hxxps://www[.]geeksforgeeks[.]org/how-to-control-pc-from-anywhere-using-python/

Analysis

max time kernel
98s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.geeksforgeeks.org/how-to-control-pc-from-anywhere-using-python/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E6CBAFE1-C29B-11EE-BF15-464D43A133DD} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000429d3af34477a14f8b2dd76917334189000000000200000000001066000000010000200000002d27aad0c0c72b889a4ef2a55fe904b2a65796fb92dd9cc8ef3ab47757086706000000000e800000000200002000000043cf02b4b76bad135c6ec0711e6db046fc4409bfc49889a1d3bf804a2e743e7c20000000d56868b38ce26a1126717e03683c204ef46392a16d53e74727833435036d68fe40000000270995371e0059923e3ceae2b5c5b1a1ae98d4ceec684949896ac36e06113b762d548dd5698157bacc32295572f92bd6980c628584f06976822dfe042e9ff717	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000429d3af34477a14f8b2dd7691733418900000000020000000000106600000001000020000000dc460ed18fa9f3caf7cca3a8294e4d36c8d9365de3a3147008b75d3ea6a3ee10000000000e80000000020000200000003d66373778223422fdd93568c1f4823dc07b91a1cac9aaf9e83c51915455bdbe9000000044635e6b2b5eba63a8c421eef8262be19646b8ead65527433a2ea54e38893391cdd9208ccf868ecc3798534df953258d1ff9ac3f2c4d5deb7d53fca83e310917735fa2ccf47d492ee651ba13b03de66fcf50a8333e20e6ef63630267242cb9fcba03262b61e096dfa412f39248756b0f844f04da3dfb1f13795a427d71b356da8ce78ab1c3af4128bff90776ac59f90a4000000006b4c36b59e5823d4ef381a3367906be5c08a6014e73af71c326870435f0673125baf86fb33aed5891da446009fcdd3729d9280bc71db13087935a822b414f20	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "413130403"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b08e60bca856da01	iexplore.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2300	chrome.exe
2300	chrome.exe
2696	taskmgr.exe
2696	taskmgr.exe
2696	taskmgr.exe
2696	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeDebugPrivilege	2696	taskmgr.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1896	iexplore.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2696	taskmgr.exe
2696	taskmgr.exe
2696	taskmgr.exe
2696	taskmgr.exe
2696	taskmgr.exe
2696	taskmgr.exe
2696	taskmgr.exe
2696	taskmgr.exe
2696	taskmgr.exe
2696	taskmgr.exe
2696	taskmgr.exe
2696	taskmgr.exe
2696	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2696	taskmgr.exe
2696	taskmgr.exe
2696	taskmgr.exe
2696	taskmgr.exe
2696	taskmgr.exe
2696	taskmgr.exe
2696	taskmgr.exe
2696	taskmgr.exe
2696	taskmgr.exe
2696	taskmgr.exe
2696	taskmgr.exe
2696	taskmgr.exe
2696	taskmgr.exe
2696	taskmgr.exe
2696	taskmgr.exe
2696	taskmgr.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1896	iexplore.exe
1896	iexplore.exe
1956	IEXPLORE.EXE
1956	IEXPLORE.EXE
1956	IEXPLORE.EXE
1956	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 1956	1896	iexplore.exe	28
PID 1896 wrote to memory of 1956	1896	iexplore.exe	28
PID 1896 wrote to memory of 1956	1896	iexplore.exe	28
PID 1896 wrote to memory of 1956	1896	iexplore.exe	28
PID 2300 wrote to memory of 3048	2300	chrome.exe	34
PID 2300 wrote to memory of 3048	2300	chrome.exe	34
PID 2300 wrote to memory of 3048	2300	chrome.exe	34
PID 2300 wrote to memory of 1688	2300	chrome.exe	36
PID 2300 wrote to memory of 1688	2300	chrome.exe	36
PID 2300 wrote to memory of 1688	2300	chrome.exe	36
PID 2300 wrote to memory of 1688	2300	chrome.exe	36
PID 2300 wrote to memory of 1688	2300	chrome.exe	36
PID 2300 wrote to memory of 1688	2300	chrome.exe	36
PID 2300 wrote to memory of 1688	2300	chrome.exe	36
PID 2300 wrote to memory of 1688	2300	chrome.exe	36
PID 2300 wrote to memory of 1688	2300	chrome.exe	36
PID 2300 wrote to memory of 1688	2300	chrome.exe	36
PID 2300 wrote to memory of 1688	2300	chrome.exe	36
PID 2300 wrote to memory of 1688	2300	chrome.exe	36
PID 2300 wrote to memory of 1688	2300	chrome.exe	36
PID 2300 wrote to memory of 1688	2300	chrome.exe	36
PID 2300 wrote to memory of 1688	2300	chrome.exe	36
PID 2300 wrote to memory of 1688	2300	chrome.exe	36
PID 2300 wrote to memory of 1688	2300	chrome.exe	36
PID 2300 wrote to memory of 1688	2300	chrome.exe	36
PID 2300 wrote to memory of 1688	2300	chrome.exe	36
PID 2300 wrote to memory of 1688	2300	chrome.exe	36
PID 2300 wrote to memory of 1688	2300	chrome.exe	36
PID 2300 wrote to memory of 1688	2300	chrome.exe	36
PID 2300 wrote to memory of 1688	2300	chrome.exe	36
PID 2300 wrote to memory of 1688	2300	chrome.exe	36
PID 2300 wrote to memory of 1688	2300	chrome.exe	36
PID 2300 wrote to memory of 1688	2300	chrome.exe	36
PID 2300 wrote to memory of 1688	2300	chrome.exe	36
PID 2300 wrote to memory of 1688	2300	chrome.exe	36
PID 2300 wrote to memory of 1688	2300	chrome.exe	36
PID 2300 wrote to memory of 1688	2300	chrome.exe	36
PID 2300 wrote to memory of 1688	2300	chrome.exe	36
PID 2300 wrote to memory of 1688	2300	chrome.exe	36
PID 2300 wrote to memory of 1688	2300	chrome.exe	36
PID 2300 wrote to memory of 1688	2300	chrome.exe	36
PID 2300 wrote to memory of 1688	2300	chrome.exe	36
PID 2300 wrote to memory of 1688	2300	chrome.exe	36
PID 2300 wrote to memory of 1688	2300	chrome.exe	36
PID 2300 wrote to memory of 1688	2300	chrome.exe	36
PID 2300 wrote to memory of 1688	2300	chrome.exe	36
PID 2300 wrote to memory of 2496	2300	chrome.exe	37
PID 2300 wrote to memory of 2496	2300	chrome.exe	37
PID 2300 wrote to memory of 2496	2300	chrome.exe	37
PID 2300 wrote to memory of 1616	2300	chrome.exe	38
PID 2300 wrote to memory of 1616	2300	chrome.exe	38
PID 2300 wrote to memory of 1616	2300	chrome.exe	38
PID 2300 wrote to memory of 1616	2300	chrome.exe	38
PID 2300 wrote to memory of 1616	2300	chrome.exe	38
PID 2300 wrote to memory of 1616	2300	chrome.exe	38
PID 2300 wrote to memory of 1616	2300	chrome.exe	38
PID 2300 wrote to memory of 1616	2300	chrome.exe	38
PID 2300 wrote to memory of 1616	2300	chrome.exe	38
PID 2300 wrote to memory of 1616	2300	chrome.exe	38
PID 2300 wrote to memory of 1616	2300	chrome.exe	38
PID 2300 wrote to memory of 1616	2300	chrome.exe	38
PID 2300 wrote to memory of 1616	2300	chrome.exe	38
PID 2300 wrote to memory of 1616	2300	chrome.exe	38
PID 2300 wrote to memory of 1616	2300	chrome.exe	38

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.geeksforgeeks.org/how-to-control-pc-from-anywhere-using-python/
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1896 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5a19758,0x7fef5a19768,0x7fef5a19778
  2⤵
  PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1376,i,14235275128125935928,18173401693866749216,131072 /prefetch:2
  2⤵
  PID:1688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1376,i,14235275128125935928,18173401693866749216,131072 /prefetch:8
  2⤵
  PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1376,i,14235275128125935928,18173401693866749216,131072 /prefetch:8
  2⤵
  PID:1616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2316 --field-trial-handle=1376,i,14235275128125935928,18173401693866749216,131072 /prefetch:1
  2⤵
  PID:776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2348 --field-trial-handle=1376,i,14235275128125935928,18173401693866749216,131072 /prefetch:1
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1364 --field-trial-handle=1376,i,14235275128125935928,18173401693866749216,131072 /prefetch:2
  2⤵
  PID:2492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2200 --field-trial-handle=1376,i,14235275128125935928,18173401693866749216,131072 /prefetch:1
  2⤵
  PID:484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3544 --field-trial-handle=1376,i,14235275128125935928,18173401693866749216,131072 /prefetch:8
  2⤵
  PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3540 --field-trial-handle=1376,i,14235275128125935928,18173401693866749216,131072 /prefetch:8
  2⤵
  PID:1972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3924 --field-trial-handle=1376,i,14235275128125935928,18173401693866749216,131072 /prefetch:8
  2⤵
  PID:2720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2056 --field-trial-handle=1376,i,14235275128125935928,18173401693866749216,131072 /prefetch:1
  2⤵
  PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2536 --field-trial-handle=1376,i,14235275128125935928,18173401693866749216,131072 /prefetch:1
  2⤵
  PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2404 --field-trial-handle=1376,i,14235275128125935928,18173401693866749216,131072 /prefetch:8
  2⤵
  PID:2628

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:984

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
db99b4b7c9916ec3427c5195c2d0a842

SHA1
29be4a8aa2e2bf78d09f1e84607593e39d583734

SHA256
2f8cc0c780b3f7ee3ea5cfc36da99ccec35bf13dca5613cfc0387c43e18dd02b

SHA512
c2da9069bae145c9bee205abbe19b2a99144db9e45b58406e55fe5d46447ce9f33724eb4fd90f9c54dcb838165bd2c3fe54418ba01565340ee30d1bdab9ec9f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fc0f88dbd4afd99cb36f1d4c59947dae

SHA1
e5ec3e42fb00a3ea609c18bd3273999066ef2fe7

SHA256
b3b7836cf413959bcfaf86bf2a2ab16487b92800245be26d56ba25348bb7345d

SHA512
874b6928211867fda4252c50bfa2fa63393fa595a628290bfcf07781beb67fe1e4b2b7ec34f46e8af77a144545e1e0a0bae31ff049222be44b5250fdade42e31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c4abf89bde030ca3c349cd2a8b24879d

SHA1
be0b9c0f16e2dc2f1b1c60cd65d87a4394703c12

SHA256
22b4544db3279bc0de5176e35e3b4eb55c703b19d65c5473d61a869d023b691b

SHA512
7987c378b078be7ff33548d0666ad49caa38d4e82a1291df82ee582c865dc10894f06d29c49a2c5d883a39c264a64399df94597404d705d59bef154c1505bc47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
45e536645559ae22e85e7b62e152037f

SHA1
bde380df98c75f63d2b8f05ab36fc0ee240c51ed

SHA256
eba8af09068631fdf94f106106c1f504b518552e325580bc5c5185639d86623d

SHA512
6cc6e34746354283fe10e22e50575ee14d32760ac810868ec8e233c7f63e5dade8d6308e17aecb10db8f1a25bb4dfbcf63263f7318e26f9138416561e19f301b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c0a2548c37a102bb81d7d2fd46e26d56

SHA1
d0d30352b1bf6dd1738a87a6c9a5b335758573d7

SHA256
3ae1c18dd8db07a337705e6e4aec5e37e7cf75e239bfe60c33f8e6365f887570

SHA512
9f12dac667a4d4b47650a78c42312eb1505f14109dd813522686c5123a242bd1fca2d451377fdee7a9bca25e11f9ed9da64237ca9bf89b082a816e3c56734808

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4bfba19ad0fa964992e4a06d214fa21e

SHA1
d3b3be95a767f84f15dfc1dc45c63caf5c321699

SHA256
d285dfa676a934bf6ae8cc5203d7f718025d805d452736cf2c7a27ace399a2ae

SHA512
c669abb8775bd680602cf3f562c80761daba41aa127d96b8d081c09c4cbfba44a1e24f4b4af05728a0f116ceb6971a4f364cb39e6396da34bb8646b64eb902d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7b04f3fbbe6ec9ee522db190686ade6b

SHA1
97dd0ab30a55481f5dcdcffaa695ca3688c3e409

SHA256
d17d3f3aa05a02aa02b43eb070cc8d6f238b784a9ca0a30ab35f2f21ad6436e4

SHA512
be846c874a10d18eb38d7ca2cd1a7b88ad6b5f848c14e7913d5ed27055b4a16f32a4958650f35f5c945a4b5dff929668fadf46f2febcbee2384eec5ce93ca120

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ba08a344095fb9859556310f5d4dd4c2

SHA1
3debf351d10055d2d0f417200d07be3a57e5bedc

SHA256
ce78c39fa2fecad0b862337cd71935038f8261d80732e777c4e362b047597ad0

SHA512
c95f483154736486664b1cf3b9323941f040b6250d4ceb6c34e841cfd1b788ebde4ff61f97533762f5562b8bb44e1a5e0357bd3ad528cee8e3c4afd07324b66b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8a6ccf3d9bdbcb28007bc78dc8200ea1

SHA1
ed15a94402dff3266b419eb353f407a9ae35cdb7

SHA256
0eb3648a796a171bad0b271a9b30a69a89ac3c153ea30f91f442605b902e139d

SHA512
938615cabbd27c1e4802936418cf3ec71c07c8c5bfb4aa55ceb925ec7f3308597860649c7ab700af8aaaa636299ed6b811e71465e7ce518248dc74c6e2788342

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
56276272c88469a40f524f7dd0bb72e2

SHA1
3bce0aaad5ab8708d32b1ae340eea2bc3540cf31

SHA256
76f57a9f434f477a6ca5f75da75fe9c8cf9211c2690dea35492a9898d76f23c9

SHA512
ddcad117860b722db7a467a04f9cba2bf014942eae35e536e1c721c35e7e4575d74f745fcc118a0fc25671a61f60589dadfe53f3b573ee74176724ef3d940067

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b570a9b6d707f1e2a8753f7463121ef4

SHA1
360ad2c7b761a0edd2285e548f60d82068dc6c25

SHA256
f6bcf3bd1c33eed67005466fa27a93311b3999f341f39e10c3913f63dcadb446

SHA512
5ea72bb50bf130283312d026b4e4bccf6a121df14c6b406b39f41f4c2c3001d196a1c88d29ffeea5fcbe8f70f498a80986ccea056e8b5b996a6e9fe09f4512a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9aa0c1cc984b72709beb87cba9d68abb

SHA1
2e05dedf238d3c5f69e0543971ffc42bd6ade314

SHA256
4958a2ea5a1198fde3b81350808427dced5f7228419f6a8c6206b29674418338

SHA512
5428239ef6bc5a5711c156ddbb6732c46d887bf7fd2602a9ac751367312e3308daa177092c0617a58cb6fb885e40e0bf9dc296fee8963d355e293588b36aad2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5ddf2d70bb019dbad7e40e5e53c6c90d

SHA1
5725e4e40ff7c9193a3f913001801c2c928d6b06

SHA256
bc790d0ff6ac8b9de6cecd4baeb6cb6ebd21fae4fe17715d30f0f3db151ef848

SHA512
b9536b35b922ec39079e57ffe29ee4a49e95da01e318cdc69102497709d6c39f4b3bfc64790ed39ec55f444b845be10a58c18d01ef3ac82fd1cf2ed351f45b70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a80431026a9b780fe008e05935fc5013

SHA1
85e758fddf7549124175e8d8258102a78d36ec64

SHA256
c78827b741cbf3ab9ad5b236b6f0e36ffb613fd735f7c0aa0e51f9d21b27c92b

SHA512
83a687640f852cb53afcb544e77939de4232bd37e55e2c6fb19048462a09930b63060ac50365889261eca5b91b56e182937496da7f58d88d527f2c84a243db87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
939f051fd997984d2a59bcea4dc4bf00

SHA1
5102567d747f3208c563df9f01e90c085c12ee13

SHA256
fa0ad11f9c4f1020f4af233bf9c12c59354f93dc5b8f31547f37ca2eeff49463

SHA512
c6f675c29a6cd1c62500839ad28410010d9031a766e063ecb5c42058d8803666cde2a8f3a26714d000eacd7160eb068c28ff5bc19a1325a52f68ffb642780248

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2f99468fba5e0e9c500da2c991989a29

SHA1
e8eb33c9de785f6648cae4ae585aa9a7242a994d

SHA256
4c78dbaac83b5e5c5e45ec586a368c25b4f89e5350ab39ef052b632ad102c16c

SHA512
4131abeb66bee7d44df682035b08ea20c0d5fb2aca0d12f24f0891064e0e2a7ecb59814467a804524bc171d043c70c609423e2a276e028b8a9450455c7df1166

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d6101623dd879059a924d263418e9c92

SHA1
c9ffb5f262d3177daf4163813df14500857e1d3e

SHA256
5491f43444a9c35a1025201d73d416968208cb79a10be02f3cfced8c34c66046

SHA512
0ee6c277557d29596eb9bb4da357044c572f469ebb7fe26d22403972c2ef9e1c3f60a1f6263d033487ee193bf574be0de80a867551980aba889d370da802405e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ba12ac48d1aaade4d1e65ecc7c2221be

SHA1
0e193b22d80f462011afd8b9154fbf2c83e7ee1f

SHA256
eb792b8db183226c0ba6ecd1337684663cef3a3a672aa9f8fb876f29556ff39f

SHA512
511c811b6f010c710da0c8e16cc321db692a82c103b12e8612ce9271545c8189b21335a1c74da6fbeeb5af6eb8ba8492d5a53a2b60b6800c38ca36da80884018

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bb4519006d442766c3dc670e583afdec

SHA1
309e90463c1db477fdc8ad336aef60b7bc622650

SHA256
e585618c0b13d70fdd8b2f6561c8af82345d7d418d2f310bbe37e7c845d23179

SHA512
23a6b7ea79c9fee9a5f5f6945e05941d83e00ef2bf601bf8de1bd5642435aaf2f03d1116ce4329ab456db8b41115670544f7a966d21fc824d823ee97d471ff42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
f52e968531ca989d61f952ef9cf93ff2

SHA1
5c6915f7a3f5592f0b2047aa90fa0b4f39258829

SHA256
9ad27db77803ab11570d119c809d1ec12691c5388b4a58aa5bf43f605f46b6b9

SHA512
a9433be9d56efc1ebaf06919ed49c779ebd59bd57659fbaa5a32456dd1608fab8c732a093cb944917e8c03e6ef10bff515d19d8ed8f43959ef135b625930ae45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
f14d0e219bf40830f616c83f1c08b007

SHA1
fb3c3bd8e33c2f9d0e0d54d3814b0b20dcb01a0a

SHA256
0fa840f1a723b29b596d5c9046ccfbe508cd87c78267599ff5a90150e16754a2

SHA512
c71b87cba61a4094cc8218b1826cfe1bc6f1f5ccc2804c557fb41d543e43d73b626d87e72f6c7f11988886c8682c0f9f7fc9859dd1821e228041b9a224894b63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
c732f83893a4cdede21dc051563102b1

SHA1
74a37b435336ca9f27058de9b8ee898343cc9661

SHA256
ac2b621b62a24b3f1ee34ad4ba78d22e704a79100aa0372201653dc796c80fa9

SHA512
9926d68559f0f68540d00f26842931506a1a0debff61fba9c624591ba2fe58c2c69d17a542c29cde84c2b53d6ec9df7f41e805a425b15396b314d174d0bc21e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab654B.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar65DB.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF78EDAD2B84790646.TMP

Filesize
16KB

MD5
352a1d7b28036c3cb65c2cda9423d137

SHA1
eee4c84829a5ed019961d25e0b5a032863652cd6

SHA256
0399b6279ba766543f96f2336ff01567e4f1c062f9395d3f1bbcc9d3c4fa0ebe

SHA512
c0f2552207dae7a4052e7ab798d2e569bd0b887b1afac02c75ca5af90df83e7c4511d9a8f25504093b06e01e17911eb9a8892c043c336096e833c5fcb7c70787

Download Submit
memory/2696-942-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2696-941-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download