hxxp://redeem-lunarclient[.]shop

Analysis

max time kernel
1050s
max time network
1012s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2023 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://redeem-lunarclient.shop

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 20 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000030ecd792a5cce48a7a2634cefd88412000000000200000000001066000000010000200000000eaa89fd3a04803408e524512950f6e6dbd18ca4f9135854a16f28c067e9a45f000000000e80000000020000200000000059030456bba974436dc110ce9c82bbd83d6a5a7873400d1f883a5847d4f76e20000000843bc72d100e0eebabc60476356c7c129ed086555d70ed2d6dd7d71fa9207a3c400000009583dc9b7f32ce79044390a747ca8fd946715b43f35ab0bb96b1f4992d3f73326fdbcdf2f5b4203c32ba11f7f3d7dea6b1e9979fdd7d79b65b72a6da437e9549	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{40EDEC64-FAE0-11ED-ABF7-5603A1288413} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0101e17ed8ed901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000030ecd792a5cce48a7a2634cefd884120000000002000000000010660000000100002000000008adae5dffb6677a59ef5a0298782bafd0bf069c44cc80288499b58318a30393000000000e8000000002000020000000f71c2d8c819464dfcf9ea6ff7205971bc1344eeb6681bce00b9d3103a2ac8e21200000004116d1bc4ca068c64016bfeaf1734ea8462812db09fb37a58aa639298f696856400000002654deeac23a435ccf75c48f0b0c444e4c81eb3f257e2d6bd0d0d8360f5aad5c4bd826d95e8e518a0d1011dbfaf154ad70ec5e1f2afc7bf5b6fa0ae370bb6dcd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0de3517ed8ed901	iexplore.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133294813096661603"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1476	chrome.exe
1476	chrome.exe
1916	chrome.exe
1916	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeCreatePagefilePrivilege	1476	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
5052	iexplore.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5052	iexplore.exe
5052	iexplore.exe
2116	IEXPLORE.EXE
2116	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 2116	5052	iexplore.exe	85
PID 5052 wrote to memory of 2116	5052	iexplore.exe	85
PID 5052 wrote to memory of 2116	5052	iexplore.exe	85
PID 1476 wrote to memory of 3936	1476	chrome.exe	90
PID 1476 wrote to memory of 3936	1476	chrome.exe	90
PID 1476 wrote to memory of 5068	1476	chrome.exe	91
PID 1476 wrote to memory of 5068	1476	chrome.exe	91
PID 1476 wrote to memory of 5068	1476	chrome.exe	91
PID 1476 wrote to memory of 5068	1476	chrome.exe	91
PID 1476 wrote to memory of 5068	1476	chrome.exe	91
PID 1476 wrote to memory of 5068	1476	chrome.exe	91
PID 1476 wrote to memory of 5068	1476	chrome.exe	91
PID 1476 wrote to memory of 5068	1476	chrome.exe	91
PID 1476 wrote to memory of 5068	1476	chrome.exe	91
PID 1476 wrote to memory of 5068	1476	chrome.exe	91
PID 1476 wrote to memory of 5068	1476	chrome.exe	91
PID 1476 wrote to memory of 5068	1476	chrome.exe	91
PID 1476 wrote to memory of 5068	1476	chrome.exe	91
PID 1476 wrote to memory of 5068	1476	chrome.exe	91
PID 1476 wrote to memory of 5068	1476	chrome.exe	91
PID 1476 wrote to memory of 5068	1476	chrome.exe	91
PID 1476 wrote to memory of 5068	1476	chrome.exe	91
PID 1476 wrote to memory of 5068	1476	chrome.exe	91
PID 1476 wrote to memory of 5068	1476	chrome.exe	91
PID 1476 wrote to memory of 5068	1476	chrome.exe	91
PID 1476 wrote to memory of 5068	1476	chrome.exe	91
PID 1476 wrote to memory of 5068	1476	chrome.exe	91
PID 1476 wrote to memory of 5068	1476	chrome.exe	91
PID 1476 wrote to memory of 5068	1476	chrome.exe	91
PID 1476 wrote to memory of 5068	1476	chrome.exe	91
PID 1476 wrote to memory of 5068	1476	chrome.exe	91
PID 1476 wrote to memory of 5068	1476	chrome.exe	91
PID 1476 wrote to memory of 5068	1476	chrome.exe	91
PID 1476 wrote to memory of 5068	1476	chrome.exe	91
PID 1476 wrote to memory of 5068	1476	chrome.exe	91
PID 1476 wrote to memory of 5068	1476	chrome.exe	91
PID 1476 wrote to memory of 5068	1476	chrome.exe	91
PID 1476 wrote to memory of 5068	1476	chrome.exe	91
PID 1476 wrote to memory of 5068	1476	chrome.exe	91
PID 1476 wrote to memory of 5068	1476	chrome.exe	91
PID 1476 wrote to memory of 5068	1476	chrome.exe	91
PID 1476 wrote to memory of 5068	1476	chrome.exe	91
PID 1476 wrote to memory of 5068	1476	chrome.exe	91
PID 1476 wrote to memory of 2376	1476	chrome.exe	92
PID 1476 wrote to memory of 2376	1476	chrome.exe	92
PID 1476 wrote to memory of 3448	1476	chrome.exe	93
PID 1476 wrote to memory of 3448	1476	chrome.exe	93
PID 1476 wrote to memory of 3448	1476	chrome.exe	93
PID 1476 wrote to memory of 3448	1476	chrome.exe	93
PID 1476 wrote to memory of 3448	1476	chrome.exe	93
PID 1476 wrote to memory of 3448	1476	chrome.exe	93
PID 1476 wrote to memory of 3448	1476	chrome.exe	93
PID 1476 wrote to memory of 3448	1476	chrome.exe	93
PID 1476 wrote to memory of 3448	1476	chrome.exe	93
PID 1476 wrote to memory of 3448	1476	chrome.exe	93
PID 1476 wrote to memory of 3448	1476	chrome.exe	93
PID 1476 wrote to memory of 3448	1476	chrome.exe	93
PID 1476 wrote to memory of 3448	1476	chrome.exe	93
PID 1476 wrote to memory of 3448	1476	chrome.exe	93
PID 1476 wrote to memory of 3448	1476	chrome.exe	93
PID 1476 wrote to memory of 3448	1476	chrome.exe	93
PID 1476 wrote to memory of 3448	1476	chrome.exe	93
PID 1476 wrote to memory of 3448	1476	chrome.exe	93
PID 1476 wrote to memory of 3448	1476	chrome.exe	93

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://redeem-lunarclient.shop
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5052 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc83e19758,0x7ffc83e19768,0x7ffc83e19778
  2⤵
  PID:3936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 --field-trial-handle=1812,i,5109470741554189434,11792112505448133454,131072 /prefetch:2
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1812,i,5109470741554189434,11792112505448133454,131072 /prefetch:8
  2⤵
  PID:2376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 --field-trial-handle=1812,i,5109470741554189434,11792112505448133454,131072 /prefetch:8
  2⤵
  PID:3448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3172 --field-trial-handle=1812,i,5109470741554189434,11792112505448133454,131072 /prefetch:1
  2⤵
  PID:876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3304 --field-trial-handle=1812,i,5109470741554189434,11792112505448133454,131072 /prefetch:1
  2⤵
  PID:484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4452 --field-trial-handle=1812,i,5109470741554189434,11792112505448133454,131072 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4436 --field-trial-handle=1812,i,5109470741554189434,11792112505448133454,131072 /prefetch:8
  2⤵
  PID:2508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4728 --field-trial-handle=1812,i,5109470741554189434,11792112505448133454,131072 /prefetch:8
  2⤵
  PID:4316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4580 --field-trial-handle=1812,i,5109470741554189434,11792112505448133454,131072 /prefetch:1
  2⤵
  PID:2032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 --field-trial-handle=1812,i,5109470741554189434,11792112505448133454,131072 /prefetch:8
  2⤵
  PID:3132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5172 --field-trial-handle=1812,i,5109470741554189434,11792112505448133454,131072 /prefetch:8
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 --field-trial-handle=1812,i,5109470741554189434,11792112505448133454,131072 /prefetch:8
  2⤵
  PID:4652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5336 --field-trial-handle=1812,i,5109470741554189434,11792112505448133454,131072 /prefetch:1
  2⤵
  PID:656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3460 --field-trial-handle=1812,i,5109470741554189434,11792112505448133454,131072 /prefetch:1
  2⤵
  PID:372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4552 --field-trial-handle=1812,i,5109470741554189434,11792112505448133454,131072 /prefetch:1
  2⤵
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4888 --field-trial-handle=1812,i,5109470741554189434,11792112505448133454,131072 /prefetch:1
  2⤵
  PID:1320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3504 --field-trial-handle=1812,i,5109470741554189434,11792112505448133454,131072 /prefetch:8
  2⤵
  PID:1276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5332 --field-trial-handle=1812,i,5109470741554189434,11792112505448133454,131072 /prefetch:8
  2⤵
  PID:3484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5096 --field-trial-handle=1812,i,5109470741554189434,11792112505448133454,131072 /prefetch:8
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4688 --field-trial-handle=1812,i,5109470741554189434,11792112505448133454,131072 /prefetch:8
  2⤵
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=3508 --field-trial-handle=1812,i,5109470741554189434,11792112505448133454,131072 /prefetch:1
  2⤵
  PID:980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=4524 --field-trial-handle=1812,i,5109470741554189434,11792112505448133454,131072 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=3280 --field-trial-handle=1812,i,5109470741554189434,11792112505448133454,131072 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3484 --field-trial-handle=1812,i,5109470741554189434,11792112505448133454,131072 /prefetch:8
  2⤵
  PID:4724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=3328 --field-trial-handle=1812,i,5109470741554189434,11792112505448133454,131072 /prefetch:1
  2⤵
  PID:2660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=4484 --field-trial-handle=1812,i,5109470741554189434,11792112505448133454,131072 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3616 --field-trial-handle=1812,i,5109470741554189434,11792112505448133454,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1916

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
984B

MD5
7b283faf5dfbd6de5b1b7d810082f544

SHA1
98dae06cbe884e5786c535fda17949b072b2bd09

SHA256
c002f9ed2b50c7d1a60d4782bc8c3e0709cbb9b1fde9df704f76f4aea4e1d642

SHA512
2fb628ad9a827f52516332eb55e50816b3c095d7e68cc6e9f5630c82bbb62eed4c1c1a04efa5329bab6037e82c6e11398889036404442b11d81137a2d123cec2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
d403e39d7b3619ee44719dbe64b56408

SHA1
713bb43be636e16b16b3ba21bdf7627225d2b116

SHA256
b0a4f8dd6648b6b19c1a51ce0e4bb93bbcd6dc8db2499e5f241157cbcdc51856

SHA512
694192edacf69c9366a461a5901bee240839d5210dd5a4793a9b6ec32d9525897b9547489c9c52c1a21588d84efda7217a8eb27eaf4e26a45a1e9e13aaa39a61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
f6f0535cfeac12a98423ce9b8682ba38

SHA1
95197d36886141d382cfaac4c4c0bba2aa353bfe

SHA256
c9e3507f5cee3f173f7ad0293eddd8a85434d4f2199830e1acaee6bc634f9aae

SHA512
7f8d923c7043e12743bf141aff7115a4d155cb07821c3e7f54701631ee35d8bc3257f36fb712f8b9c1b47defe35f2f4d0f23cfe0c4b5292f4ab443f4daa0e834

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
6d882e24afb44facb69829378ad5272e

SHA1
096cbd04dd2aebc84ccb3d826d6b5b90360c4ca3

SHA256
e892a51424c6421f5a2c0b6f64169c2e720795d58ed66fcd2a48d9e28fba7613

SHA512
7616b36f41b4e39726af3eb456f9d972501f8ae5448944fe518f1337a8c886c95f86e20ac7bec92d7124c558975cf82b5883c8bfa087ae944dfaad20620f2636

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b97fdf6ce1c9c3a2dd6d2d0cc2091faa

SHA1
439c6169cd2bd76013fe832f916f6f506f305778

SHA256
703ee2544052c63610a560f7391356b079e96233ef171b2876c3711ddcb60d15

SHA512
c18c9c2ea9dceb796adc9b4c61760b11a81d34d421e0a0b5203cb8c778c8db63875a05de9e8d0f18880c20e51bd146480d6ec4e68f8c18823db631a6b1c04a00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0138cfb3d21e82e8167694a3187492d6

SHA1
717c7955062faf0665eecf79c87926db873fabdc

SHA256
2028cce82b5a5ea2e11d477459b2bd609ed0c261b654f6396ae2d8528bcf89cb

SHA512
ef247d81c0e11adf216cf77d77a86533454244b35755dc524fc40c9eb148d0c7960ad705c3b9266ef5fca7b91ed085bd0b606bf6f80f654c8ab2345e5aca6d00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
07d36a24e35b0dd63d9937a22d178935

SHA1
08b11e2a5d3aed429e3289954d24cc358761b6cd

SHA256
3de87c4b1fcae8f3d91ea6467d66347309001ac963a09d72e06b59cfffee7798

SHA512
7ec40e7323f8e759e21334de6181b949bb3d7c6180f4ebce8b74cd71dc1d35157f0715f4b8f1e5a55617d794584fbdfeb9017f9658146287fbceb01ad01a6e19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c58c25990b086b3e1639474e7d2322d1

SHA1
822c8555021c572c9e29354abbab98e936148fff

SHA256
8f8fef68117c412356f22867e64a338e6f30e2b5fb6085b5124a1908bb460e99

SHA512
7f8d5eaba6e0690a25021edbd526177c89cc4593e4a2a2ae96f13e9476cfd5f762288f8fb6f7d681b8b641d3f81b155ed2eeca9ccf8f11839c1f38016359958b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a77a7a382924f4f73ed657524ffba234

SHA1
ab7df216c130ee9ac993ea71f00f199c1bf1a5ba

SHA256
7d1204eac4074db502ee1abe3497c350282e0254dbc71df98af08299ca1e9576

SHA512
4ea783e6c33798bc25d89d9205f2d04f152a37e46b781e7093844bd0995f635325f4ba0c10606eccd5bde67293ac10ed1d108ca1358e1a0ab4900b2cf0b4b1b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
b7f9ce85f992833508db08306e8d0e48

SHA1
4ce5bcc781c374fe1c36c5bf7ff969538152cc25

SHA256
afa0b22f2dfb960ddef32e24caf3a9e639c164118acb2fbcedccb49679bb40ca

SHA512
9e48589694e33967f68f4c92e21649e3257b4f7eb0a52abc194a5c3f783fdd0ebe858d8d0b33d525ba6dd84417afa37e93b625c60d513d5991c96570e7985a4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
91e8e70966ea4a46d87e5b15c7ac97c2

SHA1
74db991be460135d9a9b20d915af09952d41d94e

SHA256
10e00cad39f44eb6a1945b9e56316bc12f6fb083ad102481c1bb20b5fb45f84b

SHA512
98623f1c4d6c49c12a0ed2c05f216726929d744f357ebd371201d642b4efca2710b0c6727bb4fc73b38dc4d36a4f40faa2915a615c3f452a306f9af82d142208

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
346993713d7eeaf6a77d89ee6d3b5fd4

SHA1
7ec890e117f58141ab67d9a531362d4aa02ded77

SHA256
c88ee86f8448bd78c7c5e49c407b820bb7ca4b1bc8072152fa091239c8f13af1

SHA512
66cc2ad76cef7a4193eda9840b1169508370cad1487a029bcec65ceb21da77403d291d15d82e10ad199fbba1b8919a6c1ec5353e71f9ee02e405754fd1fba7a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
56B

MD5
ae1bccd6831ebfe5ad03b482ee266e4f

SHA1
01f4179f48f1af383b275d7ee338dd160b6f558a

SHA256
1b11047e738f76c94c9d15ee981ec46b286a54def1a7852ca1ade7f908988649

SHA512
baf7ff6747f30e542c254f46a9678b9dbf42312933962c391b79eca6fcb615e4ba9283c00f554d6021e594f18c087899bc9b5362c41c0d6f862bba7fb9f83038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe57c340.TMP

Filesize
120B

MD5
9b9b6082336eb37d1042edaa003087b3

SHA1
6071a9cb76a3f230de9dcc5a3d15592358262786

SHA256
3d3913f439934ab251421ad12763f5b0b90c6c708866c76c2cb48c58451c2152

SHA512
425335e8aa35451ba857ecc7fd18eaeb2a189e9afc0d0d26943b33a7db24012e5b227e1c0bd34f9f6c79aa74fdb8dcb80d019bfabfa3ae998a2622de642309f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
153KB

MD5
6688c69a600a6da910102c197328a655

SHA1
119f15f9d65e9ca2427a42c2e18ad5f4f169011c

SHA256
cafe13b1f21fffdebc87af656323827d13bdc1f5a797daaf32830b1b0d2fc25b

SHA512
c214a4a09ba87dd1e269e33ddf540691b1edb9c2ae0e129040cc18ce7eac118f5ee019fb7c7e7d10f44a61ee07bf29f900960d5c377323775cd2a45f5357fade

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
153KB

MD5
82d081ee07c06e2c8dde83e959414d69

SHA1
9cd130a74078412684159b9402d3b1ddc9d3b24c

SHA256
ae0a3a5a31f4a06e81c725684639fbedcaf680088236634bf1a665d0a7ea41a6

SHA512
e86457a2ec19c29bbf533832d692685aa638ab99d5bebaf54d4656f3c8ac3c8bbb31813d7206ce26cada21af84c54b21f7c1286fe1d407cce3c93fcfab61ccf8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
97KB

MD5
0e581fdc8b6317585b655860f6c727a5

SHA1
81a7ef69c612ca40553b83d113eb7a07e9c1f8b4

SHA256
7a7a1590107c293219c4278451594a8bde69571ffdb2d250ccb817398d8e9c70

SHA512
5e3c4c4dba0f89cc520fb1c83886f5710120f77d8ea3b80a05f0dd89afc2ed1b602899fdf325281529a56f2fffa25979be7230e3ffb7c2eb7541d2ac01aad1b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe581558.TMP

Filesize
96KB

MD5
45d8467c17a9445b31704272103f3938

SHA1
6340d3dce582e7d52b017215bb8afd25d2d8026d

SHA256
e506d8733b7017be06aed99f10bb596176255ba0841a6daeefd8de7963fc036b

SHA512
86901c01166a635d76db04b637939d9d48f6e05a39f836dc5d444d1ae4ffb1b36ac2f945a1bda03f237e6ddbd99a8898f8cf9489633d36f8b772c6bac89d75dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit