e03518acef8a2fecee311fac04e11943e8b219815f02224a4ae30d5ecccf0f90

Analysis

max time kernel
292s
max time network
298s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
26/05/2024, 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

crypted.exe
Size

519KB
MD5

1b1c7e6e96667a6a758b22d444de57a7
SHA1

3eafd122d0814ee5aeb35a9bce975805a8cf6744
SHA256

e03518acef8a2fecee311fac04e11943e8b219815f02224a4ae30d5ecccf0f90
SHA512

2ed665526ec20b8c3d8a6854e25bcf44755e4bfd8f34b3770c3694e4b9cd8b2ad85d130830cb298aa18521f30038ef47e5d93225a5eb14039670f5ef626f91f7
SSDEEP

12288:ar9mi27cWO4AEcI9cCHEAJtv9QXmuP16k:6mfemcCflO1

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1184	1720	WerFault.exe	28

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9B16AA21-1BAE-11EF-ACD5-4635F953E0C8} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1968	chrome.exe
1968	chrome.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1364	iexplore.exe
1364	iexplore.exe
1364	iexplore.exe
1364	iexplore.exe
2724	IEXPLORE.EXE
2724	IEXPLORE.EXE
2112	IEXPLORE.EXE
2112	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 1184	1720	crypted.exe	29
PID 1720 wrote to memory of 1184	1720	crypted.exe	29
PID 1720 wrote to memory of 1184	1720	crypted.exe	29
PID 1720 wrote to memory of 1184	1720	crypted.exe	29
PID 2456 wrote to memory of 2756	2456	wmplayer.exe	35
PID 2456 wrote to memory of 2756	2456	wmplayer.exe	35
PID 2456 wrote to memory of 2756	2456	wmplayer.exe	35
PID 2456 wrote to memory of 2756	2456	wmplayer.exe	35
PID 2456 wrote to memory of 2756	2456	wmplayer.exe	35
PID 2456 wrote to memory of 2756	2456	wmplayer.exe	35
PID 2456 wrote to memory of 2756	2456	wmplayer.exe	35
PID 2784 wrote to memory of 2192	2784	wmplayer.exe	37
PID 2784 wrote to memory of 2192	2784	wmplayer.exe	37
PID 2784 wrote to memory of 2192	2784	wmplayer.exe	37
PID 2784 wrote to memory of 2192	2784	wmplayer.exe	37
PID 2784 wrote to memory of 2192	2784	wmplayer.exe	37
PID 2784 wrote to memory of 2192	2784	wmplayer.exe	37
PID 2784 wrote to memory of 2192	2784	wmplayer.exe	37
PID 1968 wrote to memory of 328	1968	chrome.exe	40
PID 1968 wrote to memory of 328	1968	chrome.exe	40
PID 1968 wrote to memory of 328	1968	chrome.exe	40
PID 1440 wrote to memory of 1500	1440	chrome.exe	42
PID 1440 wrote to memory of 1500	1440	chrome.exe	42
PID 1440 wrote to memory of 1500	1440	chrome.exe	42
PID 2240 wrote to memory of 696	2240	chrome.exe	45
PID 2240 wrote to memory of 696	2240	chrome.exe	45
PID 2240 wrote to memory of 696	2240	chrome.exe	45
PID 1968 wrote to memory of 1868	1968	chrome.exe	46
PID 1968 wrote to memory of 1868	1968	chrome.exe	46
PID 1968 wrote to memory of 1868	1968	chrome.exe	46
PID 1968 wrote to memory of 1868	1968	chrome.exe	46
PID 1968 wrote to memory of 1868	1968	chrome.exe	46
PID 1968 wrote to memory of 1868	1968	chrome.exe	46
PID 1968 wrote to memory of 1868	1968	chrome.exe	46
PID 1968 wrote to memory of 1868	1968	chrome.exe	46
PID 1968 wrote to memory of 1868	1968	chrome.exe	46
PID 1968 wrote to memory of 1868	1968	chrome.exe	46
PID 1968 wrote to memory of 1868	1968	chrome.exe	46
PID 1968 wrote to memory of 1868	1968	chrome.exe	46
PID 1968 wrote to memory of 1868	1968	chrome.exe	46
PID 1968 wrote to memory of 1868	1968	chrome.exe	46
PID 1968 wrote to memory of 1868	1968	chrome.exe	46
PID 1968 wrote to memory of 1868	1968	chrome.exe	46
PID 1968 wrote to memory of 1868	1968	chrome.exe	46
PID 1968 wrote to memory of 1868	1968	chrome.exe	46
PID 1968 wrote to memory of 1868	1968	chrome.exe	46
PID 1968 wrote to memory of 1868	1968	chrome.exe	46
PID 1968 wrote to memory of 1868	1968	chrome.exe	46
PID 1968 wrote to memory of 1868	1968	chrome.exe	46
PID 1968 wrote to memory of 1868	1968	chrome.exe	46
PID 1968 wrote to memory of 1868	1968	chrome.exe	46
PID 1968 wrote to memory of 1868	1968	chrome.exe	46
PID 1968 wrote to memory of 1868	1968	chrome.exe	46
PID 1968 wrote to memory of 1868	1968	chrome.exe	46
PID 1968 wrote to memory of 1868	1968	chrome.exe	46
PID 1968 wrote to memory of 1868	1968	chrome.exe	46
PID 1968 wrote to memory of 1868	1968	chrome.exe	46
PID 1968 wrote to memory of 1868	1968	chrome.exe	46
PID 1968 wrote to memory of 1868	1968	chrome.exe	46
PID 1968 wrote to memory of 1868	1968	chrome.exe	46
PID 1968 wrote to memory of 1868	1968	chrome.exe	46
PID 1968 wrote to memory of 1868	1968	chrome.exe	46
PID 1968 wrote to memory of 1868	1968	chrome.exe	46
PID 1968 wrote to memory of 1868	1968	chrome.exe	46

C:\Users\Admin\AppData\Local\Temp\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\crypted.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 72
  2⤵
  - Program crash
  PID:1184

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2532

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
1⤵
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
  2⤵
  PID:2756

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
1⤵
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
  2⤵
  PID:2192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6649758,0x7fef6649768,0x7fef6649778
  2⤵
  PID:328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1568,i,7338016496205138792,5026626973381700810,131072 /prefetch:2
  2⤵
  PID:1868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1380 --field-trial-handle=1568,i,7338016496205138792,5026626973381700810,131072 /prefetch:8
  2⤵
  PID:896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1464 --field-trial-handle=1568,i,7338016496205138792,5026626973381700810,131072 /prefetch:8
  2⤵
  PID:688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2088 --field-trial-handle=1568,i,7338016496205138792,5026626973381700810,131072 /prefetch:1
  2⤵
  PID:2360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2140 --field-trial-handle=1568,i,7338016496205138792,5026626973381700810,131072 /prefetch:1
  2⤵
  PID:2836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3316 --field-trial-handle=1568,i,7338016496205138792,5026626973381700810,131072 /prefetch:2
  2⤵
  PID:1592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3312 --field-trial-handle=1568,i,7338016496205138792,5026626973381700810,131072 /prefetch:2
  2⤵
  PID:996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=1936 --field-trial-handle=1568,i,7338016496205138792,5026626973381700810,131072 /prefetch:1
  2⤵
  PID:2692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3504 --field-trial-handle=1568,i,7338016496205138792,5026626973381700810,131072 /prefetch:8
  2⤵
  PID:380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3620 --field-trial-handle=1568,i,7338016496205138792,5026626973381700810,131072 /prefetch:8
  2⤵
  PID:832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6649758,0x7fef6649768,0x7fef6649778
  2⤵
  PID:1500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1120 --field-trial-handle=1436,i,12214937066404968985,18084536896400236982,131072 /prefetch:2
  2⤵
  PID:2952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1388 --field-trial-handle=1436,i,12214937066404968985,18084536896400236982,131072 /prefetch:8
  2⤵
  PID:2064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6649758,0x7fef6649768,0x7fef6649778
  2⤵
  PID:696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1120 --field-trial-handle=1288,i,3742164435834143947,7341698285054257685,131072 /prefetch:2
  2⤵
  PID:2968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1468 --field-trial-handle=1288,i,3742164435834143947,7341698285054257685,131072 /prefetch:8
  2⤵
  PID:3016

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1552

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1364
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1364 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2724
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1364 CREDAT:5518337 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2112

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3060

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
395410ec69cf6e9afcf48dbe162a3c2e

SHA1
8bf7228a041402db3f36e10648444a33ccd6b61f

SHA256
ca9fb131db0e35882ba461f9b68ccb6c444c9a5d4fea0639c203b496588eff3e

SHA512
d802374a0ed824013898854957c6d8c7d1eaa733e71b96fc5a3d0b4362608409cfd42dde240f589e3950a6bd56322daa34802edbd3ffccc2fdeb560f307682df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9792fcb8bd493fd15d01e24cf445b4b4

SHA1
a039e78e32d61bd687981d69cfc14f1bd754a659

SHA256
b662eacac22dd4f5dc0af856d57a5b1e1a485c2b8e3f3284a619c057f526fefe

SHA512
1a58cd05bd0ede42326b82eba86dabf94228cd210d743327be6cb124205eae2e33b31fb00a39adb128143b8b974abad5f1fa56e77b68c2392fadb603df52abb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
22e4584419ad1aabaedd720477bb8b3b

SHA1
facf141446940ee354f4f9b4365b51f7a023504a

SHA256
b60197fee948995ed40de5cae29bcd063320e530ec34f76234b115fe6e229d71

SHA512
3753b8a76675b5050544d8e52021471fc405031c67569599ff1a6d8662b10b0a3b6daa5de6fb630c95217fb1ec34070ab95538afbec757667d56d4baf78d3bd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0c931539e8d98ec661de7381f8ce279e

SHA1
2cfd16e0eed068ddde095a48d7f0d1eb3bb2c5d0

SHA256
528735033f87f5588bd60d5a457d3706a14abb89bc5acebbd1f9d256597b607f

SHA512
fb598d9d25aef0574e1175945062b22be065eafc29053b69f3dddd9846649e742b207e02d36d3acb773d3d6d5c7d5ec174b96471f1f85d9c1733d0f00280c4b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
739c6b68fcc26e765560aaaff92977ac

SHA1
173992f72a1fdbafb8ee2dc56210a4362225e45a

SHA256
e65b660ab1a0c6d534a12a3bd119923c0d4b9b804344603ccb16e7d93a3630da

SHA512
de7149b9ce04f2b1a7866332df1408cb1b3f39969daf2236ed18e6587af03c8d2ddad3ea5b16ee8523f77c4d128176700bc7b64b8807b6c0ddb0f508f33c48d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
64f944be201c7609178099742483d3b3

SHA1
d33688189c935065386e95a79d726477eab76d64

SHA256
14661c4b06932dbc0186e38722f573d1b937472a6edf7c44d3a9a5a1d394855c

SHA512
e206b3699a2318f684d7154ee79f7c7bbb3bb89c840f8af474398b39aee738da15a42abd15ed83e620a3de170b9b180dd0ca101de80bb14460a3e86e0f04222b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
886f26b08ddb7f21f7f57b664e803f91

SHA1
41a09b9244841e2a14ad909e8b5623a934295c55

SHA256
e96c93583f01dbe77a54ef5806adf6212fa5012b372cae501af3645bba4db180

SHA512
0d9ee2ff50d1aca7db8ebc8debf4bc6c03763c56be5ca1e30fb5d0f15679124604db71628c8ceb10bf8e756d8c05adf26b863f449879bad82fe971deeeee0f9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bdb1dbf66e4f7c79176258b700a9803f

SHA1
31b0fe1ae84d2eb1d33bc3d99a139b01bc7e0df0

SHA256
0968f8d7a03112c54a62df4845fcb1b18587d8e9bca258d22c0e02e1163a7251

SHA512
8bcd2adac4d467a2090c187e77a48c3cabf1be9b1464a7001a5160239aab017300aee145d9b46d0b6d283238cba5e8ccdb2a9d2105dab07ccc0f76994a64e2d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
46e3ba67bbef10dd2628fc642e83c68f

SHA1
7e107ccbde8bd30d4c684c7ec69bc7b9d3215282

SHA256
de596cd9321d7f71ad4a1b4e2a602d19d94c1f2c9558edb5154bbfab2e53c88e

SHA512
2b0ca5d393ecb92863dedaae7186820c338e4ceb0c1811fcc362a2fb2be4635dc815e657af5fc1d3b7a1e10beb711db581f49861e19f20081e575c3b449be33c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\4c65031d-fc40-43b3-9715-0351690ce48d.tmp

Filesize
140KB

MD5
2dd3dc9a22d62031638bc1bdd99c6fd4

SHA1
effa2c31b26a44d3bc485ae10a2062e433001ae3

SHA256
12cd644efc08d9317e164a946f873728d5a378198b5d7ae1297c07ed55528c0c

SHA512
e7ba9047ddbd19bcfc0e14844515c99bf44134ab29e07b1166d29131175250534af0b2503fbb18118f0e29ea2e77b0b495fea0277d025e27605dfd2a5ebf07fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
72c8c104a995be18d4523fc3a415c4c7

SHA1
2941caf4bcee7a327b91a6ed0279dd6dc2c92289

SHA256
a95637c551113d259419ed408b7a2f6166c7d2965c915494fbaafd5ffcb31e73

SHA512
9fe1c427a5e164d370929d2ef332ceabc2802395fa537525655dd2c97f02c38b1d087736f59675fb155d517bbab34c1e98f93a126ab29f1efe581c9123475baa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
f732dbed9289177d15e236d0f8f2ddd3

SHA1
53f822af51b014bc3d4b575865d9c3ef0e4debde

SHA256
2741df9ee9e9d9883397078f94480e9bc1d9c76996eec5cfe4e77929337cbe93

SHA512
b64e5021f32e26c752fcba15a139815894309b25644e74ceca46a9aa97070bca3b77ded569a9bfd694193d035ba75b61a8d6262c8e6d5c4d76b452b38f5150a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
16b7586b9eba5296ea04b791fc3d675e

SHA1
8890767dd7eb4d1beab829324ba8b9599051f0b0

SHA256
474d668707f1cb929fef1e3798b71b632e50675bd1a9dceaab90c9587f72f680

SHA512
58668d0c28b63548a1f13d2c2dfa19bcc14c0b7406833ad8e72dfc07f46d8df6ded46265d74a042d07fbc88f78a59cb32389ef384ec78a55976dfc2737868771

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
85B

MD5
8549c255650427d618ef18b14dfd2b56

SHA1
8272585186777b344db3960df62b00f570d247f6

SHA256
40395d9ca4b65d48deac792844a77d4f8051f1cef30df561dacfeeed3c3bae13

SHA512
e5bb8a0ad338372635c3629e306604e3dc5a5c26fb5547a3dd7e404e5261630612c07326e7ebf5b47abafade8e555965a1a59a1eecfc496dcdd5003048898a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
85B

MD5
265db1c9337422f9af69ef2b4e1c7205

SHA1
3e38976bb5cf035c75c9bc185f72a80e70f41c2e

SHA256
7ca5a3ccc077698ca62ac8157676814b3d8e93586364d0318987e37b4f8590bc

SHA512
3cc9b76d8d4b6edb4c41677be3483ac37785f3bbfea4489f3855433ebf84ea25fc48efee9b74cab268dc9cb7fb4789a81c94e75c7bf723721de28aef53d8b529

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\f38c8070-fa18-47dc-b5e7-3cfa52ab40e1.tmp

Filesize
140KB

MD5
8a51289f1eb9e8c39c209314553b7ff6

SHA1
1f2b8dc670016ae90f7a98d6361612d4bde0661c

SHA256
3c6900b599288f876ee65f6659376b5946e03fb0b1c10fe46dd9d8804e953321

SHA512
329550811e11e991c561e121dd25f10ab944283b1fefe1950f1f774aec8fcb4ebc7c5736b75e3bc9a4877654aa620ac846b04fb34705a006d077058c6a557cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9F9A.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9FFD.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp85941.WMC\allservices.xml

Filesize
546B

MD5
df03e65b8e082f24dab09c57bc9c6241

SHA1
6b0dacbf38744c9a381830e6a5dc4c71bd7cedbf

SHA256
155b9c588061c71832af329fafa5678835d9153b8fbb7592195ae953d0c455ba

SHA512
ef1cc8d27fbc5da5daab854c933d3914b84ee539d4d2f0126dc1a04a830c5599e39a923c80257653638b1b99b0073a7174cc164be5887181730883c752ba2f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp87267.WMC\serviceinfo.xml

Filesize
523B

MD5
d58da90d6dc51f97cb84dfbffe2b2300

SHA1
5f86b06b992a3146cb698a99932ead57a5ec4666

SHA256
93acdb79543d9248ca3fca661f3ac287e6004e4b3dafd79d4c4070794ffbf2ad

SHA512
7f1e95e5aa4c8a0e4c967135c78f22f4505f2a48bbc619924d0096bf4a94d469389b9e8488c12edacfba819517b8376546687d1145660ad1f49d8c20a744e636

Download Submit
memory/1720-0-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1720-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2612-131-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2612-132-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download