53f4d37cbea19d5d15b5db048414c368dac0787500db12418a78662d33a92cb7

Resubmissions

03/08/2023, 11:07

230803-m8ec4sch93 4

03/08/2023, 11:04

230803-m6e7mach86 1

03/08/2023, 11:00

230803-m4czgseb6t 1

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
03/08/2023, 11:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1click.cmd
Size

2KB
MD5

a53a00da8b89ce467a121613cd56d4e4
SHA1

e7a50d4f41b500d6066a6f3dc1c310102e6a6c85
SHA256

53f4d37cbea19d5d15b5db048414c368dac0787500db12418a78662d33a92cb7
SHA512

84addbd6375e186c1abc828a99a2cb852a8d744734096c952add127439ef1066036a3ba501bbe5288e8bc791b4c9391e1b39831d69051fb1407237a091d1551a

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133355342904024833"	chrome.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	NOTEPAD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4808	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3708	chrome.exe
3708	chrome.exe
264	chrome.exe
264	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
4808	EXCEL.EXE
4808	EXCEL.EXE

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1760	NOTEPAD.EXE
1760	NOTEPAD.EXE
4808	EXCEL.EXE
4808	EXCEL.EXE
4808	EXCEL.EXE
4808	EXCEL.EXE
4808	EXCEL.EXE
4808	EXCEL.EXE
4808	EXCEL.EXE
4808	EXCEL.EXE
4808	EXCEL.EXE
4808	EXCEL.EXE
4808	EXCEL.EXE
4808	EXCEL.EXE
4808	EXCEL.EXE
4808	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3708 wrote to memory of 1424	3708	chrome.exe	96
PID 3708 wrote to memory of 1424	3708	chrome.exe	96
PID 3708 wrote to memory of 4076	3708	chrome.exe	97
PID 3708 wrote to memory of 4076	3708	chrome.exe	97
PID 3708 wrote to memory of 4076	3708	chrome.exe	97
PID 3708 wrote to memory of 4076	3708	chrome.exe	97
PID 3708 wrote to memory of 4076	3708	chrome.exe	97
PID 3708 wrote to memory of 4076	3708	chrome.exe	97
PID 3708 wrote to memory of 4076	3708	chrome.exe	97
PID 3708 wrote to memory of 4076	3708	chrome.exe	97
PID 3708 wrote to memory of 4076	3708	chrome.exe	97
PID 3708 wrote to memory of 4076	3708	chrome.exe	97
PID 3708 wrote to memory of 4076	3708	chrome.exe	97
PID 3708 wrote to memory of 4076	3708	chrome.exe	97
PID 3708 wrote to memory of 4076	3708	chrome.exe	97
PID 3708 wrote to memory of 4076	3708	chrome.exe	97
PID 3708 wrote to memory of 4076	3708	chrome.exe	97
PID 3708 wrote to memory of 4076	3708	chrome.exe	97
PID 3708 wrote to memory of 4076	3708	chrome.exe	97
PID 3708 wrote to memory of 4076	3708	chrome.exe	97
PID 3708 wrote to memory of 4076	3708	chrome.exe	97
PID 3708 wrote to memory of 4076	3708	chrome.exe	97
PID 3708 wrote to memory of 4076	3708	chrome.exe	97
PID 3708 wrote to memory of 4076	3708	chrome.exe	97
PID 3708 wrote to memory of 4076	3708	chrome.exe	97
PID 3708 wrote to memory of 4076	3708	chrome.exe	97
PID 3708 wrote to memory of 4076	3708	chrome.exe	97
PID 3708 wrote to memory of 4076	3708	chrome.exe	97
PID 3708 wrote to memory of 4076	3708	chrome.exe	97
PID 3708 wrote to memory of 4076	3708	chrome.exe	97
PID 3708 wrote to memory of 4076	3708	chrome.exe	97
PID 3708 wrote to memory of 4076	3708	chrome.exe	97
PID 3708 wrote to memory of 4076	3708	chrome.exe	97
PID 3708 wrote to memory of 4076	3708	chrome.exe	97
PID 3708 wrote to memory of 4076	3708	chrome.exe	97
PID 3708 wrote to memory of 4076	3708	chrome.exe	97
PID 3708 wrote to memory of 4076	3708	chrome.exe	97
PID 3708 wrote to memory of 4076	3708	chrome.exe	97
PID 3708 wrote to memory of 4076	3708	chrome.exe	97
PID 3708 wrote to memory of 4076	3708	chrome.exe	97
PID 3708 wrote to memory of 556	3708	chrome.exe	98
PID 3708 wrote to memory of 556	3708	chrome.exe	98
PID 3708 wrote to memory of 5080	3708	chrome.exe	99
PID 3708 wrote to memory of 5080	3708	chrome.exe	99
PID 3708 wrote to memory of 5080	3708	chrome.exe	99
PID 3708 wrote to memory of 5080	3708	chrome.exe	99
PID 3708 wrote to memory of 5080	3708	chrome.exe	99
PID 3708 wrote to memory of 5080	3708	chrome.exe	99
PID 3708 wrote to memory of 5080	3708	chrome.exe	99
PID 3708 wrote to memory of 5080	3708	chrome.exe	99
PID 3708 wrote to memory of 5080	3708	chrome.exe	99
PID 3708 wrote to memory of 5080	3708	chrome.exe	99
PID 3708 wrote to memory of 5080	3708	chrome.exe	99
PID 3708 wrote to memory of 5080	3708	chrome.exe	99
PID 3708 wrote to memory of 5080	3708	chrome.exe	99
PID 3708 wrote to memory of 5080	3708	chrome.exe	99
PID 3708 wrote to memory of 5080	3708	chrome.exe	99
PID 3708 wrote to memory of 5080	3708	chrome.exe	99
PID 3708 wrote to memory of 5080	3708	chrome.exe	99
PID 3708 wrote to memory of 5080	3708	chrome.exe	99
PID 3708 wrote to memory of 5080	3708	chrome.exe	99
PID 3708 wrote to memory of 5080	3708	chrome.exe	99
PID 3708 wrote to memory of 5080	3708	chrome.exe	99
PID 3708 wrote to memory of 5080	3708	chrome.exe	99

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1click.cmd"
1⤵
PID:4740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffad6309758,0x7ffad6309768,0x7ffad6309778
  2⤵
  PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1404 --field-trial-handle=1856,i,4518112232586448447,8237931752723270002,131072 /prefetch:2
  2⤵
  PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1812 --field-trial-handle=1856,i,4518112232586448447,8237931752723270002,131072 /prefetch:8
  2⤵
  PID:556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2260 --field-trial-handle=1856,i,4518112232586448447,8237931752723270002,131072 /prefetch:8
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3136 --field-trial-handle=1856,i,4518112232586448447,8237931752723270002,131072 /prefetch:1
  2⤵
  PID:2436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3128 --field-trial-handle=1856,i,4518112232586448447,8237931752723270002,131072 /prefetch:1
  2⤵
  PID:736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4704 --field-trial-handle=1856,i,4518112232586448447,8237931752723270002,131072 /prefetch:1
  2⤵
  PID:3784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4744 --field-trial-handle=1856,i,4518112232586448447,8237931752723270002,131072 /prefetch:8
  2⤵
  PID:676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4932 --field-trial-handle=1856,i,4518112232586448447,8237931752723270002,131072 /prefetch:8
  2⤵
  PID:448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 --field-trial-handle=1856,i,4518112232586448447,8237931752723270002,131072 /prefetch:8
  2⤵
  PID:1716
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:2100
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff790157688,0x7ff790157698,0x7ff7901576a8
    3⤵
    PID:3920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 --field-trial-handle=1856,i,4518112232586448447,8237931752723270002,131072 /prefetch:8
  2⤵
  PID:1200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5416 --field-trial-handle=1856,i,4518112232586448447,8237931752723270002,131072 /prefetch:1
  2⤵
  PID:3804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3512 --field-trial-handle=1856,i,4518112232586448447,8237931752723270002,131072 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5708 --field-trial-handle=1856,i,4518112232586448447,8237931752723270002,131072 /prefetch:1
  2⤵
  PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3844 --field-trial-handle=1856,i,4518112232586448447,8237931752723270002,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:264

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3416

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1760

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\New Microsoft Excel Worksheet.xlsx"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\1click.cmd" "
1⤵
PID:2348

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
888B

MD5
426be0ccc2ddcacd9e52045ecd63bd69

SHA1
8203b79956eb1f664a1cf2497a527ea889ad072c

SHA256
380dd7b12008a7916048763b6477b5eaf26fe5f22bc0b77448dd14831c4df189

SHA512
ce829e75c0795c4cc8a0bf723074689b22f3fb5a0d9c920cd8c251ba70d92972b8631537354fec6cc52599b13256aff18621957ba2b74e9d62c95658576d5075

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
ed92a384ad0155fb8bb29167e426319d

SHA1
6a018afcae9a7b45f88657b1d180b14c9fac4a1c

SHA256
f122ed76d0a71a5e5371d04039586e86abc957e13700a9899707c4d0fee26134

SHA512
30b9b9198b2a05939c3391d7adf8927244fa2f0861ae19ca4f3fc51ccb7a6229fd13665777fd88dce9d53bbc2ab8a0d530c8f5d67231b2a6b4daae942506f8e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
94841558ae8010dd778bfb9a600cb3e7

SHA1
9f9e55d3f45709722a6fbe3f9e57967d5fcc6256

SHA256
a6b39b4a727ebf669845ebf84505438e9ae2dccfdf2c0441a9360f9c8a1af64e

SHA512
064b30e267735aaee237ad7c6e5348f87ca350906271a74226211581eb8e9bd54ae653090b9a75d6c55e4c4ae16666541b9788817cf439fa757cead0af5ba7cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
fa6ed9f9da459db387d3acb37bfd8e6f

SHA1
b448a8ad293887475c13c8ec66510c575dcb8bae

SHA256
57aa55697def27776843e2cc72e9cfa3a9c98a90fc4f5c2984b8ac48f015f7ab

SHA512
f350ddd645930f2137a238468a18d1fd01855243b41d596176c972fec6bb953b2a725389e7d84623a7874feda986fd3c699335fccdfbbb0c33ac5ba9308a4690

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
08a83d77e5d53502ecce0f6e323b22d4

SHA1
8a8a0ffb3c72ec6866953a707b3ac5fb3f48a990

SHA256
96a3ffb8f4fde3bb94d355bc1eceb1a9173f8c2de39f99eaa25c866371378706

SHA512
032a50f30301b5ada440187b10150159157877151ca95b9377f3a687b92e02c635e7a715d9be951fa51b8909f42be525604ed92659af246218a03e807d2c26bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5bd6d4d291b98ed251f7f827dab6a4e0

SHA1
e9e5fdfad2d20f3a0d3fd8257b8ccba4b18accf8

SHA256
3b1d733a7342e974f3967b2a984dcb8891b11742c4037ce9af40d163fa62566f

SHA512
6c8e0ce6b760aa4e71765b1cd8ba2f2a886c7c8487310895f5280d3d4f157eec2d08b888d7da3e26d9ff566cb6cb65b051ff908fa5f403b84e47a64898a79f7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
09261e01316ab09ab04ebc9500ab94a9

SHA1
bc9b87904a4b4cada3454d0da90ead3dc8d8fe1b

SHA256
5a9794820c4ae79093dc064cbcb27a9b969f8d319eeb0a02c3322f7dee9a36bc

SHA512
6da022a5dcde9ff6ed6b82e3afc91029d926d77fa3ce4c370c1e402d62ebf5421638efaadf5acde38b78bb9343a2e24d2845bca0e83f350c674f1c408d778c61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9b998f3d0be228456d6406d14a176475

SHA1
4f9850d4401dff6dd29fd0aa3ce8cba389347cc1

SHA256
5a87f4563c0ee6f1836098313e987332a348bbe7b2571885f33187d31dde8885

SHA512
069cec9f4df03c4856557ac0e8ab3d491a7e25090df7cc2e78b989c13fa0613912f6ac64486472e2a0f587bef4700b3b62eb293c3dabbc2955d1b722baaf2da7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
589400efacc82e6b44baa9ce59a21f42

SHA1
48a4f7520d6633fc6fe876038d333beb1f4590fa

SHA256
3e8d57098b9237f5100419ef19f5aa2752bbafb7a03b968121fdcac9c920a152

SHA512
fcf489a16c535f6b087fc4060a2c4b0cba7006cf23926dbdf2d9c8c76f204b86e286aec2162db7004c60aa8af575d06558b3cc234dc90af5e24bbc36dc313b9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
4681f4e2108236e3c1ca1a0b6a4d2b0b

SHA1
40ea8a2daf1e728b547fc3863045fdc691a920ba

SHA256
8035983b029fbb7eaeaf8372f15db0b1ddce40d2bb86d3d1157696ffa065113b

SHA512
b56a14de614a0abf5908f4240e8d3f271b8e5f0b0d7f4bcfee2ad6d8fc372585621dc7c8f6141b282ecaf9fa317589a6c8171ed4a0de0fee809a556c392c0bc3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
040002b00a8cc932de203c319dd3e4ea

SHA1
b58a27e94270939199ed4e6b7b0aa23cbbec86a0

SHA256
089c111021a762657e1ad1673be8d27033ccf8772602bd19a01aa6ba38e18af9

SHA512
2b8fc1d3530b6193ffa928fcbbcf6e047e11c9bce9e45d0ce1caa42b413cec0f248078b27af86970fd80cbdab6145a0ae3ba3584ecccdfc3d2f42327ca5ed1df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe587fca.TMP

Filesize
48B

MD5
495f4a75c01dd8196e04d81ed4784bcf

SHA1
b4d30e6945095ada2a177e749f08e48721f29524

SHA256
38c3e5f424d236e79b0e03bb66037daa7c4ee53a951d3c76a250663f19934a1b

SHA512
06c457c4cf0ff141229dcc3fadd376e3d8348c3a9c146201c54633ff774409479719a610448ab6816ad8b03e97d5159ad42e430f126a372f7333e02a3cd06235

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
176KB

MD5
66f7e82d980d05bba19d9a546e5f683d

SHA1
612c8e5b9e6b918d8bf92142e8660563c6c39d7d

SHA256
a41acc4d75c9d6c8b426a535a3be0166b521e17ebfc3bd311211cad7230c5167

SHA512
ec727e415dbacd56c38c46b058075e1229ce3bfa8981c06c49a35dc10d533923fb376b8ef2f5ae628db5064d6a66142211b1a0ab2a2eb83d180b1e91873027f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
267B

MD5
b5f6ab3e70e3f408e206fa7c12eafa42

SHA1
4edf76de16ceea77ff6ba3d37624c765fb6d523a

SHA256
6cf38e281a62ab5c6544f7163dd8cc98cb637abd55762639c03c12c7d1c287c3

SHA512
28cfb1fae03fabf8e842e85f7c04cf0429fd24a69b8b3052a56481e44727837329195bd14199296fda0803b1ec753b899924e5177360674ca819bf664d6b77e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
725B

MD5
98d63a051d059b2ed63cc38c7e822d17

SHA1
e09dbdef52b163f52a318f5cf03e21f7d03e8a22

SHA256
5fe0f475a55c8772aa8a77afcc5960b5aece5896470859845aeaa6030aa1e0f4

SHA512
f7d9283370a4cabe02f5912876100ec103fbd5f1c543ba96cd6f1c16f595999aa8be17254b7531f3176b30cf966814ca3660c10be15715d554af9f306fbfb128

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
24B

MD5
4fcb2a3ee025e4a10d21e1b154873fe2

SHA1
57658e2fa594b7d0b99d02e041d0f3418e58856b

SHA256
90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228

SHA512
4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

Download Submit
C:\Users\Admin\Desktop\1click.cmd

Filesize
2KB

MD5
a53a00da8b89ce467a121613cd56d4e4

SHA1
e7a50d4f41b500d6066a6f3dc1c310102e6a6c85

SHA256
53f4d37cbea19d5d15b5db048414c368dac0787500db12418a78662d33a92cb7

SHA512
84addbd6375e186c1abc828a99a2cb852a8d744734096c952add127439ef1066036a3ba501bbe5288e8bc791b4c9391e1b39831d69051fb1407237a091d1551a

Download Submit
memory/4808-464-0x00007FFAF4390000-0x00007FFAF4585000-memory.dmp

Filesize
2.0MB

Download
memory/4808-476-0x00007FFAF4390000-0x00007FFAF4585000-memory.dmp

Filesize
2.0MB

Download
memory/4808-465-0x00007FFAF4390000-0x00007FFAF4585000-memory.dmp

Filesize
2.0MB

Download
memory/4808-467-0x00007FFAF4390000-0x00007FFAF4585000-memory.dmp

Filesize
2.0MB

Download
memory/4808-460-0x00007FFAF4390000-0x00007FFAF4585000-memory.dmp

Filesize
2.0MB

Download
memory/4808-468-0x00007FFAB4410000-0x00007FFAB4420000-memory.dmp

Filesize
64KB

Download
memory/4808-469-0x00007FFAF4390000-0x00007FFAF4585000-memory.dmp

Filesize
2.0MB

Download
memory/4808-470-0x00007FFAF4390000-0x00007FFAF4585000-memory.dmp

Filesize
2.0MB

Download
memory/4808-471-0x00007FFAF4390000-0x00007FFAF4585000-memory.dmp

Filesize
2.0MB

Download
memory/4808-472-0x00007FFAF4390000-0x00007FFAF4585000-memory.dmp

Filesize
2.0MB

Download
memory/4808-473-0x00007FFAF4390000-0x00007FFAF4585000-memory.dmp

Filesize
2.0MB

Download
memory/4808-474-0x00007FFAB1CD0000-0x00007FFAB1CE0000-memory.dmp

Filesize
64KB

Download
memory/4808-475-0x00007FFAF4390000-0x00007FFAF4585000-memory.dmp

Filesize
2.0MB

Download
memory/4808-466-0x00007FFAB4410000-0x00007FFAB4420000-memory.dmp

Filesize
64KB

Download
memory/4808-477-0x00007FFAF4390000-0x00007FFAF4585000-memory.dmp

Filesize
2.0MB

Download
memory/4808-478-0x00007FFAB1CD0000-0x00007FFAB1CE0000-memory.dmp

Filesize
64KB

Download
memory/4808-463-0x00007FFAB4410000-0x00007FFAB4420000-memory.dmp

Filesize
64KB

Download
memory/4808-496-0x00007FFAF4390000-0x00007FFAF4585000-memory.dmp

Filesize
2.0MB

Download
memory/4808-497-0x00007FFAF4390000-0x00007FFAF4585000-memory.dmp

Filesize
2.0MB

Download
memory/4808-501-0x00007FFAF4390000-0x00007FFAF4585000-memory.dmp

Filesize
2.0MB

Download
memory/4808-462-0x00007FFAF4390000-0x00007FFAF4585000-memory.dmp

Filesize
2.0MB

Download
memory/4808-461-0x00007FFAB4410000-0x00007FFAB4420000-memory.dmp

Filesize
64KB

Download
memory/4808-521-0x00007FFAB4410000-0x00007FFAB4420000-memory.dmp

Filesize
64KB

Download
memory/4808-522-0x00007FFAB4410000-0x00007FFAB4420000-memory.dmp

Filesize
64KB

Download
memory/4808-523-0x00007FFAB4410000-0x00007FFAB4420000-memory.dmp

Filesize
64KB

Download
memory/4808-524-0x00007FFAB4410000-0x00007FFAB4420000-memory.dmp

Filesize
64KB

Download
memory/4808-525-0x00007FFAF4390000-0x00007FFAF4585000-memory.dmp

Filesize
2.0MB

Download
memory/4808-459-0x00007FFAB4410000-0x00007FFAB4420000-memory.dmp

Filesize
64KB

Download