gcleaner | hxxp://5[.]42[.]65[.]64

Resubmissions

17/06/2024, 23:28

240617-3gbe5syekf 8

13/06/2024, 21:40

240613-1jl9ba1dmh 10

13/06/2024, 21:29

240613-1bx1va1amd 8

10/06/2024, 22:28

240610-2d5ddatejn 10

Analysis

max time kernel
1199s
max time network
1171s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
13/06/2024, 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://5.42.65.64

Score

10^/10

gcleaner lumma loader stealer

Malware Config

Extracted

Family

gcleaner

185.172.128.90

5.42.65.64

Attributes

url_path
/advdlc.php

Extracted

Family

lumma

https://whispedwoodmoodsksl.shop/api

https://acceptabledcooeprs.shop/api

https://obsceneclassyjuwks.shop/api

https://zippyfinickysofwps.shop/api

https://miniaturefinerninewjs.shop/api

https://plaintediousidowsko.shop/api

https://sweetsquarediaslw.shop/api

https://holicisticscrarws.shop/api

https://boredimperissvieos.shop/api

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	inte.exe

Executes dropped EXE 4 IoCs

pid	Process
3604	2ONE.exe
3544	2ONE.exe
1436	EU.exe
1564	inte.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 10 IoCs

pid	pid_target	Process	procid_target
460	1436	WerFault.exe	107
880	1564	WerFault.exe	119
3808	1564	WerFault.exe	119
3160	1564	WerFault.exe	119
4896	1564	WerFault.exe	119
2392	1564	WerFault.exe	119
1488	1564	WerFault.exe	119
1076	1564	WerFault.exe	119
1452	1564	WerFault.exe	119
4652	1564	WerFault.exe	119

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
224	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\2ONE.exe = "11000"	2ONE.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	2ONE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\2ONE.exe = "11000"	2ONE.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	2ONE.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133627884642873031"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3520	chrome.exe
3520	chrome.exe
4364	chrome.exe
4364	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3520	chrome.exe
3520	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3604	2ONE.exe
3604	2ONE.exe
3604	2ONE.exe
3544	2ONE.exe
3544	2ONE.exe
3544	2ONE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3520 wrote to memory of 4008	3520	chrome.exe	82
PID 3520 wrote to memory of 4008	3520	chrome.exe	82
PID 3520 wrote to memory of 1480	3520	chrome.exe	84
PID 3520 wrote to memory of 1480	3520	chrome.exe	84
PID 3520 wrote to memory of 1480	3520	chrome.exe	84
PID 3520 wrote to memory of 1480	3520	chrome.exe	84
PID 3520 wrote to memory of 1480	3520	chrome.exe	84
PID 3520 wrote to memory of 1480	3520	chrome.exe	84
PID 3520 wrote to memory of 1480	3520	chrome.exe	84
PID 3520 wrote to memory of 1480	3520	chrome.exe	84
PID 3520 wrote to memory of 1480	3520	chrome.exe	84
PID 3520 wrote to memory of 1480	3520	chrome.exe	84
PID 3520 wrote to memory of 1480	3520	chrome.exe	84
PID 3520 wrote to memory of 1480	3520	chrome.exe	84
PID 3520 wrote to memory of 1480	3520	chrome.exe	84
PID 3520 wrote to memory of 1480	3520	chrome.exe	84
PID 3520 wrote to memory of 1480	3520	chrome.exe	84
PID 3520 wrote to memory of 1480	3520	chrome.exe	84
PID 3520 wrote to memory of 1480	3520	chrome.exe	84
PID 3520 wrote to memory of 1480	3520	chrome.exe	84
PID 3520 wrote to memory of 1480	3520	chrome.exe	84
PID 3520 wrote to memory of 1480	3520	chrome.exe	84
PID 3520 wrote to memory of 1480	3520	chrome.exe	84
PID 3520 wrote to memory of 1480	3520	chrome.exe	84
PID 3520 wrote to memory of 1480	3520	chrome.exe	84
PID 3520 wrote to memory of 1480	3520	chrome.exe	84
PID 3520 wrote to memory of 1480	3520	chrome.exe	84
PID 3520 wrote to memory of 1480	3520	chrome.exe	84
PID 3520 wrote to memory of 1480	3520	chrome.exe	84
PID 3520 wrote to memory of 1480	3520	chrome.exe	84
PID 3520 wrote to memory of 1480	3520	chrome.exe	84
PID 3520 wrote to memory of 1480	3520	chrome.exe	84
PID 3520 wrote to memory of 1480	3520	chrome.exe	84
PID 3520 wrote to memory of 4424	3520	chrome.exe	85
PID 3520 wrote to memory of 4424	3520	chrome.exe	85
PID 3520 wrote to memory of 4700	3520	chrome.exe	86
PID 3520 wrote to memory of 4700	3520	chrome.exe	86
PID 3520 wrote to memory of 4700	3520	chrome.exe	86
PID 3520 wrote to memory of 4700	3520	chrome.exe	86
PID 3520 wrote to memory of 4700	3520	chrome.exe	86
PID 3520 wrote to memory of 4700	3520	chrome.exe	86
PID 3520 wrote to memory of 4700	3520	chrome.exe	86
PID 3520 wrote to memory of 4700	3520	chrome.exe	86
PID 3520 wrote to memory of 4700	3520	chrome.exe	86
PID 3520 wrote to memory of 4700	3520	chrome.exe	86
PID 3520 wrote to memory of 4700	3520	chrome.exe	86
PID 3520 wrote to memory of 4700	3520	chrome.exe	86
PID 3520 wrote to memory of 4700	3520	chrome.exe	86
PID 3520 wrote to memory of 4700	3520	chrome.exe	86
PID 3520 wrote to memory of 4700	3520	chrome.exe	86
PID 3520 wrote to memory of 4700	3520	chrome.exe	86
PID 3520 wrote to memory of 4700	3520	chrome.exe	86
PID 3520 wrote to memory of 4700	3520	chrome.exe	86
PID 3520 wrote to memory of 4700	3520	chrome.exe	86
PID 3520 wrote to memory of 4700	3520	chrome.exe	86
PID 3520 wrote to memory of 4700	3520	chrome.exe	86
PID 3520 wrote to memory of 4700	3520	chrome.exe	86
PID 3520 wrote to memory of 4700	3520	chrome.exe	86
PID 3520 wrote to memory of 4700	3520	chrome.exe	86
PID 3520 wrote to memory of 4700	3520	chrome.exe	86
PID 3520 wrote to memory of 4700	3520	chrome.exe	86
PID 3520 wrote to memory of 4700	3520	chrome.exe	86
PID 3520 wrote to memory of 4700	3520	chrome.exe	86
PID 3520 wrote to memory of 4700	3520	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://5.42.65.64
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaafeeab58,0x7ffaafeeab68,0x7ffaafeeab78
  2⤵
  PID:4008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1892,i,2946164820390968580,9733999737268224373,131072 /prefetch:2
  2⤵
  PID:1480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1892,i,2946164820390968580,9733999737268224373,131072 /prefetch:8
  2⤵
  PID:4424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2248 --field-trial-handle=1892,i,2946164820390968580,9733999737268224373,131072 /prefetch:8
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2844 --field-trial-handle=1892,i,2946164820390968580,9733999737268224373,131072 /prefetch:1
  2⤵
  PID:3208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2848 --field-trial-handle=1892,i,2946164820390968580,9733999737268224373,131072 /prefetch:1
  2⤵
  PID:3760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4444 --field-trial-handle=1892,i,2946164820390968580,9733999737268224373,131072 /prefetch:8
  2⤵
  PID:2252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 --field-trial-handle=1892,i,2946164820390968580,9733999737268224373,131072 /prefetch:8
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1892,i,2946164820390968580,9733999737268224373,131072 /prefetch:8
  2⤵
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 --field-trial-handle=1892,i,2946164820390968580,9733999737268224373,131072 /prefetch:8
  2⤵
  PID:2512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 --field-trial-handle=1892,i,2946164820390968580,9733999737268224373,131072 /prefetch:8
  2⤵
  PID:5100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2700 --field-trial-handle=1892,i,2946164820390968580,9733999737268224373,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 --field-trial-handle=1892,i,2946164820390968580,9733999737268224373,131072 /prefetch:8
  2⤵
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3904 --field-trial-handle=1892,i,2946164820390968580,9733999737268224373,131072 /prefetch:8
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1548 --field-trial-handle=1892,i,2946164820390968580,9733999737268224373,131072 /prefetch:8
  2⤵
  PID:3212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 --field-trial-handle=1892,i,2946164820390968580,9733999737268224373,131072 /prefetch:8
  2⤵
  PID:1548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2664 --field-trial-handle=1892,i,2946164820390968580,9733999737268224373,131072 /prefetch:8
  2⤵
  PID:1104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2672 --field-trial-handle=1892,i,2946164820390968580,9733999737268224373,131072 /prefetch:8
  2⤵
  PID:232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1128 --field-trial-handle=1892,i,2946164820390968580,9733999737268224373,131072 /prefetch:8
  2⤵
  PID:4316
- C:\Users\Admin\Downloads\inte.exe
  "C:\Users\Admin\Downloads\inte.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 740
    3⤵
    - Program crash
    PID:880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 784
    3⤵
    - Program crash
    PID:3808
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 804
    3⤵
    - Program crash
    PID:3160
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 832
    3⤵
    - Program crash
    PID:4896
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 904
    3⤵
    - Program crash
    PID:2392
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 980
    3⤵
    - Program crash
    PID:1488
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 1020
    3⤵
    - Program crash
    PID:1076
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 1348
    3⤵
    - Program crash
    PID:1452
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "inte.exe" /f & erase "C:\Users\Admin\Downloads\inte.exe" & exit
    3⤵
    PID:3552
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "inte.exe" /f
      4⤵
      Kills process with taskkill
      PID:224
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 1376
    3⤵
    - Program crash
    PID:4652

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1604

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2396

C:\Users\Admin\Downloads\2ONE.exe
"C:\Users\Admin\Downloads\2ONE.exe"
1⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3604

C:\Users\Admin\Downloads\2ONE.exe
"C:\Users\Admin\Downloads\2ONE.exe"
1⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3544

C:\Users\Admin\Downloads\EU.exe
"C:\Users\Admin\Downloads\EU.exe"
1⤵
- Executes dropped EXE
PID:1436
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1220
  2⤵
  - Program crash
  PID:460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1436 -ip 1436
1⤵
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1564 -ip 1564
1⤵
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1564 -ip 1564
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1564 -ip 1564
1⤵
PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1564 -ip 1564
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1564 -ip 1564
1⤵
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1564 -ip 1564
1⤵
PID:1000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1564 -ip 1564
1⤵
PID:1360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1564 -ip 1564
1⤵
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1564 -ip 1564
1⤵
PID:3560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
864B

MD5
d0c8b023ca4ff3f8a543b38b1dd637e3

SHA1
d57fbbc46c43427e995ec264da8a587b115eda49

SHA256
88fa97a63c359bf9207eb2959008f5fcf3299674614e4795e7715eca50842038

SHA512
d11d6a78acdc897b8dd04daf90752f42f828f3a5982a294449e85daf4e1579ddee70c43009b49d96fee440faf7740c1910e9a12d4d21fd934d2d955abdc53689

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
0c40e0601411e2257c340229f02f84ef

SHA1
7a7a34ef90a3339c8ffc171c4ea3c552890044cb

SHA256
674ba45940bde668df8365c9dd3c0c70b68cbc5b94c9bb743b19cdd42c8ec9ec

SHA512
949f5109a8221689327976b7f99ad94e102b8f7113ecd2fe0be2e7295cddd2e954b170515ab97f151d4c13d240fe2c0dac8d879d240163b99d2f88a4ba6044da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
182dbe781442655a9f0462925b7e8461

SHA1
5181c921c5dc72b6b1f73dc133ac6f102a440239

SHA256
67aa4435ea76526936ba1a7d4fa664781005aa97781c417bae51836e6bdf6b62

SHA512
6269f4853924d3d7489bc6c7e21f519016fb49279ea960e40cd1c0ab3a99cb6650ad0f8e6fc25e75f3420e63b7e691a775eb4eb9f1f33a04ddfc8f215d0d58fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
7aa8fb9757957aa4a2ea9315773100cf

SHA1
d65472a956ec6bdd4a31b0ad27d538ab21f1cf13

SHA256
9dc2d56f5e3dfc70f4534820803d69b6860c643bc9e4f5f79c9b5c8d6abdfe90

SHA512
b803b5275d10c5083a9f8a61266b3282435334fdc376486306b443ae2a6f9af2a48437c0c4f784753cdf2f1b1d1d56d37ddf4e7e7645000753291295ed35ace7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
393ecd830f6eace3d7196701d063ae04

SHA1
4844b1be1cae131df5601fc5a77219ae92fab4e8

SHA256
f25910475a6bda2d5671d44740fd31cd1bfbbed2e32e280761b08658e4c83855

SHA512
d2a050e99770bb57fefa7d7af4fd2d8fe2940a3eb9b1f69ddd0e9361221d6cddc788db7840e03c8ff77b92525706953e33445ceb42803dc57ecd09d2a8ef9f27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
7b23b24ffe324a9d06a7e5d3d2266b51

SHA1
36ef42ed3b1c9c15ca4f7d877b782682b16eac0c

SHA256
4986ce22f1d9f3716345fe86c4362afeaeee3d1c97b64460b2f7b0192efc39c7

SHA512
743db6e3e7ed4928f7bbf2ff4fed72aedf60ca9afb7917aebde02a1699467e6d7d7b3b780d37c63a8c9598869baf7eb2178b0b9fb339cb5f553b0c4d4859329e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
af32242a6644b1b9e664c93c048cbb8d

SHA1
8c979cf7c29acba596fcb0612f06d9a0c77d89c9

SHA256
12ad125520a5bc895806697648169feafdba24ed0326e487c5ff62f965aa6e97

SHA512
8534e384d09c23f99e375d27a650d8383ddb880d983284f89f06e1190c1fcc88a52ff54a66bc14eedd75652002eb83f1edb77a802737ba07d58d71ccd44d9697

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
3914c459eac14dfcea5d8a0ff54365de

SHA1
8b54295f25222add1f03b723b083283b9a39aaa9

SHA256
db4c1ee7934166efc02a719f140e3dd47e1278243c88a47f9b848359d237adf3

SHA512
178e851eacd2636804ea4a30f6facbb46b14af7c2e8fcfea3ce3c100a53a5435bd884285276a73243adadc9c5e83f7ef339742c0ca01a7dea87fe2ffc1f1e294

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
085bbc5e1dc104d1190ebf3965a81f7d

SHA1
fc742735ed77ccb1ad94da3d35c8cb8853415533

SHA256
8bcc93a813b41feb9854a0b2c022e6f1ca9a23d38e5141794088e1d7a746b5fb

SHA512
68f01719daa04849313f440dbf8a83e8ad687460c5b2ae7db08a1e8566fc70a34fdd46d9d6be314f81573a9c84bccd152c6a7b44477cc26286c10001d959671a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
98KB

MD5
8f19293c6a3f731b5a93fd4fa29a2dc2

SHA1
898ff916a7b9a9f4714c3a09b2cde7769d643a13

SHA256
b3f0e4ceaa8bea1aad808c45d8b2f76c4bc41861e22d6c48a5f7d4289066c670

SHA512
0da1b84df087cb9426260d3bad9735aa78e04aa77950660d0ee934532c609911c9e82ae55849978e2731a5e904edaaaf8d319ec6ea5afb8e8d01c17ddb318611

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
102KB

MD5
46d4d5a818e7658ddfac65979c5f51a1

SHA1
216fe81383060ee082375ac9a057245d23def10a

SHA256
5a71908d5233a4d28fee6dbfbde4a89469e8d09ae1bf219a36a852c52b491db3

SHA512
db123790c4f033565f6e01856ebf57dc76b874c0b2afa97ae19f4df0dedc3d5c5d1debb629acf1c8b97ac5e52d128937fec916c0fad60320e0c60cf970dae442

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58314c.TMP

Filesize
88KB

MD5
958146395a9bf8456bc3621a2edd9499

SHA1
9369804f005070607ed9d93d3384788a064174b1

SHA256
ddcb9315beb3cc620589641d63afa5cf2985c30e2c234af087d9e4ff61828731

SHA512
680d5c26c17fb15289ef7cb2544275e7f89139c9b5f5b08bdd4f061713304a02680bff67272b68594d1083cc9c94f178c6cfe123274cd7c93c5147469c3dee7c

Download Submit
C:\Users\Admin\Downloads\2ONE.file.crdownload

Filesize
845KB

MD5
f7ea17cd71f263659d0ee0b82a95fbaf

SHA1
ccca2055f846ca2d7f9e7e25b598630ac2e4e96a

SHA256
159a43318fc1e30622f9851a58e437114a925b4bf734340879dc59387a11debd

SHA512
fb956b7a3fb29c5119f34cfc0d1eea9ddf8e124a90ad0a7c2cfb3b0c2366308ee927e62dda534230bc1f3c91ee41cf7833573ca0969662b3295a552a6eee1735

Download Submit
C:\Users\Admin\Downloads\EU.file.crdownload

Filesize
326KB

MD5
84d89662f4329f2fa4a36cfd32974eef

SHA1
4d77d1cca85f808c1746d961ef47d99f7c971908

SHA256
00ca90e01fedb9c290e30a733e1dd9a7642f57bbdde830c7a5be114f731e3382

SHA512
5a280aaf0ca67647723b6368a956029c8fb951fa2faa00daf6ec2e6e5e0a2e188f8f55bd97a2fb56ebbf3faa349d98f1b2932ab9a097ecaf084c3b8adf8e593a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 691073.crdownload

Filesize
220KB

MD5
cd0fd465ea4fd58cf58413dda8114989

SHA1
2ae37c14fa393dcbd68a57a49e3eecacf5be0b50

SHA256
a5f4270eed2a341acb58267cfaca48cfd25d5d5921b6f4d7e856ef4b5fd85dbe

SHA512
b05f3e05762a86aa672d3f4bed9dde6be4e9c946c02d18f470ee2542a1d5da1fa5eb4e6a33bffa8ba39e754e34cb53aa1accca8107aae218001c1a1110af371f

Download Submit
memory/1436-198-0x0000000000400000-0x00000000007A8000-memory.dmp

Filesize
3.7MB

Download
memory/1564-236-0x0000000000400000-0x0000000001F82000-memory.dmp

Filesize
27.5MB

Download