hxxps://gofile[.]io/d/CAPSza

General

Target

https://gofile.io/d/CAPSza

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133608951560891825"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

4612 chrome.exe
4612 chrome.exe
1100 chrome.exe
1100 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

4612 chrome.exe
4612 chrome.exe
4612 chrome.exe
4612 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4612 wrote to memory of 4832	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 4832	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 2024	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 2024	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 2024	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 2024	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 2024	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 2024	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 2024	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 2024	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 2024	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 2024	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 2024	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 2024	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 2024	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 2024	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 2024	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 2024	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 2024	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 2024	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 2024	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 2024	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 2024	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 2024	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 2024	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 2024	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 2024	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 2024	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 2024	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 2024	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 2024	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 2024	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 2024	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 1940	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 1940	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 3380	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 3380	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 3380	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 3380	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 3380	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 3380	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 3380	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 3380	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 3380	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 3380	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 3380	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 3380	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 3380	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 3380	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 3380	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 3380	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 3380	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 3380	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 3380	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 3380	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 3380	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 3380	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 3380	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 3380	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 3380	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 3380	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 3380	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 3380	4612	chrome.exe	chrome.exe
PID 4612 wrote to memory of 3380	4612	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/CAPSza
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff89584ab58,0x7ff89584ab68,0x7ff89584ab78
2⤵
PID:4832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1592 --field-trial-handle=1860,i,14382445746613632776,10546649538851184856,131072 /prefetch:2
2⤵
PID:2024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1860,i,14382445746613632776,10546649538851184856,131072 /prefetch:8
2⤵
PID:1940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1860,i,14382445746613632776,10546649538851184856,131072 /prefetch:8
2⤵
PID:3380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1860,i,14382445746613632776,10546649538851184856,131072 /prefetch:1
2⤵
PID:2032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3048 --field-trial-handle=1860,i,14382445746613632776,10546649538851184856,131072 /prefetch:1
2⤵
PID:4440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4316 --field-trial-handle=1860,i,14382445746613632776,10546649538851184856,131072 /prefetch:1
2⤵
PID:4652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4208 --field-trial-handle=1860,i,14382445746613632776,10546649538851184856,131072 /prefetch:1
2⤵
PID:1004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4640 --field-trial-handle=1860,i,14382445746613632776,10546649538851184856,131072 /prefetch:8
2⤵
PID:1600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 --field-trial-handle=1860,i,14382445746613632776,10546649538851184856,131072 /prefetch:8
2⤵
PID:2832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1860,i,14382445746613632776,10546649538851184856,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1100

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2896

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
288B

MD5
a78a977cb2be8926f9373bdc33e7f8b1

SHA1
1ea1f31b6721ea7874c56e7f5502db79e9096791

SHA256
a2d4348f130c1dd2ee43d5aaa219fbecfec4d3200875829ed6b5132b6b0db088

SHA512
36ecd1a5818808f07f0b489cb96167adabca6cf3af0bc040645d11672469c1e7d3ef0ae697a1622748dca3060f23b0b96db82b34ae62cec3a1021824e045b183

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
872accdb886b5a2d1e932c126e627f09

SHA1
ecf4ca04cea91d9594eaac289f1390d767e6f8b1

SHA256
1e86860cd10b593a31ef5541deeeabc4257d6ec2ff957b09120047a0814d38eb

SHA512
fa375220fa3da1e6b2d12fc089c9b7274d5b601bfbe2286bb4fd8a78e2fdbc00442d52f9784a8eab04050f5926de41cd0c717c50019c8c20faf6b4b1f4dd8edf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
858B

MD5
2377c1a3f6480f7bd691265341cd5363

SHA1
dee5050952ce21f97edaf925fe3e9ee7fc4ec28c

SHA256
ee25b6c4bfe39f5269d66fd347dea61bcca56d2cd6eb9944501b8258245c4a96

SHA512
39648310135b4b7013fe544887bf3cc8f7363a762192b0acb86c261c32c27bbf39f1797202b92a2c3dca705fc6043ba545371fe055635674004f91d11ffddf80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
ce39af5d6b8d1bc03120af2957357e6f

SHA1
4387239871914f41eeeb7f6ff15d16d719929af8

SHA256
74c54b6d00d00b0ae600fe98908387d445708f328762c250fe820a92659420e7

SHA512
e022c677f3cdc660c9fe4745ebd519be4ceb06a8c28af3ad9085ae5e6b292a14bfe7a54cd8edf4196c7a215f2ea15c9a1906ac2a40f7797ce6d93caaf60b79b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
130KB

MD5
e010958cc54e992da123b9c09ce5fe63

SHA1
870668af3dfbc0d0b74e585e493d4231a66d0368

SHA256
31a6d1ba918d31306cc23e39da92f383ac5363030c723395a72057c5328e7cf0

SHA512
2f11229a23fddd98a9d8f6e8b0d48e102bd031d0a306935888e0d296988c11b254343eb52526c8dd541472f443fe895ba6d294927b69defbc485e15e9a7c8aa3

Download Submit
\??\pipe\crashpad_4612_NBOCGHJDTJZIAUSZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads