hxxps://carlossafinos[.]com/src-docs-645c97db4ccb0/category-json-645c97db4ccb1/?mJuSKyyHj=amFyaXptZW5kaUB6ZXJ5YS5vcmc=

Resubmissions

12/05/2023, 08:31

230512-kerp8scd48 8

12/05/2023, 08:28

230512-kdh2psef3y 8

Analysis

max time kernel
87s
max time network
90s
platform
windows10-2004_x64
resource
win10v2004-20230220-es
resource tags

arch:x64arch:x86image:win10v2004-20230220-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
12/05/2023, 08:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://carlossafinos.com/src-docs-645c97db4ccb0/category-json-645c97db4ccb1/?mJuSKyyHj=amFyaXptZW5kaUB6ZXJ5YS5vcmc=

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D9DE11EA-F0AF-11ED-BDA2-C6A25D41C1AD} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\LinksExplorer	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80a46db5bc84d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31032508"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\LinksExplorer\LinksType = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\LinksBar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2936716667"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31032508"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 502883b5bc84d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\LinksExplorer\Width = "290"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\LinksExplorer\LinksType = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000eb827cf93ddd146af8365c0e3ca1302000000000200000000001066000000010000200000007199c7b6e282ba114893e87b80bde0bffee21946b57304c51da88531e60d9002000000000e8000000002000020000000fcc58cbdb42ac6d7dc1044120588e3a1a79b55f17094ab6bd85acea84376bc1d20000000c167c126fe1470ef1fcc8b1e3b1daf3b386c2b465144e24a0aae1ca354ac59d840000000b7912e592421058ed021e54755b478c1376d97c4156b29b248a1dca8d198eec91c31e4fda67d47c15f3b82c9a6649bf8df35c8b2be9c9c118df2d625697fb733	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000eb827cf93ddd146af8365c0e3ca13020000000002000000000010660000000100002000000061ee964643e44eb687076fc01ab1179cc946a3a93826e7ff2e6694393035b654000000000e800000000200002000000030606837fcf4af86926ab525df6c022318f8606eeb8f9de2dc4cba3882f2e72a20000000dca9b16ad0efbdaebcc368cf6934636d33f02d59d3e4e7d6cb1dcefd427a54a340000000b557466aafadc99e212b1ed3daaf558433dcd944cbc46b9f552b53a3f9fe9c133c45071016d5ddd4e26fd4483517de45f558f905a63be34b2191382d82df967c	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{01595994-F0B0-11ED-BDA2-C6A25D41C1AD} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2936716667"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\LinksBar\MarketingLinksMigrate = 9731bf4db045d901	iexplore.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133283609964528527"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4980	chrome.exe
4980	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1048	iexplore.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
4940	iexplore.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
1048	iexplore.exe
4980	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
4940	iexplore.exe
4940	iexplore.exe
1308	IEXPLORE.EXE
1308	IEXPLORE.EXE
1308	IEXPLORE.EXE
1308	IEXPLORE.EXE
1048	iexplore.exe
1048	iexplore.exe
560	IEXPLORE.EXE
560	IEXPLORE.EXE
1048	iexplore.exe
560	IEXPLORE.EXE
560	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 1308	4940	iexplore.exe	82
PID 4940 wrote to memory of 1308	4940	iexplore.exe	82
PID 4940 wrote to memory of 1308	4940	iexplore.exe	82
PID 4980 wrote to memory of 3108	4980	chrome.exe	92
PID 4980 wrote to memory of 3108	4980	chrome.exe	92
PID 4980 wrote to memory of 4104	4980	chrome.exe	94
PID 4980 wrote to memory of 4104	4980	chrome.exe	94
PID 4980 wrote to memory of 4104	4980	chrome.exe	94
PID 4980 wrote to memory of 4104	4980	chrome.exe	94
PID 4980 wrote to memory of 4104	4980	chrome.exe	94
PID 4980 wrote to memory of 4104	4980	chrome.exe	94
PID 4980 wrote to memory of 4104	4980	chrome.exe	94
PID 4980 wrote to memory of 4104	4980	chrome.exe	94
PID 4980 wrote to memory of 4104	4980	chrome.exe	94
PID 4980 wrote to memory of 4104	4980	chrome.exe	94
PID 4980 wrote to memory of 4104	4980	chrome.exe	94
PID 4980 wrote to memory of 4104	4980	chrome.exe	94
PID 4980 wrote to memory of 4104	4980	chrome.exe	94
PID 4980 wrote to memory of 4104	4980	chrome.exe	94
PID 4980 wrote to memory of 4104	4980	chrome.exe	94
PID 4980 wrote to memory of 4104	4980	chrome.exe	94
PID 4980 wrote to memory of 4104	4980	chrome.exe	94
PID 4980 wrote to memory of 4104	4980	chrome.exe	94
PID 4980 wrote to memory of 4104	4980	chrome.exe	94
PID 4980 wrote to memory of 4104	4980	chrome.exe	94
PID 4980 wrote to memory of 4104	4980	chrome.exe	94
PID 4980 wrote to memory of 4104	4980	chrome.exe	94
PID 4980 wrote to memory of 4104	4980	chrome.exe	94
PID 4980 wrote to memory of 4104	4980	chrome.exe	94
PID 4980 wrote to memory of 4104	4980	chrome.exe	94
PID 4980 wrote to memory of 4104	4980	chrome.exe	94
PID 4980 wrote to memory of 4104	4980	chrome.exe	94
PID 4980 wrote to memory of 4104	4980	chrome.exe	94
PID 4980 wrote to memory of 4104	4980	chrome.exe	94
PID 4980 wrote to memory of 4104	4980	chrome.exe	94
PID 4980 wrote to memory of 4104	4980	chrome.exe	94
PID 4980 wrote to memory of 4104	4980	chrome.exe	94
PID 4980 wrote to memory of 4104	4980	chrome.exe	94
PID 4980 wrote to memory of 4104	4980	chrome.exe	94
PID 4980 wrote to memory of 4104	4980	chrome.exe	94
PID 4980 wrote to memory of 4104	4980	chrome.exe	94
PID 4980 wrote to memory of 4104	4980	chrome.exe	94
PID 4980 wrote to memory of 4104	4980	chrome.exe	94
PID 4980 wrote to memory of 3576	4980	chrome.exe	95
PID 4980 wrote to memory of 3576	4980	chrome.exe	95
PID 4980 wrote to memory of 5084	4980	chrome.exe	96
PID 4980 wrote to memory of 5084	4980	chrome.exe	96
PID 4980 wrote to memory of 5084	4980	chrome.exe	96
PID 4980 wrote to memory of 5084	4980	chrome.exe	96
PID 4980 wrote to memory of 5084	4980	chrome.exe	96
PID 4980 wrote to memory of 5084	4980	chrome.exe	96
PID 4980 wrote to memory of 5084	4980	chrome.exe	96
PID 4980 wrote to memory of 5084	4980	chrome.exe	96
PID 4980 wrote to memory of 5084	4980	chrome.exe	96
PID 4980 wrote to memory of 5084	4980	chrome.exe	96
PID 4980 wrote to memory of 5084	4980	chrome.exe	96
PID 4980 wrote to memory of 5084	4980	chrome.exe	96
PID 4980 wrote to memory of 5084	4980	chrome.exe	96
PID 4980 wrote to memory of 5084	4980	chrome.exe	96
PID 4980 wrote to memory of 5084	4980	chrome.exe	96
PID 4980 wrote to memory of 5084	4980	chrome.exe	96
PID 4980 wrote to memory of 5084	4980	chrome.exe	96
PID 4980 wrote to memory of 5084	4980	chrome.exe	96
PID 4980 wrote to memory of 5084	4980	chrome.exe	96

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://carlossafinos.com/src-docs-645c97db4ccb0/category-json-645c97db4ccb1/?mJuSKyyHj=amFyaXptZW5kaUB6ZXJ5YS5vcmc=
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4940 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd11539758,0x7ffd11539768,0x7ffd11539778
  2⤵
  PID:3108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 --field-trial-handle=1816,i,4927479731950597538,2144171594751206742,131072 /prefetch:2
  2⤵
  PID:4104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1816,i,4927479731950597538,2144171594751206742,131072 /prefetch:8
  2⤵
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2252 --field-trial-handle=1816,i,4927479731950597538,2144171594751206742,131072 /prefetch:8
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3176 --field-trial-handle=1816,i,4927479731950597538,2144171594751206742,131072 /prefetch:1
  2⤵
  PID:4348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3300 --field-trial-handle=1816,i,4927479731950597538,2144171594751206742,131072 /prefetch:1
  2⤵
  PID:2920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4524 --field-trial-handle=1816,i,4927479731950597538,2144171594751206742,131072 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4680 --field-trial-handle=1816,i,4927479731950597538,2144171594751206742,131072 /prefetch:8
  2⤵
  PID:692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4656 --field-trial-handle=1816,i,4927479731950597538,2144171594751206742,131072 /prefetch:8
  2⤵
  PID:1972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4996 --field-trial-handle=1816,i,4927479731950597538,2144171594751206742,131072 /prefetch:8
  2⤵
  PID:2956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5112 --field-trial-handle=1816,i,4927479731950597538,2144171594751206742,131072 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3932 --field-trial-handle=1816,i,4927479731950597538,2144171594751206742,131072 /prefetch:8
  2⤵
  PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 --field-trial-handle=1816,i,4927479731950597538,2144171594751206742,131072 /prefetch:8
  2⤵
  PID:3896

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:860

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1048
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1048 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
fe665eac0adae529970707663223600c

SHA1
38373798a43e9328617153e6c3b7591056808b3f

SHA256
bd0544b0e8cae2a244a1323f69477649e83e6b9b8c3b7d7e40f3fd0b54a545f9

SHA512
9c0c18e1464de37f2ace1fd5033245821dfa1cf55c68aae56af560131c5320ebe33b228062934e33c385c6ee4ed1fa5a34de1ee203ff2ddc8ab73b9b3a8eaaba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
abbfabb183f6cc09fe352c151b7a05e4

SHA1
0c26141ec7a31f3a1c5a14f06611135c365a5943

SHA256
4af263179809d649d236999f5b4b5ec38b2e2c9e0fba42aa470e57bd964c7849

SHA512
abb3b9381682147fb60871e4484cc4dec11112d4a05e44a3a1d3fbac535a653dc466dc01c954d1086209b941d00c28875bb73d24a364afab5906e6c7a1cbf077

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
28365cd06fcfbb51d0a379000fdb26b4

SHA1
bd8023773e38d481a54b1f841d736c444640b8c2

SHA256
6532045cc54274a297bf210d2ccbae5181366bb3f7bc2941652ad8f983dbbdf1

SHA512
284b6999c109b99bb856e036c16acd40eb576b8ff27fc3eefa55f51f3092818e9090c07026495ca05dac151dcd450f6f72d0870f76429d786ab504d4ff4726c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
22c799d35eea5c56cb1418225d2ab32e

SHA1
336cdc070503bb4b815721027dad8708fad6853d

SHA256
42cb66f176e439373ae03f6aab222214d64fd8ccaaa2b166772b0dde5c90fc9a

SHA512
f06d4d40acd286b01182f2fde8915303d8fc1dd1c49b74759c0a479cd7496a06a78256f82a8e877282582ac2db6731fa74f0accca0a395c96071cecde0042857

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
5cd172e186fb02d74d8e7719341ea734

SHA1
54cddbcd17469ffb8cb04d7357a45fcb97661655

SHA256
542f9ba344977ac2c78ff56238f84734d50859c3cf1875f346cf85a674262bec

SHA512
968af7c1377494cb41e197a9816eedaccd2178f543741b7fe775fb8027a6966b9c647a77bcc784ae1fc01a302b88ab9cd9c3a6401fe5e6705fc50f74529489d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
a36e5adb2e3782a6f82137acfe8c5148

SHA1
6c744dd3e13fe09088a82d9ea1e466f679a0dd49

SHA256
f79cd72daf8b217260044a4663041c2c0c9eda6dae3a773a035c910f8ee6f0e5

SHA512
79291956a6f94fd124ac0ba44f725a5dd3da610978ec9199e75830adbba3b49705413a30d93efd42135627ae29a5a60da94c28a121874edfd5b22e7f916a266d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
8f959688f07802d4a899112c2a093668

SHA1
e87b7c0fa3337d2a7dfaf6e6d62ea6a4f3c87348

SHA256
5236ca75429624200118a09f089bb6904bfd04c35c5a886b0bbeea48f0412af2

SHA512
72a40b746c5a316792050d0b1db68dde6e179ff1af0289acd860d50143590e0b74be46c97b224d98e91b6a2ed0a51e48231f1b2b3098a906436c7175c7d78174

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
149KB

MD5
4656f7ac06e5d2c3acbc3ff6b5b57a57

SHA1
58fb74461dab1f4aa47273f9f067e29fdf589dda

SHA256
a76dd1583ddf0e96c77c8d639defac1f975d3594fd776de805d9038206a02010

SHA512
cf080bbd34c38c9969fdab019f994fb5c0f30519a6fd3f700e6122692026e8c297f24fdeaf7d6591787645d25ca79d3b5899b4cec209cd61b47d1d0ffa37a24f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\c99ae915-b78c-4dab-bf72-49c96404e9d6.tmp

Filesize
149KB

MD5
a1b3b60022af33262de8e76a8e76daed

SHA1
029fd6e4fcc844456b2823295f57f7567019a64c

SHA256
ac2482233ca15dec5c2bda7204f43415898a3d3dc3636dd183992e3ea465915e

SHA512
cc5d9a5dd173a920b94137f1ad678499eb99cc6eac1da84f4f2dac8550cfb9a3337bf7d66ee00bbabe282d7b7b4d2508a3682cd1ffebaf98e5d1e0d400ba9684

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{D5C678B6-B162-11ED-BD9A-CA19256A63B9}.dat

Filesize
5KB

MD5
b2d0f79e52e5a9e70e2c2191918b24ce

SHA1
54a248676864da9564fa53b53ebfaf9e2f7435bb

SHA256
78dd0b5f881462ab1d274c2f2dc3c4e8ee6e9275401f8000ae11470bbf1e94a1

SHA512
3a0a2e26a88d002c7850d8ad071690cf07ee39c8cc1ddd20a82bb5ed70e6e9b0dcfcbf8d54582ce49418a7b1c65f22e1dd1d239e8d1e550717bc0b260b3d57ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFE68D17DD801D7AF5.TMP

Filesize
20KB

MD5
f0d6bb66e2fc492dc125491a49b93031

SHA1
1ee47c2dfb2b1b8973d6f9cfc4f5b1090ba5f954

SHA256
a0fdd2cffb690009a53a7a98c11fb08e76572197f4a72f9d0cb69f2dbf4ca6db

SHA512
d5647641c4107021e0925ef5db0cec14ba53ad88bb7e9d5fe12245ac6b107d32d8145109d06dce74dbd4a583e75f5086c0744976415b2d9ba87501cc732bda9c

Download Submit