588178fd381b8616491f4830aab4c0520d83b2bc02b4484ec8a484b11923ed0b

Resubmissions

22-01-2024 18:59

240122-xnavaschg6 10

22-01-2024 18:56

240122-xlm2vacchp 3

22-01-2024 18:52

240122-xjdemaccgm 4

Analysis

max time kernel
134s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2024 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GTA 5 Web Cursor.cur
Size

4KB
MD5

ff6de1c4f3bc8fec42883a51f23c9df7
SHA1

3297b0be81fa0cd2828412d625e5655b3c12b62d
SHA256

588178fd381b8616491f4830aab4c0520d83b2bc02b4484ec8a484b11923ed0b
SHA512

4cdd6b57a79498a0304fd08f2ae347d34702de0cc53d00a8524c1f5494588c6290949c93f845698bdc40ac347f5285785410a413160c596714d07a5af884b03b
SSDEEP

24:NYLM+Or3GqJF1pVu/2uEwuwLwuwuqVwuzwmwYwYwYwYwQDbqqqqc:NfzjGqtfI2SB8Bt2F5bbbbsbqqqqc

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 46 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Cursors\aero_ew_l.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_nwse_l.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_pin.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_up_l.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_busy_xl.ani	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_link_im.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_nwse_xl.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_move.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_pen_l.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_working.ani	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_ns_l.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_link.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_ns_xl.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_nwse.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_up.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_nesw_l.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_busy.ani	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_arrow_l.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_ew_xl.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_link_i.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_person_l.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_pin_xl.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_helpsel.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_pen_xl.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_person_xl.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_pin_l.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_arrow.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_helpsel_l.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_link_xl.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_move_xl.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_unavail.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_unavail_l.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_arrow_xl.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_ew.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_nesw.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_nesw_xl.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_ns.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_person.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_up_xl.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_busy_l.ani	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_helpsel_xl.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_link_il.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_link_l.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_move_l.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_pen.cur	rundll32.exe
File opened for modification	C:\Windows\Cursors\aero_unavail_xl.cur	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Control Panel 5 IoCs

evasion

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\Desktop\UserPreferencesMask = 9e1e078012000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\Cursors	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\Cursors\ = "Windows Default"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\Cursors\Scheme Source = "2"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\Cursors\Hand = "%USERPROFILE%\\Downloads\\GTA 5 Web Cursor.cur"	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133504232455273076"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\telephon.cpl,-2#immutable1 = "Configure your telephone dialing rules and modem settings."	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\RADCUI.dll,-15301#immutable1 = "Manage your RemoteApp and Desktop Connections"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\DiagCpl.dll,-15#immutable1 = "Troubleshoot and fix common computer problems."	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WinPos1280x720x96(1).left = "250"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WFlags = "2"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\Vault.dll,-1#immutable1 = "Credential Manager"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-103#immutable1 = "Customize your keyboard settings, such as the cursor blink rate and the character repeat rate."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5600310000000000874fdc491000437572736f727300400009000400efbe874fdb49874fdc492e000000da070000000001000000000000000000000000000000d69cd80043007500720073006f0072007300000016000000	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\systemcpl.dll,-1#immutable1 = "System"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fhcpl.dll,-2#immutable1 = "Keep a history of your files"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 56003100000000008f571a51100057696e646f777300400009000400efbe874f77483658a3962e00000000060000000001000000000000000000000000000000c6a62c00570069006e0064006f0077007300000016000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\Speech\SpeechUX\speechuxcpl.dll,-1#immutable1 = "Speech Recognition"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3001#immutable1 = "Sync files between your computer and network folders"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fvecpl.dll,-2#immutable1 = "Protect your PC using BitLocker Drive Encryption."	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\netcenter.dll,-1#immutable1 = "Network and Sharing Center"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\colorcpl.exe,-6#immutable1 = "Color Management"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\usercpl.dll,-2#immutable1 = "Change user account settings and passwords for people who share this computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\recovery.dll,-101#immutable1 = "Recovery"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\appwiz.cpl,-159#immutable1 = "Programs and Features"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\inetcpl.cpl,-4312#immutable1 = "Internet Options"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\FFlags = "18874385"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sud.dll,-10#immutable1 = "Choose which programs you want Windows to use for activities like web browsing, editing photos, sending e-mail, and playing music."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fvecpl.dll,-1#immutable1 = "BitLocker Drive Encryption"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\Rev = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\MaxPos1280x720x96(1).x = "4294967295"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sud.dll,-1#immutable1 = "Default Programs"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-101#immutable1 = "Customize your mouse settings, such as the button configuration, double-click speed, mouse pointers, and motion speed."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\DeviceCenter.dll,-1000#immutable1 = "Devices and Printers"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\timedate.cpl,-51#immutable1 = "Date and Time"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\intl.cpl,-3#immutable1 = "Region"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\intl.cpl,-2#immutable1 = "Customize settings for the display of languages, numbers, times, and dates."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\accessibilitycpl.dll,-10#immutable1 = "Ease of Access Center"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\mmsys.cpl,-300#immutable1 = "Sound"	explorer.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1648	explorer.exe
1648	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3368	chrome.exe
3368	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2324	rundll32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1648	explorer.exe
Token: SeCreatePagefilePrivilege	1648	explorer.exe
Token: SeShutdownPrivilege	1648	explorer.exe
Token: SeCreatePagefilePrivilege	1648	explorer.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
1648	explorer.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
1648	explorer.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2324	rundll32.exe
2324	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 2324	1648	explorer.exe	104
PID 1648 wrote to memory of 2324	1648	explorer.exe	104
PID 3368 wrote to memory of 440	3368	chrome.exe	107
PID 3368 wrote to memory of 440	3368	chrome.exe	107
PID 3368 wrote to memory of 1008	3368	chrome.exe	108
PID 3368 wrote to memory of 1008	3368	chrome.exe	108
PID 3368 wrote to memory of 1008	3368	chrome.exe	108
PID 3368 wrote to memory of 1008	3368	chrome.exe	108
PID 3368 wrote to memory of 1008	3368	chrome.exe	108
PID 3368 wrote to memory of 1008	3368	chrome.exe	108
PID 3368 wrote to memory of 1008	3368	chrome.exe	108
PID 3368 wrote to memory of 1008	3368	chrome.exe	108
PID 3368 wrote to memory of 1008	3368	chrome.exe	108
PID 3368 wrote to memory of 1008	3368	chrome.exe	108
PID 3368 wrote to memory of 1008	3368	chrome.exe	108
PID 3368 wrote to memory of 1008	3368	chrome.exe	108
PID 3368 wrote to memory of 1008	3368	chrome.exe	108
PID 3368 wrote to memory of 1008	3368	chrome.exe	108
PID 3368 wrote to memory of 1008	3368	chrome.exe	108
PID 3368 wrote to memory of 1008	3368	chrome.exe	108
PID 3368 wrote to memory of 1008	3368	chrome.exe	108
PID 3368 wrote to memory of 1008	3368	chrome.exe	108
PID 3368 wrote to memory of 1008	3368	chrome.exe	108
PID 3368 wrote to memory of 1008	3368	chrome.exe	108
PID 3368 wrote to memory of 1008	3368	chrome.exe	108
PID 3368 wrote to memory of 1008	3368	chrome.exe	108
PID 3368 wrote to memory of 1008	3368	chrome.exe	108
PID 3368 wrote to memory of 1008	3368	chrome.exe	108
PID 3368 wrote to memory of 1008	3368	chrome.exe	108
PID 3368 wrote to memory of 1008	3368	chrome.exe	108
PID 3368 wrote to memory of 1008	3368	chrome.exe	108
PID 3368 wrote to memory of 1008	3368	chrome.exe	108
PID 3368 wrote to memory of 1008	3368	chrome.exe	108
PID 3368 wrote to memory of 1008	3368	chrome.exe	108
PID 3368 wrote to memory of 1008	3368	chrome.exe	108
PID 3368 wrote to memory of 1008	3368	chrome.exe	108
PID 3368 wrote to memory of 1008	3368	chrome.exe	108
PID 3368 wrote to memory of 1008	3368	chrome.exe	108
PID 3368 wrote to memory of 1008	3368	chrome.exe	108
PID 3368 wrote to memory of 1008	3368	chrome.exe	108
PID 3368 wrote to memory of 1008	3368	chrome.exe	108
PID 3368 wrote to memory of 1008	3368	chrome.exe	108
PID 3368 wrote to memory of 1524	3368	chrome.exe	109
PID 3368 wrote to memory of 1524	3368	chrome.exe	109
PID 3368 wrote to memory of 1876	3368	chrome.exe	110
PID 3368 wrote to memory of 1876	3368	chrome.exe	110
PID 3368 wrote to memory of 1876	3368	chrome.exe	110
PID 3368 wrote to memory of 1876	3368	chrome.exe	110
PID 3368 wrote to memory of 1876	3368	chrome.exe	110
PID 3368 wrote to memory of 1876	3368	chrome.exe	110
PID 3368 wrote to memory of 1876	3368	chrome.exe	110
PID 3368 wrote to memory of 1876	3368	chrome.exe	110
PID 3368 wrote to memory of 1876	3368	chrome.exe	110
PID 3368 wrote to memory of 1876	3368	chrome.exe	110
PID 3368 wrote to memory of 1876	3368	chrome.exe	110
PID 3368 wrote to memory of 1876	3368	chrome.exe	110
PID 3368 wrote to memory of 1876	3368	chrome.exe	110
PID 3368 wrote to memory of 1876	3368	chrome.exe	110
PID 3368 wrote to memory of 1876	3368	chrome.exe	110
PID 3368 wrote to memory of 1876	3368	chrome.exe	110
PID 3368 wrote to memory of 1876	3368	chrome.exe	110
PID 3368 wrote to memory of 1876	3368	chrome.exe	110
PID 3368 wrote to memory of 1876	3368	chrome.exe	110
PID 3368 wrote to memory of 1876	3368	chrome.exe	110

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\GTA 5 Web Cursor.cur"
1⤵
PID:4824

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\main.cpl
  2⤵
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2324

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:4700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe5a219758,0x7ffe5a219768,0x7ffe5a219778
  2⤵
  PID:440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=1864,i,8224625945841582498,3070319243005231694,131072 /prefetch:2
  2⤵
  PID:1008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1864,i,8224625945841582498,3070319243005231694,131072 /prefetch:8
  2⤵
  PID:1524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2292 --field-trial-handle=1864,i,8224625945841582498,3070319243005231694,131072 /prefetch:8
  2⤵
  PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3164 --field-trial-handle=1864,i,8224625945841582498,3070319243005231694,131072 /prefetch:1
  2⤵
  PID:3604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3132 --field-trial-handle=1864,i,8224625945841582498,3070319243005231694,131072 /prefetch:1
  2⤵
  PID:3280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4684 --field-trial-handle=1864,i,8224625945841582498,3070319243005231694,131072 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3808 --field-trial-handle=1864,i,8224625945841582498,3070319243005231694,131072 /prefetch:8
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4932 --field-trial-handle=1864,i,8224625945841582498,3070319243005231694,131072 /prefetch:8
  2⤵
  PID:3720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 --field-trial-handle=1864,i,8224625945841582498,3070319243005231694,131072 /prefetch:8
  2⤵
  PID:4024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 --field-trial-handle=1864,i,8224625945841582498,3070319243005231694,131072 /prefetch:8
  2⤵
  PID:4356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5168 --field-trial-handle=1864,i,8224625945841582498,3070319243005231694,131072 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5268 --field-trial-handle=1864,i,8224625945841582498,3070319243005231694,131072 /prefetch:1
  2⤵
  PID:4228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5604 --field-trial-handle=1864,i,8224625945841582498,3070319243005231694,131072 /prefetch:8
  2⤵
  PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3876 --field-trial-handle=1864,i,8224625945841582498,3070319243005231694,131072 /prefetch:1
  2⤵
  PID:220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5748 --field-trial-handle=1864,i,8224625945841582498,3070319243005231694,131072 /prefetch:1
  2⤵
  PID:552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6128 --field-trial-handle=1864,i,8224625945841582498,3070319243005231694,131072 /prefetch:8
  2⤵
  PID:1724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1732 --field-trial-handle=1864,i,8224625945841582498,3070319243005231694,131072 /prefetch:8
  2⤵
  PID:2596

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4344

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:4712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
f6d3ced11778f2196b185bddfd18d080

SHA1
e9946b1f09bb474901909f9f518609548e17d992

SHA256
f887fd2245f47f792b73216f7fe249fd3821dfe33a7109dbbfba4f2bf9cc696f

SHA512
3952031d3694fdf3703d5f8712cf7af00859302af812ce6b63022b0e6b1b21cd627a4fdd50deed1de3c6f2ba627175e4f9e7d56bf6d38314c3dc84bfb9430d37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
7917d63360c0a774e7a5cffc2eaed654

SHA1
39f19d4e59259dbf14cf410411f20da03ae6e36d

SHA256
2ea1c8f1213379af0ccd8178fdaa6900601a6d7ce28bf1e2745691c989e0f2e9

SHA512
889a47c84e7ed85a4075aa3fb86712f4de8bf165f2bdb51e6622f9cda95babfec09397948f002143add374e7b06abc3d15aaa0b1e92f4b35dc2db8748dd7444a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
84e9fee318e496cf2217e679d5ddc7e6

SHA1
a6149027488ca891908b6edc4b20270588776530

SHA256
73fdff37014bddf33d43294e664fe47617ba2c0f5463d25a92f483b43f017842

SHA512
94c2845d27a1552a9ba00c1547541101b39e71ccffb511db096c75af404e1134af3764f01125d805cbbab8c722dba9ec6f14936f46284f442cceddb094f24c03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
872B

MD5
eec181306d46b43d8f75a240d6df3c20

SHA1
96d3565bd0dc86bd14e667edf41a674ba9bca648

SHA256
095804b43ae42882c1cdfdc7b3fad5e7f48182861a380fb7b81c7991d573cff5

SHA512
a4404c03a24904b17ede8caee1bfc57dd1cdef135486a6bdab2e8eec09c5322124bbcdee692aa648232c5d16d88497f6f39d547bd75ca7271e9ba7618f776535

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
872B

MD5
19726499d105b47c7957e139a24c49a5

SHA1
380982c955936b5a060eb5be46768357a46b5324

SHA256
e5ec81ded50f118cee943f6106d7b325f5c7933ee21667ccea69daca4f73661f

SHA512
6bc9a98c8a9fbf94d7384ef1184df3780645a34c797c9371431c74a09964388d41184c71feff21d400564d5c3eb3aeaf9292b339b492c7df59fd7623675f2c9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
537B

MD5
6a7b53c8daf1a3a56e1edf0a57c9d122

SHA1
d85503cc877aa3d7509671b85bb757e4c6134af1

SHA256
d8b588ae9299aee783fb5a16384ec0479a63c67d45b1a3ae35f8db9a2d757572

SHA512
812220e6c3d8883bb18c01924c86c0cbb11b155fbb9c89fcf63c946175aefefe21487274e63276e766344b381069f9f71790deb45adb5b210a6081b964c5eb01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
580030c1e7277b7e89fe749246185a52

SHA1
f2ff609c6270a2a418acdf68cce4bea98a55346b

SHA256
230648c6efd32fc88ff2b8f1de80da9c437454ce2db281ad87b9b11b75b9d1f5

SHA512
5e268f08787e740be6fda745b2a13dd3ae143ee2d8c2c818d0e4181e0a99a90741bbb14aab94c796380367f8a8fafacc50a07f31f06372d8faaec0d32d9dc633

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
b0988fa48780f17f6e178101dd31fdaf

SHA1
d0914db46175b2f86acc2e68f89b064a1121c638

SHA256
cc3c2397646b80e9d2818c6aa5d52ecb406e2ab51382a2cb68084bd88c6e790d

SHA512
e160b0fadce1eaadb5767716f135631e71128f69f321901b35a81e82ea6d5145d9738044b5ab51e19cc9097b9c0ed188f3d6a5367199a2461574df0da2fd5635

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
273a0f688a51a7908e7605e4f3487192

SHA1
cde30b9dbe0b0b7d4217b0b7f7019bc2e9e4c08a

SHA256
c3615dbcc9ffff420ce3900e2ada9cf8c8ecfb696a358794b820d69131e02f0f

SHA512
ef9c30aaa9ccd21cdd6e6d8cb77a4d1d5c55e924b882b54d76f871070a404c78694e4f47607ce3ff0266895161bf7517a12063f1c9e306789f897a9caea7b845

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
229KB

MD5
737a07f55a39d18a92beaeef1bc0c740

SHA1
3eac41ea0d55eeb2a108d6a905aae4c3b5b4ef77

SHA256
f27ff27855efabc8652a7e9d4a7cb2bc7c5da6f8e2e3af84df51f77e47abd8ae

SHA512
a37d57cba0b2d4207b86e4dff13d83ef5e1424ce29353fd5a877b447e489bd8d81f85b68d96075fb7bbed6fbbd3a13c1475d51a5bacc54526a25e3c75a1a9a70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
229KB

MD5
016b75cdc3da55c4669333ea9e1e2fa9

SHA1
4c45ddb6c65a2b9a9eadf5ec8ee26aa6050fb9b2

SHA256
db888ee8df0d97a55ed0553374d0fe6ee75438bac4363f60900b5c2812b487ef

SHA512
1d0b6b329a1d4b2d3c565bfd09121dd4e275eeb9dca5c4d2c869ceddb2eb582e2109cd8e130a4b202a569bcf4701b0a9a338a2115bec0578da4a5d371dd8919f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
101KB

MD5
5c732f38b7345f86bdcf72db920df43c

SHA1
f205842be4ebf60548281204867ec6120861dea4

SHA256
aa4e5f830b31f7abd05d139e1d3b03203f2c5b44508e44a6d16e3550cc953e3b

SHA512
ce08750d636971dbb6596701c277b271d08cc0e588430d31e245b36c61f1ef0133d2dfb8e9abf7d626fece17f8a927939a020513f9de32c32f9a28ecc98689a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe595857.TMP

Filesize
98KB

MD5
9dff336a195fc3c95b05eaa38eae6e1d

SHA1
e7b102e2386029b3c483c641f717b9240133247e

SHA256
aad8815e7da194116a2470359a06ed7daa13b53f8b15007e600bafe96fd59890

SHA512
b29d5c7e88ae773913d487133a138d158608dfcbdb9b6bf9d1be4e37fdb8e20642ae5f19cfa0f54c0b6d39fc7510fcddf9deabf25fe04bf8b7a02a8e09784bb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\GTA 5 Web Cursor.cur

Filesize
4KB

MD5
ff6de1c4f3bc8fec42883a51f23c9df7

SHA1
3297b0be81fa0cd2828412d625e5655b3c12b62d

SHA256
588178fd381b8616491f4830aab4c0520d83b2bc02b4484ec8a484b11923ed0b

SHA512
4cdd6b57a79498a0304fd08f2ae347d34702de0cc53d00a8524c1f5494588c6290949c93f845698bdc40ac347f5285785410a413160c596714d07a5af884b03b

Download Submit