hxxps://files[.]catbox[.]moe/g3slin[.]png

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2023 12:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://files.catbox.moe/g3slin.png

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133413276069572677"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:PID = "2"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000bd5951179be7d901daf170199be7d901c8ea681a9be7d90114000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\IconSize = "48"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\Sort = 0000000000000000000000000000000002000000f4eec83032a8e241ab32e3c3ca28fd29030000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\LogicalViewMode = "2"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupView = "4294967295"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:FMTID = "{30C8EEF4-A832-41E2-AB32-E3C3CA28FD29}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "2"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4984	chrome.exe
4984	chrome.exe
544	chrome.exe
544	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4984	chrome.exe
4984	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe
Token: SeShutdownPrivilege	4984	chrome.exe
Token: SeCreatePagefilePrivilege	4984	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3116	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 4156	4984	chrome.exe	33
PID 4984 wrote to memory of 4156	4984	chrome.exe	33
PID 4984 wrote to memory of 4268	4984	chrome.exe	90
PID 4984 wrote to memory of 4268	4984	chrome.exe	90
PID 4984 wrote to memory of 4268	4984	chrome.exe	90
PID 4984 wrote to memory of 4268	4984	chrome.exe	90
PID 4984 wrote to memory of 4268	4984	chrome.exe	90
PID 4984 wrote to memory of 4268	4984	chrome.exe	90
PID 4984 wrote to memory of 4268	4984	chrome.exe	90
PID 4984 wrote to memory of 4268	4984	chrome.exe	90
PID 4984 wrote to memory of 4268	4984	chrome.exe	90
PID 4984 wrote to memory of 4268	4984	chrome.exe	90
PID 4984 wrote to memory of 4268	4984	chrome.exe	90
PID 4984 wrote to memory of 4268	4984	chrome.exe	90
PID 4984 wrote to memory of 4268	4984	chrome.exe	90
PID 4984 wrote to memory of 4268	4984	chrome.exe	90
PID 4984 wrote to memory of 4268	4984	chrome.exe	90
PID 4984 wrote to memory of 4268	4984	chrome.exe	90
PID 4984 wrote to memory of 4268	4984	chrome.exe	90
PID 4984 wrote to memory of 4268	4984	chrome.exe	90
PID 4984 wrote to memory of 4268	4984	chrome.exe	90
PID 4984 wrote to memory of 4268	4984	chrome.exe	90
PID 4984 wrote to memory of 4268	4984	chrome.exe	90
PID 4984 wrote to memory of 4268	4984	chrome.exe	90
PID 4984 wrote to memory of 4268	4984	chrome.exe	90
PID 4984 wrote to memory of 4268	4984	chrome.exe	90
PID 4984 wrote to memory of 4268	4984	chrome.exe	90
PID 4984 wrote to memory of 4268	4984	chrome.exe	90
PID 4984 wrote to memory of 4268	4984	chrome.exe	90
PID 4984 wrote to memory of 4268	4984	chrome.exe	90
PID 4984 wrote to memory of 4268	4984	chrome.exe	90
PID 4984 wrote to memory of 4268	4984	chrome.exe	90
PID 4984 wrote to memory of 4268	4984	chrome.exe	90
PID 4984 wrote to memory of 4268	4984	chrome.exe	90
PID 4984 wrote to memory of 4268	4984	chrome.exe	90
PID 4984 wrote to memory of 4268	4984	chrome.exe	90
PID 4984 wrote to memory of 4268	4984	chrome.exe	90
PID 4984 wrote to memory of 4268	4984	chrome.exe	90
PID 4984 wrote to memory of 4268	4984	chrome.exe	90
PID 4984 wrote to memory of 4268	4984	chrome.exe	90
PID 4984 wrote to memory of 904	4984	chrome.exe	89
PID 4984 wrote to memory of 904	4984	chrome.exe	89
PID 4984 wrote to memory of 3644	4984	chrome.exe	88
PID 4984 wrote to memory of 3644	4984	chrome.exe	88
PID 4984 wrote to memory of 3644	4984	chrome.exe	88
PID 4984 wrote to memory of 3644	4984	chrome.exe	88
PID 4984 wrote to memory of 3644	4984	chrome.exe	88
PID 4984 wrote to memory of 3644	4984	chrome.exe	88
PID 4984 wrote to memory of 3644	4984	chrome.exe	88
PID 4984 wrote to memory of 3644	4984	chrome.exe	88
PID 4984 wrote to memory of 3644	4984	chrome.exe	88
PID 4984 wrote to memory of 3644	4984	chrome.exe	88
PID 4984 wrote to memory of 3644	4984	chrome.exe	88
PID 4984 wrote to memory of 3644	4984	chrome.exe	88
PID 4984 wrote to memory of 3644	4984	chrome.exe	88
PID 4984 wrote to memory of 3644	4984	chrome.exe	88
PID 4984 wrote to memory of 3644	4984	chrome.exe	88
PID 4984 wrote to memory of 3644	4984	chrome.exe	88
PID 4984 wrote to memory of 3644	4984	chrome.exe	88
PID 4984 wrote to memory of 3644	4984	chrome.exe	88
PID 4984 wrote to memory of 3644	4984	chrome.exe	88
PID 4984 wrote to memory of 3644	4984	chrome.exe	88
PID 4984 wrote to memory of 3644	4984	chrome.exe	88
PID 4984 wrote to memory of 3644	4984	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://files.catbox.moe/g3slin.png
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff24c39758,0x7fff24c39768,0x7fff24c39778
  2⤵
  PID:4156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 --field-trial-handle=1860,i,5232740796254622245,12729484101928834207,131072 /prefetch:8
  2⤵
  PID:3644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1860,i,5232740796254622245,12729484101928834207,131072 /prefetch:8
  2⤵
  PID:904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 --field-trial-handle=1860,i,5232740796254622245,12729484101928834207,131072 /prefetch:2
  2⤵
  PID:4268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3180 --field-trial-handle=1860,i,5232740796254622245,12729484101928834207,131072 /prefetch:1
  2⤵
  PID:4336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3156 --field-trial-handle=1860,i,5232740796254622245,12729484101928834207,131072 /prefetch:1
  2⤵
  PID:2640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 --field-trial-handle=1860,i,5232740796254622245,12729484101928834207,131072 /prefetch:8
  2⤵
  PID:1780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 --field-trial-handle=1860,i,5232740796254622245,12729484101928834207,131072 /prefetch:8
  2⤵
  PID:972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 --field-trial-handle=1860,i,5232740796254622245,12729484101928834207,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 --field-trial-handle=1860,i,5232740796254622245,12729484101928834207,131072 /prefetch:8
  2⤵
  PID:1916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 --field-trial-handle=1860,i,5232740796254622245,12729484101928834207,131072 /prefetch:8
  2⤵
  PID:648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3560 --field-trial-handle=1860,i,5232740796254622245,12729484101928834207,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:544

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
14d5133bca31248be6c6b9d1f8a7adba

SHA1
3aa16e680cf020da07ce7fe7e4df8457ffb3f2ca

SHA256
dff22865aae2465a50acedcc8243f9ea6dbce3228c63078a802068f4cacfaa3d

SHA512
cd4f5309ba8af05cbd14d49b2da5291d0da3cfc621be58064c43fa11fd72065db96cb0479b2c643a6f2dd1982734a9ccd7acba5a4a667fb72e4a25d88f04a39f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
347a813c92c4fd9f8524c79c1945ba55

SHA1
8d309b361e2ddf0bac0fd81338728b1c79fad63e

SHA256
4b646da32ab483d3794a5cf0019b8db623835ee3017124b12b75ba3b98f59ac3

SHA512
7add99c1a621b62031d62c151341983e34f3821e936e4c27f4f43ff38694ae7f0bb83188f18e0cb76228ac595764a3056779f8d803bc37b5e8c1fc5e5e237d09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
af9283e9576c0e6b6ff03a895396fe28

SHA1
afe674a3468bca5d5486fbe24359cb161e153d02

SHA256
79e5b5bde6c6a93b487f8805e7e3598d3d1590b100d6c62f181c0fa4d2259b81

SHA512
84e7946bcc677079a935ea6640584b5f6061c0a314f14474c604b94a2dd39f1caa5528c99d85d55ff11da7a8ed604c214792a338ea5a65b34988a00d8415f86d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d810fb19460fbbaf4168826045edde75

SHA1
e65183965098ea4a142636ec59710f0d7915b7a3

SHA256
1c815fe474ef718517eda36617c86d0695f731def90120823a2200c318a0c3cb

SHA512
1fa23ad336c382a09d8c44906e739b9208b52be3aa686853ed4f99fa269767ab9ae7dfe1477024a1223387fff5e41fad60c0a2461568739232da5cacdfa68c28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
7914c6b2ce8b6447931aeb835ffe08f3

SHA1
bc99f462fc8bf9a15bd74e20ebb6fc61755e4872

SHA256
191612bb997e4c348979044c49800fced82507f3335dddd9cb9fad0661c95614

SHA512
790031989b60a157c0063f82664e1e30cfcc2ec5ed71f412efc3f5cb594cfad8e682904d7b3c981fe96394aca96896f88002bb8c6a1447caed9991212827a9ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
108KB

MD5
a418b5827107a35bac49c598e1f2c6dd

SHA1
106d21ea624018be14757c926207f189d9dc055f

SHA256
87ddd31cb95964a8a256ee39e83e7688daa280fc22678ecc38ab053a28f6ce4a

SHA512
14c3dc2c3501e07e7424eaed7dd1c65f81ed44e202bb0586652eeae213ddb6fe524cd1cdb4e04f3fb7201f959f4f24d75739fa1a43556ab389140eb9363bdf2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58073e.TMP

Filesize
101KB

MD5
bb6db3a52fac5891d9a14e683dc6e8f4

SHA1
5b77c2c8b26600f21813a35f2d7d97b93a6071b0

SHA256
7c081c5f04bb929f637ceda52e7ab894f20bc9e46b4315a5f26b287abb750830

SHA512
7f8cc8c61e6609d3010a4e34b4f8be5b57de39e5a4f70ee809ddc8c26274f563b7a83223060f83016c14a066b8e21ee5793ced9d889b70cd3a2651ab254f8bd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\f965183a-4501-48d7-94e3-7eb29fa61f15.tmp

Filesize
216KB

MD5
54aa782a4eb9aebe27fa483bb77e6338

SHA1
78038db2a5abad6a739ad127a6577cbc410bc18b

SHA256
1d91db4f1a80d3d9ffb8bd752dd4749169d5743ebab0c9c0d59dee6f3821fc76

SHA512
4f5f0730993e143e057b5e004ea01e606fb20c1e8aa69ba4abb36b76f61de0ddf07df6dd1a4f1f38a0ec255e86545d34bd904d3deb6ecb62b41f04b3e586eaaa

Download Submit