShutdownPrivilege	616	chrome.exe
Token: 33	2488	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2488	AUDIODG.EXE
Token: 33	2488	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2488	AUDIODG.EXE
Token: 33	2404	SndVol.exe
Token: SeIncBasePriorityPrivilege	2404	SndVol.exe

Suspicious use of FindShellTrayWindow 38 IoCs

Processes:

iexplore.exechrome.exeSndVol.exe

pid	process
1424	iexplore.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
2404	SndVol.exe
2404	SndVol.exe

Suspicious use of SendNotifyMessage 36 IoCs

Processes:

chrome.exeSndVol.exe

pid	process
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
616	chrome.exe
2404	SndVol.exe
2404	SndVol.exe
2404	SndVol.exe
2404	SndVol.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1424 iexplore.exe
1424 iexplore.exe
1096 IEXPLORE.EXE
1096 IEXPLORE.EXE
1096 IEXPLORE.EXE
1096 IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exechrome.exe

description	pid	process	target process
PID 1424 wrote to memory of 1096	1424	iexplore.exe	IEXPLORE.EXE
PID 1424 wrote to memory of 1096	1424	iexplore.exe	IEXPLORE.EXE
PID 1424 wrote to memory of 1096	1424	iexplore.exe	IEXPLORE.EXE
PID 1424 wrote to memory of 1096	1424	iexplore.exe	IEXPLORE.EXE
PID 616 wrote to memory of 1604	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1604	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1604	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1688	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1688	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1688	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1688	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1688	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1688	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1688	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1688	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1688	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1688	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1688	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1688	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1688	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1688	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1688	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1688	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1688	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1688	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1688	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1688	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1688	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1688	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1688	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1688	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1688	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1688	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1688	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1688	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1688	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1688	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1688	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1688	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1688	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1688	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1688	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1688	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1688	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1688	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1688	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1504	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1504	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1504	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1792	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1792	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1792	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1792	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1792	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1792	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1792	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1792	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1792	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1792	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1792	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1792	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1792	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1792	616	chrome.exe	chrome.exe
PID 616 wrote to memory of 1792	616	chrome.exe	chrome.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\FORTNITE-03-14-2.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1424

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1424 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6179758,0x7fef6179768,0x7fef6179778
2⤵
PID:1604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1096 --field-trial-handle=1352,i,13454297320014343036,9460002412282507693,131072 /prefetch:2
2⤵
PID:1688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1352,i,13454297320014343036,9460002412282507693,131072 /prefetch:8
2⤵
PID:1504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1628 --field-trial-handle=1352,i,13454297320014343036,9460002412282507693,131072 /prefetch:8
2⤵
PID:1792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1624 --field-trial-handle=1352,i,13454297320014343036,9460002412282507693,131072 /prefetch:1
2⤵
PID:1952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2312 --field-trial-handle=1352,i,13454297320014343036,9460002412282507693,131072 /prefetch:1
2⤵
PID:1864

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:928

C:\Windows\system32\SndVol.exe
SndVol.exe -f 45745297 7784
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2404

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x58c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
1847872bd6113a32af5e1c5610eeb0f5

SHA1
a3549effffe9cf0f6ff227bb5f267863b8ad8684

SHA256
0bc7dbadc7762d3cfa954d6b10fab7f0d32cebdd44552f97295b0b3b4fffbfc4

SHA512
ccbcf40d9739ee5b8ec43ed104f81d2adaf0788f65e0c86148244f5758d043fe39ecf82ac7a6ae73cebbc53a065a3a22ac06144f915240846550b03ca2b6e1ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
b4a1523d416686f3db5f7789942cdc1c

SHA1
7d1f4b635736cf0c2bcf2ae9a5a1bf743ef34de8

SHA256
311b5fd8911093dbea4d180667fb82212ac4881c56453082f5a47a377ae40ee9

SHA512
d60a7e5c45339c7649655e9cb0dff21292ffceca13d4cf31108272b181a56aaa87e2915fa6b4b688b2abcc8956b6ac05e40c40547e63f44bc6170417c49cf7e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
8383aa9e68651757d41abacf41e21d90

SHA1
28d3689578c6353dca3d42bb57a39c4a6097010a

SHA256
6c8348d2975aa041317d1829a5d9af3855fe84144fbf3763f110d22bfa79923a

SHA512
9b39d422c06188be3ae87ee9f5db5ec9ef761f3f661c7b75f40a17029ca8ef71b91e3bc5b7d91979b8198639a96265e8c311f94113d13fa0ec6fee687079f7a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
a02f265e7028ef9d7b0ef4866976ef64

SHA1
7f57e417f4dce45eedab0cd2ff1c1359fada1bf4

SHA256
5d441dd8120ae1410c0bf2a07fcbca977cf416cb340485bdf7774961fe81020d

SHA512
6075c3920929bba866f5dda5f99be814edfa6040ed970d9a10e1ac3d67fd222d87e0242019a2f3b1650b571b4f4e2c5f1adddf59ce61ecf357449885e9110100

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
9c6b65ab0307c7fafea69f929cb243d8

SHA1
e9cd777b90d4cfb28d9432629b4dbce4cbf53f3d

SHA256
84c31cc8f5948d31329c8a4ea9adb056f152ade03ae34d15b2d95be70354f2ae

SHA512
95fbefd54cd18b61da6b4e2b892dcee5e5e259760fb2d2e862a0a5c5e253a7d2cb14a8f7f216ed1def37ea0e19fdc24a6a0d81ed84b81254539aec5bd6e075fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
5c7f88bd98c163c87bffdc1bd1971c38

SHA1
2e0aedf2fb9a9e83e71520b79481a471fb6c4fa3

SHA256
f8184194f4db321a34e2493cb45efbfce0a306b4a106a918db3f9fe061680d62

SHA512
18ec52933f5f1d4f254a0314f0920c2b98b4b0e53983a583d16f5ff93533a9a12eb05340020e63a3c60e7cf8c9a8879e47b0a3b5a4dabbb35b692cb9c08c77b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
ba4540c550ff8be5f24b49f454ed7d67

SHA1
bd3587e1b64d0d6dcd0cea655aa4b2e73e77bbed

SHA256
7da6f671617358ef127a1c883e8e020ded2e2f054b1afd57f6538ecb259c8e7f

SHA512
b64d22943f93de0f7bc909b20e870bb46b3af2aa232e105083f742e1cb34393b5997016019d24e88af5aee53affede2178dea9701e23c078c37411d42b916638

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
3948d8c5422d33ea536f3889db4d55fa

SHA1
b23aba902cca0816352e8d7ce4d3ce5040d8a863

SHA256
650b6752115e82ac84d29d8c875d9cb25b5fe4c4d0cb1185b987d4aa70fbc43a

SHA512
020701797cb75711dff6aed67b44b975edffbaa1b26fad9becbe03d02ce9301bd212b7606a22ab915ad473b9f9a1d9c6f483bebbd54dcf3e61c7676a83acc51b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
bb81ecf3d4152629aaa78fbe7abe42d6

SHA1
7f95bcef0539ccab9d20f2a2ab88259f4c3d49f2

SHA256
69cb1575d8dca23b1526a2a477081022311d09825a55ca7e35dffd8efc3dd07f

SHA512
85ca13ca0884c91d08ef4369341d9551a567ec297e66ac9986562768b940ed2e671f7e511626f5fcac86be6561302fe19bb7662ab0b9a199e5cff2e33178641e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
3dd388482df067fe79be68bc4b08d170

SHA1
b990831c44bf57af0c2c18655cfca689f6f5eb59

SHA256
843d63d335e1b57bb336d2319022f1779466c1a374be3c5630a8f2e7ab17b7dc

SHA512
3b07693258568ed2817da5b727ad774f77f938d7e969c2ebb79c00e7c46ae45c969cfb0a0fcba0b70b1df1b67d15cf3a55fac695dac58aa39d11abe60001497c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
e2b1c02fc8c7d44b2dd362ccbd6f3f08

SHA1
f6cf78d8008c6ff56ca39c3f9cb20f8e7bf2be12

SHA256
5c6c0fe07c3f26ec9cad7d7651c58dc2ce203e9a22f242b724114f6d8bf5cf5b

SHA512
7e3184826cdd6370b45a0eb9e448aa7d4bfb7cf192fbb6dad9eb0ac1064d240ea5dd2eb5eea77a7f7d60c21eec59373e244b96118ab546ff3905b0637d167893

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
38b54938158cae72648313972b68125f

SHA1
d7bc21458f3f8306050af1e69a52b4089ac859b2

SHA256
39115e844b0f0a2ecd69733dc157b20828052e4c2af817135aebd237737b580b

SHA512
dd7a437271b428d1c7055ad3df7d8945044e026eb457e759058a8b9eaa2e845a92e4ea80251e1e59df0c1f21bfd268f1312826d11e81763be9ac791ef772d230

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000004.dbtmp
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\d4984846-7740-44ad-b147-2e61cf9584f4.tmp
Filesize
174KB

MD5
f70f06c591b7c577ebd2ce73d444dbc3

SHA1
cd055db5ffab175bdcacf1626aed610f24d161f5

SHA256
cb5d5b7c579e9e403a02a173084156092eec3e687fdd84de6f456917a7a274ed

SHA512
d2201597cbbba1fa2c6b046d9c4961acb0436a2bcec3e02cbc041d71ff2e55cc999314a6901700010f2c064349c7a2bc62f4e8c8ea89d6a280cff0990855db2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QCNSQOTT\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3BAB.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3D59.tmp
Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\00PL11OO.txt
Filesize
608B

MD5
4d7ee38636dab65fac2972f130887eb7

SHA1
02b22ae3ebbff5b072cc9d0f2711f658abb390e3

SHA256
2d8e3543efbbf2adbbf603d695e588d3f2922b8d19fa7b071e375e5f98525e55

SHA512
3c9fbcd9d038e7abf25ac1a8c73f4b62f8c63fa30c809836c8759095a196159f47b96919ddb9aff26bd6c9928ada6c2c9c01a83f9784f883f29e1c965ad3b938

Download Submit
\??\pipe\crashpad_616_ILTRVVRIJWTZEISE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2404-664-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download