3f9f090495745e9e0dab12b90f3f327c4b440ed528a12bf2ad9d9e28f75492f6

Analysis

max time kernel
132s
max time network
152s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
28-06-2023 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VSMA2biL.html
Size

2KB
MD5

d4822f078c08991bc098f36191dac13d
SHA1

81d75fc6905baac0e8960fd7175b96eb37d8a601
SHA256

3f9f090495745e9e0dab12b90f3f327c4b440ed528a12bf2ad9d9e28f75492f6
SHA512

d7edab496d56c9ec7ced99f591d54aacbe30c2bb7fdf41ebe877291de0e3d318a1dabe2f72a66a5a51ccfb479ed527576ad4848984d67423f561f0b764d9cb2b

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 54 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\TypedURLs\url5 = "https://login.live.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\TypedURLs	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url4 = 0000000000000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000007d43243bbdc854aae23aa742990f40b00000000020000000000106600000001000020000000650b69aba2d6d1deff4dbc516ce7d96bbec138603eaea5bfb5e59bfbd9cdf869000000000e800000000200002000000060ab18d1f242daea7cc4fd8036860f0d9ad74b40b0692f8cf2d8a84c2c8b3c7520000000d30328e302bdebdb269ba1597161257333b56ab764a9ab2b270f08d198f6591f400000008ee3fea6c89d8783abeffc11cf0a846e4c581e4605ff7de80c6f04ea33ddd1334c6567559d2315586dd531e679c133c7d61ba0525482e8ad7e8c9db127070701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\TypedURLsTime	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000007d43243bbdc854aae23aa742990f40b00000000020000000000106600000001000020000000af14757e8fa7618d96ae0e2d357ad1c58d3bcc9021c2a614bbbc4bd14196fbdb000000000e80000000020000200000003380469bb678d779b35b83a07b75a0a8b5d0883c78c1aa98d1ecee76ee825aad900000001f63219e5aa21373cf8911f071e06f381698ca1c913313a5d29efed82505260a9fe76133e65e219d60bd4be9abda1e04050b60bb3aee4e22835bf0a52d07ee9c70b7d5adc78adc9cc89b5fd2f210ac04c07e2782f37c984d5c7fd0f0a30f67fcff5834d3f417210e77c0a62abf020be49776fe519a0a652b4e682a501eddca897557e6c69170c54976ae1e34e4f6647340000000a79cd47975dbdc59255760c6f4884b33040b9ef9f54c4afa769b19b77919e620495ce71b8daa9aefaab28a9334696434f53d2f535643f17be6554d2eb6736ad4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\TypedURLs\url4 = "https://signin.ebay.com/ws/ebayisapi.dll"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url3 = 0000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 808f71c308aad901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\TypedURLs\url2 = "https://www.facebook.com/"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "394753216"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\TypedURLs\url6 = "https://twitter.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url1 = b0ed60c308aad901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "http://t.ly/CLBs"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url5 = 0000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url6 = 0000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\TypedURLs\url3 = "https://login.aliexpress.com/"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F69F1761-15FB-11EE-86E6-52E16B800929} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url2 = 0000000000000000	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
928	chrome.exe
928	chrome.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	928	chrome.exe
Token: SeShutdownPrivilege	928	chrome.exe
Token: SeShutdownPrivilege	928	chrome.exe
Token: SeShutdownPrivilege	928	chrome.exe
Token: SeShutdownPrivilege	928	chrome.exe
Token: SeShutdownPrivilege	928	chrome.exe
Token: SeShutdownPrivilege	928	chrome.exe
Token: SeShutdownPrivilege	928	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1372	iexplore.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe
928	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1372	iexplore.exe
1372	iexplore.exe
644	IEXPLORE.EXE
644	IEXPLORE.EXE
1372	iexplore.exe
644	IEXPLORE.EXE
644	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 644	1372	iexplore.exe	29
PID 1372 wrote to memory of 644	1372	iexplore.exe	29
PID 1372 wrote to memory of 644	1372	iexplore.exe	29
PID 1372 wrote to memory of 644	1372	iexplore.exe	29
PID 928 wrote to memory of 1424	928	chrome.exe	32
PID 928 wrote to memory of 1424	928	chrome.exe	32
PID 928 wrote to memory of 1424	928	chrome.exe	32
PID 928 wrote to memory of 1620	928	chrome.exe	34
PID 928 wrote to memory of 1620	928	chrome.exe	34
PID 928 wrote to memory of 1620	928	chrome.exe	34
PID 928 wrote to memory of 1620	928	chrome.exe	34
PID 928 wrote to memory of 1620	928	chrome.exe	34
PID 928 wrote to memory of 1620	928	chrome.exe	34
PID 928 wrote to memory of 1620	928	chrome.exe	34
PID 928 wrote to memory of 1620	928	chrome.exe	34
PID 928 wrote to memory of 1620	928	chrome.exe	34
PID 928 wrote to memory of 1620	928	chrome.exe	34
PID 928 wrote to memory of 1620	928	chrome.exe	34
PID 928 wrote to memory of 1620	928	chrome.exe	34
PID 928 wrote to memory of 1620	928	chrome.exe	34
PID 928 wrote to memory of 1620	928	chrome.exe	34
PID 928 wrote to memory of 1620	928	chrome.exe	34
PID 928 wrote to memory of 1620	928	chrome.exe	34
PID 928 wrote to memory of 1620	928	chrome.exe	34
PID 928 wrote to memory of 1620	928	chrome.exe	34
PID 928 wrote to memory of 1620	928	chrome.exe	34
PID 928 wrote to memory of 1620	928	chrome.exe	34
PID 928 wrote to memory of 1620	928	chrome.exe	34
PID 928 wrote to memory of 1620	928	chrome.exe	34
PID 928 wrote to memory of 1620	928	chrome.exe	34
PID 928 wrote to memory of 1620	928	chrome.exe	34
PID 928 wrote to memory of 1620	928	chrome.exe	34
PID 928 wrote to memory of 1620	928	chrome.exe	34
PID 928 wrote to memory of 1620	928	chrome.exe	34
PID 928 wrote to memory of 1620	928	chrome.exe	34
PID 928 wrote to memory of 1620	928	chrome.exe	34
PID 928 wrote to memory of 1620	928	chrome.exe	34
PID 928 wrote to memory of 1620	928	chrome.exe	34
PID 928 wrote to memory of 1620	928	chrome.exe	34
PID 928 wrote to memory of 1620	928	chrome.exe	34
PID 928 wrote to memory of 1620	928	chrome.exe	34
PID 928 wrote to memory of 1620	928	chrome.exe	34
PID 928 wrote to memory of 1620	928	chrome.exe	34
PID 928 wrote to memory of 1620	928	chrome.exe	34
PID 928 wrote to memory of 1620	928	chrome.exe	34
PID 928 wrote to memory of 1620	928	chrome.exe	34
PID 928 wrote to memory of 1212	928	chrome.exe	35
PID 928 wrote to memory of 1212	928	chrome.exe	35
PID 928 wrote to memory of 1212	928	chrome.exe	35
PID 928 wrote to memory of 1816	928	chrome.exe	36
PID 928 wrote to memory of 1816	928	chrome.exe	36
PID 928 wrote to memory of 1816	928	chrome.exe	36
PID 928 wrote to memory of 1816	928	chrome.exe	36
PID 928 wrote to memory of 1816	928	chrome.exe	36
PID 928 wrote to memory of 1816	928	chrome.exe	36
PID 928 wrote to memory of 1816	928	chrome.exe	36
PID 928 wrote to memory of 1816	928	chrome.exe	36
PID 928 wrote to memory of 1816	928	chrome.exe	36
PID 928 wrote to memory of 1816	928	chrome.exe	36
PID 928 wrote to memory of 1816	928	chrome.exe	36
PID 928 wrote to memory of 1816	928	chrome.exe	36
PID 928 wrote to memory of 1816	928	chrome.exe	36
PID 928 wrote to memory of 1816	928	chrome.exe	36
PID 928 wrote to memory of 1816	928	chrome.exe	36

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\VSMA2biL.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1372 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6159758,0x7fef6159768,0x7fef6159778
  2⤵
  PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1204 --field-trial-handle=1228,i,1172783335102489411,7422887831033965892,131072 /prefetch:2
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1228,i,1172783335102489411,7422887831033965892,131072 /prefetch:8
  2⤵
  PID:1212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1628 --field-trial-handle=1228,i,1172783335102489411,7422887831033965892,131072 /prefetch:8
  2⤵
  PID:1816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2344 --field-trial-handle=1228,i,1172783335102489411,7422887831033965892,131072 /prefetch:1
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1624 --field-trial-handle=1228,i,1172783335102489411,7422887831033965892,131072 /prefetch:1
  2⤵
  PID:1504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1476 --field-trial-handle=1228,i,1172783335102489411,7422887831033965892,131072 /prefetch:2
  2⤵
  PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3688 --field-trial-handle=1228,i,1172783335102489411,7422887831033965892,131072 /prefetch:1
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1196 --field-trial-handle=1228,i,1172783335102489411,7422887831033965892,131072 /prefetch:8
  2⤵
  PID:2292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4008 --field-trial-handle=1228,i,1172783335102489411,7422887831033965892,131072 /prefetch:8
  2⤵
  PID:2308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4032 --field-trial-handle=1228,i,1172783335102489411,7422887831033965892,131072 /prefetch:1
  2⤵
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4500 --field-trial-handle=1228,i,1172783335102489411,7422887831033965892,131072 /prefetch:8
  2⤵
  PID:2312

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1604

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x578
1⤵
PID:2472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
60fe01df86be2e5331b0cdbe86165686

SHA1
2a79f9713c3f192862ff80508062e64e8e0b29bd

SHA256
c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8

SHA512
ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\96F22D998032974D72C1833EC826B163

Filesize
503B

MD5
a7a2041917da90a8df9d31fc78184a90

SHA1
7ab7e3dea90e798e87b1856809b42c00e901fdba

SHA256
c95abc30100b6e22af34745a068d0439c6ddf225535147c8baa1e224b7a94624

SHA512
704e241c90a4a5d33258b7e1f66f3071729fd25ca297175432a8bc5b87caccdc9cdd05b7cda53a78039aeb797aba838e912ce0fcb64b8ed60fecd4a32dc8e1aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
c0d84e6feddd6d2176ec77d675843b0c

SHA1
696af20b595275a05965f893f3da0b37a6bb6cfd

SHA256
b80d720465d9d9c6e89f6caab3e7eec861aeefa6eb6d1197d04783c28a2ea515

SHA512
c51f248c640453e6c1568e88b428ce925c8106927d52d4c1d38b475009b4ad8b1fa87fb16e1bf284188ed86b61063c3ff2fb7eb082a3e302fcf7857fa8c26e54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
157d9ba6fcfbf2798818ab0d037ffa94

SHA1
2c59b555fa288365d8fcbea3990c215e901f4238

SHA256
356ed847fa1c7fb45e402b41284d8078b92ab1e28df9c8f59216407b9847ce58

SHA512
b4ca78283b4b01939451dad207a55f733fcbf092b42e9c23f05ce2423488307887f28ea087a1c1a7e948475b6c19389db53b9834e94e2910709565f418222330

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cc5fe4a15581d2395beafb1cb4c6728d

SHA1
8dd83caf1ac6728979c74b0bd6d0de0eb1e2b1a6

SHA256
3e412f6ecbfd9a59466651f17d35ceb8940ff18bf8250153eea25e5e0ed0e89e

SHA512
563bbe6d9abbfd2658a802a754023c87bede1bc0799e025288132b0b579ed46a3bf5a5bfa230347923e35f419380e6b65436f77692c0647f0db2806deb820a26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f2c75cc6848c7e63e7f59549f941b233

SHA1
a7ddf13a0770e717529befa49f95aa0b55941140

SHA256
8d87675cfb06b6936ccf35e0c44c27a50381b7a52819fbccb3261ff8ca8bfca6

SHA512
ef9fcf4abced2cb136d38b3122e7f5ccd384c2f8a48785842df9f0aa83ee2cd1efb9fbe3bae73b1a148bd56b06e8e76ec91a945cb413a76c0de0da3795b4a3c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ec575f72649384263369258abc97b37e

SHA1
eaf6c6b77c4d77a01e256d789b4424002ffa93b8

SHA256
ab00459f075631b2a2c02bf3d46e90cffc511a7a962a919598a9de7f4453875c

SHA512
1a67b9cdf3dedc10eb6373635438cbd07f0a0ba4b4c1a088387ace6109a90d82d333508436974c49fc51a4a4e8c071dabfad3afa0d1a647343f15b6d4dcc842c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ab8c0704c749ca3f055e42ba691a8f25

SHA1
a0dcca99d7b645b0af454192608f3e54a63439f2

SHA256
dd93b012f691f8f05beb454d0c6d31313bccdb1a2dd338b88bb69390649a1da6

SHA512
787a43a8b7c39d22c2ab2cd442d6b1faf6f48a36b221f6162cc0d9e30d0adabb30259ceb878dfe0d24c902a15418495fdd127ba45bdcbf02b75c22f3b4d4473d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
08dd38b4480b06abfde3790f0d98edf1

SHA1
15e5be8ab12d5b6c72576fd492e85ae675837dfb

SHA256
ea1bc462f228d28984fc8f847eeaa0f15f744f7944ad38b37889278327693189

SHA512
bbdb18d58fdfc5859f394b2c1221b4736752a53e369bc9b3d2a9a99730fa82b810f72302f8c1b17552c93d5939dc387849f3361652188ae895f2e4159321918a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d8c9bb811d32917bed4c2e5d2640f8b0

SHA1
eac130003514e06fbaddf2bc04434a9764f74ab4

SHA256
7175d5e02a9eeda0069cbf258c0d64f89abfda9d7eabaa61a56fed8df4517fb3

SHA512
f357145142f6c712183b9a54eaad1f23700b11b23dbaa32ccd0d8cdf568a284743ed24423a7f88b4d8da5f2340bf46feb51b5a3f2374631568f53a0bdb976ca0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fc8b752e79b191e7ab166fca8b93931f

SHA1
bd56154110fc361683cafe2d99a1c8a380b636e6

SHA256
99da28a7326e090da5fe06a35ae6fda8548a9101411edfc7a5c4ad6982928a34

SHA512
2cdc2307f97f9fb466ef24e2ffacd4289d3c13143d240d1412cdffcb3ece2f2ce6fde7bf8e1b39296b829221c56d4093c5376685ca0034f207d3ffecc5c498cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9492f2a789429322e2edadf54caa739d

SHA1
1b00c400ccc6040f542d244a8c64e7516af76b53

SHA256
f5551f9223a9c0cf28fee6a4cdd9556d8aed860d786e035c5ef8d1af3f392b54

SHA512
00bd9a16e09dc1d9d96c2db837b04d5f330d1228f4ab9ab16fd6d993700ccf0df981b17e017cd0828f2ea19e33f80a5eaae9b01630abefb791683c7278478452

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
015a318fa17436a9b0a9a77d189f1e5c

SHA1
243fee51e8a38b7cca1e3b19c8b6afac2e5f3d6e

SHA256
f9f9869b2ebcfadc8b71c1fa6542d7746d680d6d7fbbfc83460f2cbbae6e04f1

SHA512
677dbb123bb7f9fb3becd0b951cfaab9426854950934ed021f1aaf3166730407a091227887504248a329d3b59f102bd9702443634c952036d67e5363d891752a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
015a318fa17436a9b0a9a77d189f1e5c

SHA1
243fee51e8a38b7cca1e3b19c8b6afac2e5f3d6e

SHA256
f9f9869b2ebcfadc8b71c1fa6542d7746d680d6d7fbbfc83460f2cbbae6e04f1

SHA512
677dbb123bb7f9fb3becd0b951cfaab9426854950934ed021f1aaf3166730407a091227887504248a329d3b59f102bd9702443634c952036d67e5363d891752a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\96F22D998032974D72C1833EC826B163

Filesize
552B

MD5
eeb6d80855dace5b2df827c849a3fa68

SHA1
b46c3e1f872b9b2387fef6d00d5155247db9787e

SHA256
b95b0e4b07a1b1daf745d4c22ebc9e5f336fd2afa88a9d30fee3c998e5c9117c

SHA512
10836ccb122d677dd5d3d0869344f169e7a44737b1c3c3bef687f7dc7895cc63e23fe482bbb98b36e34b336e2b2835f05ac327102f016bde0f7010ab07975f91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\000001.dbtmp

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\nas2q37\imagestore.dat

Filesize
10KB

MD5
15479b55fdce6ad2fee3335399756083

SHA1
05af9257ec6477bb810bd6c54dc6608345886d13

SHA256
eac79986a13ef6163727f8fe60a66c7a6d0d9d1edd579c8e02a87a1dc9006fbd

SHA512
82ba8f972e1683ac831fe7eee307557da97c1c9231924b4b042832f5129a86e1287376ea34e73db875c9edc8420fae767c6c824ce6aecbf27e9ceaec19285774

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\21EIYER7\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LRU276X6\favicon[2].ico

Filesize
6KB

MD5
72f13fa5f987ea923a68a818d38fb540

SHA1
f014620d35787fcfdef193c20bb383f5655b9e1e

SHA256
37127c1a29c164cdaa75ec72ae685094c2468fe0577f743cb1f307d23dd35ec1

SHA512
b66af0b6b95560c20584ed033547235d5188981a092131a7c1749926ba1ac208266193bd7fa8a3403a39eee23fcdd53580e9533803d7f52df5fb01d508e292b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4BC3.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4C63.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF5094BBFA618F885F.TMP

Filesize
16KB

MD5
2c794be875c5df3fe9db325b85171093

SHA1
0ae06784ddbf9e8a4b4ee4be032ffb69061b3c31

SHA256
e531752ef0e684e010fa55c98522203dd0bb097fb69863f69e220d8ea1ab603d

SHA512
d38682e4b8c259e1721acc6ec3abec66bb58601b8c8e9601efd14d49730f3b4992e5d56b7a25353526f2f8c947e0924006b0ba76458ebdb2dd790be7e38bdd59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\AGOK8ZXZ.txt

Filesize
608B

MD5
99dcd18795f33a4ae8f42de06ea3b37d

SHA1
72cd04ae7c5bd476fd6e4f5556d0a456021a504a

SHA256
5617a52f1ce4582c81202966e3f3eefc6ae4ffc9fe0f56832de0834c5214de2a

SHA512
789743cbbff897248fae8d1701d523785d0afe0e9894337c32f4918c576989cf2ae56342da14ea2acaa329d349d01e9f26b08b1cedd6c5a8d732e86ddf663db7

Download Submit