hxxps://xx[.]oxcg8[.]ru[.]com/[.]xn/drive/onedrive/safe/index[.]php

Analysis

max time kernel
107s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2024 14:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://xx.oxcg8.ru.com/.xn/drive/onedrive/safe/index.php

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133561949214722358"	chrome.exe

Modifies registry class 34 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

2516 chrome.exe
2516 chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

Processes:

chrome.exe

pid	process
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

chrome.exe

pid	process
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

chrome.exe

pid process

4480 chrome.exe

pid	process
4480	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2516 wrote to memory of 1948	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 1948	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4012	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4012	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4012	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4012	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4012	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4012	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4012	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4012	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4012	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4012	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4012	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4012	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4012	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4012	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4012	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4012	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4012	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4012	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4012	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4012	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4012	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4012	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4012	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4012	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4012	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4012	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4012	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4012	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4012	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4012	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4012	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4012	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4012	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4012	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4012	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4012	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4012	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4012	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4976	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4976	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4788	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4788	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4788	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4788	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4788	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4788	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4788	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4788	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4788	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4788	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4788	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4788	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4788	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4788	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4788	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4788	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4788	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4788	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4788	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4788	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4788	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 4788	2516	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://xx.oxcg8.ru.com/.xn/drive/onedrive/safe/index.php
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd70499758,0x7ffd70499768,0x7ffd70499778
2⤵
PID:1948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1880,i,14923797538653432573,9569317177957203055,131072 /prefetch:2
2⤵
PID:4012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1968 --field-trial-handle=1880,i,14923797538653432573,9569317177957203055,131072 /prefetch:8
2⤵
PID:4976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 --field-trial-handle=1880,i,14923797538653432573,9569317177957203055,131072 /prefetch:8
2⤵
PID:4788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2984 --field-trial-handle=1880,i,14923797538653432573,9569317177957203055,131072 /prefetch:1
2⤵
PID:2828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2992 --field-trial-handle=1880,i,14923797538653432573,9569317177957203055,131072 /prefetch:1
2⤵
PID:3904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3720 --field-trial-handle=1880,i,14923797538653432573,9569317177957203055,131072 /prefetch:8
2⤵
PID:3204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 --field-trial-handle=1880,i,14923797538653432573,9569317177957203055,131072 /prefetch:8
2⤵
PID:3216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4584 --field-trial-handle=1880,i,14923797538653432573,9569317177957203055,131072 /prefetch:1
2⤵
PID:1612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5092 --field-trial-handle=1880,i,14923797538653432573,9569317177957203055,131072 /prefetch:1
2⤵
PID:1512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4908 --field-trial-handle=1880,i,14923797538653432573,9569317177957203055,131072 /prefetch:1
2⤵
PID:3728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4968 --field-trial-handle=1880,i,14923797538653432573,9569317177957203055,131072 /prefetch:1
2⤵
PID:3084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --pdf-renderer --lang=en-US --js-flags=--jitless --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3004 --field-trial-handle=1880,i,14923797538653432573,9569317177957203055,131072 /prefetch:1
2⤵
PID:3936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 --field-trial-handle=1880,i,14923797538653432573,9569317177957203055,131072 /prefetch:8
2⤵
PID:4820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5620 --field-trial-handle=1880,i,14923797538653432573,9569317177957203055,131072 /prefetch:1
2⤵
PID:3924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4584 --field-trial-handle=1880,i,14923797538653432573,9569317177957203055,131072 /prefetch:1
2⤵
PID:4228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2196 --field-trial-handle=1880,i,14923797538653432573,9569317177957203055,131072 /prefetch:1
2⤵
PID:1344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=1688 --field-trial-handle=1880,i,14923797538653432573,9569317177957203055,131072 /prefetch:1
2⤵
PID:516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --pdf-renderer --lang=en-US --js-flags=--jitless --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5400 --field-trial-handle=1880,i,14923797538653432573,9569317177957203055,131072 /prefetch:1
2⤵
PID:4164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5228 --field-trial-handle=1880,i,14923797538653432573,9569317177957203055,131072 /prefetch:1
2⤵
PID:548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=4584 --field-trial-handle=1880,i,14923797538653432573,9569317177957203055,131072 /prefetch:1
2⤵
PID:2600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5408 --field-trial-handle=1880,i,14923797538653432573,9569317177957203055,131072 /prefetch:1
2⤵
PID:4212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5636 --field-trial-handle=1880,i,14923797538653432573,9569317177957203055,131072 /prefetch:1
2⤵
PID:2324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --pdf-renderer --lang=en-US --js-flags=--jitless --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=4124 --field-trial-handle=1880,i,14923797538653432573,9569317177957203055,131072 /prefetch:1
2⤵
PID:1760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 --field-trial-handle=1880,i,14923797538653432573,9569317177957203055,131072 /prefetch:8
2⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=824 --field-trial-handle=1880,i,14923797538653432573,9569317177957203055,131072 /prefetch:8
2⤵
PID:1396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 --field-trial-handle=1880,i,14923797538653432573,9569317177957203055,131072 /prefetch:8
2⤵
PID:764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=3000 --field-trial-handle=1880,i,14923797538653432573,9569317177957203055,131072 /prefetch:1
2⤵
PID:2616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --pdf-renderer --lang=en-US --js-flags=--jitless --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=5852 --field-trial-handle=1880,i,14923797538653432573,9569317177957203055,131072 /prefetch:1
2⤵
PID:5108

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4944

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000003
Filesize
2.5MB

MD5
debce57afb548824d4d906ce392c3800

SHA1
b7268cbf8fa4e33dad4a65f8aa7b29891344d3ac

SHA256
125286a40a489bcf4a52f9ca59f20553249ea8b35a0edcdb144a9084355a05f3

SHA512
1cbf0415e94a3ffcee5e45d72e945a7766b41f0b9e9fe1c600f693f9c2931933b6837d333f20d2d43d8080c97e065298cf4500289162a359f75fda8c4e8352af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
a36b00b7f66d24bf4ba03224ff35f453

SHA1
807430527c1ba60f0152e922286bbf268073b59e

SHA256
f27c23a2fd930717e019189aa577bc0b90ee380d3aae57b8a720de4d0b75cf92

SHA512
faf95bba234f64d3cbd81d83505f08104e74a76f2d948aaa0b047f58bca7f0259d1102a370cce48b3c9a30b96d4700ca83e4e1af0b0176e719d1d06ebe005d7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
538B

MD5
8450d4244717e8a0d0fb94acf7f7e8eb

SHA1
3d9f0999783e9ca596afc8a183cc881d4fc2db18

SHA256
e9b69add4004534252a14503a18c4856c2140b6720b1e4e769bb85d30111c8f2

SHA512
90661506425454889e1e7ea0823096479926c9f9518fa47ba89bf1a5f33bd12d5268f3e446bcddc7d7fd65870f63f8ae9ba91857a75a2a97109cd27dc5c9d874

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
538B

MD5
93e841a82e935f0800b1cd5b11b8a496

SHA1
4cf17ced5de5b90a05d4ef3ba5bff1fbc8d7ae67

SHA256
4a77bf8d124ee6799e26b5ae4c5b6ffc7fcde48909690fa51a809779a2068fc3

SHA512
85accd7f6ec997e23f85757a5bb1c7cfb04f4a8dd6737481a6feaa06f8808db4d743a90fa1ab94a2515a62bf2d183ec2af2ae0b2feda4becf09995e18c5e3a6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
538B

MD5
8007ca9725d855433bfbccea44fc3ee9

SHA1
89026089761105060c584e65d88c7984c74d8999

SHA256
d829c7393fd9dc2674f95f1e61910d92e531b28cc06d0e8e11041e316fef12bc

SHA512
9a5bd6b4a40df4b4db93cb96f056e87c5b01374ea589f80cc10c9742598c1efe80ec27b929298c832a5f17d01cf655e6577b9c9c4796f6b94d4100e89f57e04a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
dc3e206b0202df0ecbe7ea79e7bb45a7

SHA1
d24e437fe12e7f40157ca09f0529b53a4a669967

SHA256
442fefb515e611c2954d0e49754d3c2184c4a3747064d421e35ec84ddc9ff066

SHA512
d75b2b7b884e49c038e5dca57d3509653cf79855b266b08a4737bf12034c5d4b9eec3ff26ff0c8d204bf81356117f825bd24d911d5fd45049e85de11fc280aba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
d6a759abed8bddc339a2d323137f6ccd

SHA1
e55a9a7a2c8e473cc87e897a243ee56f4379eb2c

SHA256
aabbffc2bf5421738f7a783465b1e04a19972c013a51fa7835149bd30f7bde67

SHA512
b6c4f7060fcb24f9fd2b296ff1389210e1726e866a304cf3b74dd6e1cd29b49f06b3ae4b8b06f6e2530e88b1050478eb16800cc7c8d1b60f0c794f53a3413836

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
b8ecb530cd2f3a607dbc98ff47bb9cac

SHA1
e208aeea1208d2d1e3c68ba15dfae746a8a2b0ff

SHA256
4e46a9d273e9e7114e7807584fc9f6b50d8db68d2f544264dd21fa679e07f208

SHA512
05bf84db7485e24ff01e502ddc20ecd22463b5b85964dbc61ec898c80cbecd5517c8961d616d1db35e11208de961ad8477e079dcf2f94dcbacb9bfbde0d0d62f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
c5d194ecf9338701c99882ee9101f73a

SHA1
d92babcbd82d763e41acaf6c4bfee725b4ef281f

SHA256
5e6c022df569472199eb73169dfefe8447f029276ee597ef7d5e0c45681c09a0

SHA512
4da56df022dc5240ff8e44f2bd9b56f63e434a9756d1744e56a84a43330f51bcdc55a45da11c195b7a50a0af43b00eca12296d414d8d25adbf1b1006dcbb97f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
121733ac5948a3232dc6f5b5a88e9afe

SHA1
db7f392fb1893536226064b25705b266f71db506

SHA256
064613ce5e50b60e109605c720ed65e70323df52b8f6cb1e5b4e201070a8a8f7

SHA512
084b1e3710a0ee96aacf61b6750b77570f7398ad113b5482ed212c405788cec4668bc84773e615a9bcdda8e13e877ca59c18b6e9c6122c9ba3ecda9907dd0215

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
128KB

MD5
0e4a0f0cae9ec1ffc92722b698bf0d47

SHA1
84ade6f2f851a8fc36c3b1c79de12a18b5a0cf44

SHA256
252e3d4e4db00f927f37bc5894e29e8c18d39e8cee5bf4838605c1564d89c577

SHA512
64afe413ca0ae9ec460a440d42c4a0456842e49bafbbc84f171e0b2a07a410e0fea5616b4af9f648306b65f9f77655036c0de9cbf28c71962235225b166c20f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
98KB

MD5
b18ffbf2755c2aa22d76c3ded17db137

SHA1
de8c4dc69f8580c1e4727675bc82ae1b691992f6

SHA256
f79f733ce244257d810591025cd583d451bd8a0f6890f8fad48b8eb4ef677789

SHA512
e5a6536febfd6dcfc1ad4e706c8fe447e76e9694bd8db574f7c4edd48628cd63f205795187777057881e687d07ba0c7ebf3268959cf77b5edbc25021af4cbe11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
103KB

MD5
68c2d8f8ccdf1d0170b2d7b2cc2658a3

SHA1
132aa7faa08aef54a1bb486b80a1661803aa5e97

SHA256
e8d60b879b32f8b63975b0d1ab03f25bd3f558586707a4d91743b3e7f60ce8dd

SHA512
a8704ef7ce6a65d49ad362d7002c74acaca3e0ed96739110a5122385f12a03479fc41728e1654e89bfde4b5d986d821174843cdf1d50f75b5a6ab310c793d26c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58026c.TMP
Filesize
97KB

MD5
dfe4916e1482a67ddf5ea4ef7d354e05

SHA1
bc7a1905f20e8013b69b409410f5588d0af75df2

SHA256
ffac69669f6e09717092fc71f929c8973db65c5f44ae458ba3c48bbc4e65be6b

SHA512
41daa3c7212118860fbc8d004e637e7a7b60b927b5a9b991b9c778c1fb068b1495f1f89e4a95be8eb2034d9ad7c574831a987f2e11d73b8449bde4e752069311

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_2516_YZYSUBANOGQTWNDV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit