hxxp://installw[.]com

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2023 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://installw.com

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133378010619843943"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5016	chrome.exe
5016	chrome.exe
4920	chrome.exe
4920	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 2728	5016	chrome.exe	82
PID 5016 wrote to memory of 2728	5016	chrome.exe	82
PID 5016 wrote to memory of 4388	5016	chrome.exe	84
PID 5016 wrote to memory of 4388	5016	chrome.exe	84
PID 5016 wrote to memory of 4388	5016	chrome.exe	84
PID 5016 wrote to memory of 4388	5016	chrome.exe	84
PID 5016 wrote to memory of 4388	5016	chrome.exe	84
PID 5016 wrote to memory of 4388	5016	chrome.exe	84
PID 5016 wrote to memory of 4388	5016	chrome.exe	84
PID 5016 wrote to memory of 4388	5016	chrome.exe	84
PID 5016 wrote to memory of 4388	5016	chrome.exe	84
PID 5016 wrote to memory of 4388	5016	chrome.exe	84
PID 5016 wrote to memory of 4388	5016	chrome.exe	84
PID 5016 wrote to memory of 4388	5016	chrome.exe	84
PID 5016 wrote to memory of 4388	5016	chrome.exe	84
PID 5016 wrote to memory of 4388	5016	chrome.exe	84
PID 5016 wrote to memory of 4388	5016	chrome.exe	84
PID 5016 wrote to memory of 4388	5016	chrome.exe	84
PID 5016 wrote to memory of 4388	5016	chrome.exe	84
PID 5016 wrote to memory of 4388	5016	chrome.exe	84
PID 5016 wrote to memory of 4388	5016	chrome.exe	84
PID 5016 wrote to memory of 4388	5016	chrome.exe	84
PID 5016 wrote to memory of 4388	5016	chrome.exe	84
PID 5016 wrote to memory of 4388	5016	chrome.exe	84
PID 5016 wrote to memory of 4388	5016	chrome.exe	84
PID 5016 wrote to memory of 4388	5016	chrome.exe	84
PID 5016 wrote to memory of 4388	5016	chrome.exe	84
PID 5016 wrote to memory of 4388	5016	chrome.exe	84
PID 5016 wrote to memory of 4388	5016	chrome.exe	84
PID 5016 wrote to memory of 4388	5016	chrome.exe	84
PID 5016 wrote to memory of 4388	5016	chrome.exe	84
PID 5016 wrote to memory of 4388	5016	chrome.exe	84
PID 5016 wrote to memory of 4388	5016	chrome.exe	84
PID 5016 wrote to memory of 4388	5016	chrome.exe	84
PID 5016 wrote to memory of 4388	5016	chrome.exe	84
PID 5016 wrote to memory of 4388	5016	chrome.exe	84
PID 5016 wrote to memory of 4388	5016	chrome.exe	84
PID 5016 wrote to memory of 4388	5016	chrome.exe	84
PID 5016 wrote to memory of 4388	5016	chrome.exe	84
PID 5016 wrote to memory of 4388	5016	chrome.exe	84
PID 5016 wrote to memory of 972	5016	chrome.exe	85
PID 5016 wrote to memory of 972	5016	chrome.exe	85
PID 5016 wrote to memory of 1236	5016	chrome.exe	87
PID 5016 wrote to memory of 1236	5016	chrome.exe	87
PID 5016 wrote to memory of 1236	5016	chrome.exe	87
PID 5016 wrote to memory of 1236	5016	chrome.exe	87
PID 5016 wrote to memory of 1236	5016	chrome.exe	87
PID 5016 wrote to memory of 1236	5016	chrome.exe	87
PID 5016 wrote to memory of 1236	5016	chrome.exe	87
PID 5016 wrote to memory of 1236	5016	chrome.exe	87
PID 5016 wrote to memory of 1236	5016	chrome.exe	87
PID 5016 wrote to memory of 1236	5016	chrome.exe	87
PID 5016 wrote to memory of 1236	5016	chrome.exe	87
PID 5016 wrote to memory of 1236	5016	chrome.exe	87
PID 5016 wrote to memory of 1236	5016	chrome.exe	87
PID 5016 wrote to memory of 1236	5016	chrome.exe	87
PID 5016 wrote to memory of 1236	5016	chrome.exe	87
PID 5016 wrote to memory of 1236	5016	chrome.exe	87
PID 5016 wrote to memory of 1236	5016	chrome.exe	87
PID 5016 wrote to memory of 1236	5016	chrome.exe	87
PID 5016 wrote to memory of 1236	5016	chrome.exe	87
PID 5016 wrote to memory of 1236	5016	chrome.exe	87
PID 5016 wrote to memory of 1236	5016	chrome.exe	87
PID 5016 wrote to memory of 1236	5016	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://installw.com
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff04a29758,0x7fff04a29768,0x7fff04a29778
  2⤵
  PID:2728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1576 --field-trial-handle=1860,i,16045217776998886170,14512470129189844633,131072 /prefetch:2
  2⤵
  PID:4388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1860,i,16045217776998886170,14512470129189844633,131072 /prefetch:8
  2⤵
  PID:972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2764 --field-trial-handle=1860,i,16045217776998886170,14512470129189844633,131072 /prefetch:1
  2⤵
  PID:840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2184 --field-trial-handle=1860,i,16045217776998886170,14512470129189844633,131072 /prefetch:8
  2⤵
  PID:1236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2772 --field-trial-handle=1860,i,16045217776998886170,14512470129189844633,131072 /prefetch:1
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3984 --field-trial-handle=1860,i,16045217776998886170,14512470129189844633,131072 /prefetch:1
  2⤵
  PID:1232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 --field-trial-handle=1860,i,16045217776998886170,14512470129189844633,131072 /prefetch:8
  2⤵
  PID:3824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 --field-trial-handle=1860,i,16045217776998886170,14512470129189844633,131072 /prefetch:8
  2⤵
  PID:1076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2632 --field-trial-handle=1860,i,16045217776998886170,14512470129189844633,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4920

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4348

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
66c2a7df0f308a2c0c3a679208501867

SHA1
21e0003b9ceb519f557941ddc956172e09116a29

SHA256
900cc0120de16547dfd3599d92216d345b68c7ac9ccc2ade2a20a0e229db15c2

SHA512
dab599c101112911aaf7e014936b2be3b45c68ac19af4261c793c23bcfd60610b53cdcdf63e3728518b83685fea282ad8137775e0ec52fbc72c53eec23aca08d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f8c6af3b34c2ad00ffa639e3846f4d13

SHA1
b9f3e833d02f143ae65b2964822316880b35f012

SHA256
b002cdcb395ca8724b4d8cdf466a941b67d13b745485ddbb8d485bda07465e74

SHA512
9f43ef47eca8f7ca28c98f29da9a24df824d78dda193a5d0ae6d9bf2cad2fc557eaaa30fa1b3d8a8479c4b9323bddeae49e1d538a34a8c14941203280f83bcd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0899f0beda12eae16bc00610d857dae4

SHA1
c08a812a4a2b07722bfb15772b26589a98ee6211

SHA256
6e3f5373790bc735f15653b822a17e71a35cad206352dadc4af5ecb157d0e0fa

SHA512
15c342d4b5b82e60dbc3a15c32041fb6216468bbaf7ec5594ac55651be9041e560b4c90936a784dfe62e0c81c4c9733976d5edc4356b4e28a1ec008d663b3310

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
58a624646529219a5df0f56009c64335

SHA1
683d1145b86bd1524a6c1751fbf8f713b931d944

SHA256
0084c0e025b301cc8c655804ca7212452879a263b087c43117787709cb38f58e

SHA512
d085501991a96efe5b371c22a8a67547d7db7de8bcc3c82f0c03978e15294b61b5248ad8e0d899f8a2e713b9cbc84c0d15a2dc5f6ea4c0f0957c3845295e278d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
5e9393b09654ce3b4f624ef0d2fac3e1

SHA1
ae71602177b9992928fd4894956574a7f97a95e5

SHA256
be45bc918282788197c728f4df98f21cb72187cecd79c5bb27fcecfe41a0e3a5

SHA512
d77acb1fc5faf4697e6189f22e3817dcde6c221b32445b328df6eae9e94923b275e931646f7daebd44e42f98bd644a63232eca25b8f836d5acd143f482c58fa1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit