hxxps://malshare[.]com/sampleshare[.]php?action=getfile&hash=b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22

Analysis

max time kernel
26s
max time network
30s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://malshare.com/sampleshare.php?action=getfile&hash=b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sdiagnhost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002f8e41e3384fa749ac47329e409d990900000000020000000000106600000001000020000000167a9e7b2c11e5329d0c45d024f6b6960534757bda6b5e285fd9d1e60a3e5199000000000e80000000020000200000000f8992c2240734737c43aedf703dcdf53147926abfea494641db548babff23b520000000cb62e6a58d01df371188d025b902f5f3ac45cef4723bf30fbc4ceda0b250da60400000009bc56b7773d2594fcc62d18ac4b06af05f767b5774d98dcfc6154cb039a6d58450fdc032cabdb204a30dd886fdb27e68c7f2f101f794cf689273deac81679c85	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{10086101-5F36-11EF-A6D9-6ED7993C8D5B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002f8e41e3384fa749ac47329e409d990900000000020000000000106600000001000020000000d9f6787117d695c0357ebf8c637a63532d7a13e874ff5f77ed14684bfde567e1000000000e80000000020000200000004196c07c20d9269dcec3e17d18d932723c332c7ccbddeb100871a016fcf202019000000084e0e1d516a6e88c74cfda5fa29cd5d40f75a72909f97182cc88989546a310ebc7df1edd2bc35ae84cac9d354a2f4b02a76692ca6498b12f68fb02627106ab1eaf08b41432ac9ed33a538606d14ea55d0bb49c33eea41ebdc2854720db7311c4622430fd17230e75eff538db415dfab911b8d1fd003c01b79284c7f2a6c6940b4971d49e55ff8c9058cc7d511b88d1c64000000088412a7fe1ccf4f0bfd4584e473295db4e5e02e1d79e77c1346979fdcd72414d47097b22b9c43694b0397219936235daf805d324a3d611dc481da8e1c5815d49	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d044ffd842f3da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2708	chrome.exe
2708	chrome.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
1220	iexplore.exe
2636	msdt.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1220	iexplore.exe
1220	iexplore.exe
2436	IEXPLORE.EXE
2436	IEXPLORE.EXE
2436	IEXPLORE.EXE
2436	IEXPLORE.EXE
1220	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 2436	1220	iexplore.exe	30
PID 1220 wrote to memory of 2436	1220	iexplore.exe	30
PID 1220 wrote to memory of 2436	1220	iexplore.exe	30
PID 1220 wrote to memory of 2436	1220	iexplore.exe	30
PID 2436 wrote to memory of 2636	2436	IEXPLORE.EXE	33
PID 2436 wrote to memory of 2636	2436	IEXPLORE.EXE	33
PID 2436 wrote to memory of 2636	2436	IEXPLORE.EXE	33
PID 2436 wrote to memory of 2636	2436	IEXPLORE.EXE	33
PID 2708 wrote to memory of 2760	2708	chrome.exe	38
PID 2708 wrote to memory of 2760	2708	chrome.exe	38
PID 2708 wrote to memory of 2760	2708	chrome.exe	38
PID 2708 wrote to memory of 1944	2708	chrome.exe	39
PID 2708 wrote to memory of 1944	2708	chrome.exe	39
PID 2708 wrote to memory of 1944	2708	chrome.exe	39
PID 2708 wrote to memory of 1944	2708	chrome.exe	39
PID 2708 wrote to memory of 1944	2708	chrome.exe	39
PID 2708 wrote to memory of 1944	2708	chrome.exe	39
PID 2708 wrote to memory of 1944	2708	chrome.exe	39
PID 2708 wrote to memory of 1944	2708	chrome.exe	39
PID 2708 wrote to memory of 1944	2708	chrome.exe	39
PID 2708 wrote to memory of 1944	2708	chrome.exe	39
PID 2708 wrote to memory of 1944	2708	chrome.exe	39
PID 2708 wrote to memory of 1944	2708	chrome.exe	39
PID 2708 wrote to memory of 1944	2708	chrome.exe	39
PID 2708 wrote to memory of 1944	2708	chrome.exe	39
PID 2708 wrote to memory of 1944	2708	chrome.exe	39
PID 2708 wrote to memory of 1944	2708	chrome.exe	39
PID 2708 wrote to memory of 1944	2708	chrome.exe	39
PID 2708 wrote to memory of 1944	2708	chrome.exe	39
PID 2708 wrote to memory of 1944	2708	chrome.exe	39
PID 2708 wrote to memory of 1944	2708	chrome.exe	39
PID 2708 wrote to memory of 1944	2708	chrome.exe	39
PID 2708 wrote to memory of 1944	2708	chrome.exe	39
PID 2708 wrote to memory of 1944	2708	chrome.exe	39
PID 2708 wrote to memory of 1944	2708	chrome.exe	39
PID 2708 wrote to memory of 1944	2708	chrome.exe	39
PID 2708 wrote to memory of 1944	2708	chrome.exe	39
PID 2708 wrote to memory of 1944	2708	chrome.exe	39
PID 2708 wrote to memory of 1944	2708	chrome.exe	39
PID 2708 wrote to memory of 1944	2708	chrome.exe	39
PID 2708 wrote to memory of 1944	2708	chrome.exe	39
PID 2708 wrote to memory of 1944	2708	chrome.exe	39
PID 2708 wrote to memory of 1944	2708	chrome.exe	39
PID 2708 wrote to memory of 1944	2708	chrome.exe	39
PID 2708 wrote to memory of 1944	2708	chrome.exe	39
PID 2708 wrote to memory of 1944	2708	chrome.exe	39
PID 2708 wrote to memory of 1944	2708	chrome.exe	39
PID 2708 wrote to memory of 1944	2708	chrome.exe	39
PID 2708 wrote to memory of 1944	2708	chrome.exe	39
PID 2708 wrote to memory of 1944	2708	chrome.exe	39
PID 2708 wrote to memory of 1044	2708	chrome.exe	40
PID 2708 wrote to memory of 1044	2708	chrome.exe	40
PID 2708 wrote to memory of 1044	2708	chrome.exe	40
PID 2708 wrote to memory of 1108	2708	chrome.exe	41
PID 2708 wrote to memory of 1108	2708	chrome.exe	41
PID 2708 wrote to memory of 1108	2708	chrome.exe	41
PID 2708 wrote to memory of 1108	2708	chrome.exe	41
PID 2708 wrote to memory of 1108	2708	chrome.exe	41
PID 2708 wrote to memory of 1108	2708	chrome.exe	41
PID 2708 wrote to memory of 1108	2708	chrome.exe	41
PID 2708 wrote to memory of 1108	2708	chrome.exe	41
PID 2708 wrote to memory of 1108	2708	chrome.exe	41
PID 2708 wrote to memory of 1108	2708	chrome.exe	41
PID 2708 wrote to memory of 1108	2708	chrome.exe	41

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://malshare.com/sampleshare.php?action=getfile&hash=b1f2068201c29f3b00aeedc0911498043d7c204a860ca16b3fef47fc19fc2b22
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1220 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\msdt.exe
    -modal 393562 -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\Admin\AppData\Local\Temp\NDFE994.tmp -ep NetworkDiagnosticsWeb
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:2636

C:\Windows\SysWOW64\sdiagnhost.exe
C:\Windows\SysWOW64\sdiagnhost.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:2552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6ab9758,0x7fef6ab9768,0x7fef6ab9778
  2⤵
  PID:2760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1264,i,16299528322505298048,14196313912749943818,131072 /prefetch:2
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1484 --field-trial-handle=1264,i,16299528322505298048,14196313912749943818,131072 /prefetch:8
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1580 --field-trial-handle=1264,i,16299528322505298048,14196313912749943818,131072 /prefetch:8
  2⤵
  PID:1108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2176 --field-trial-handle=1264,i,16299528322505298048,14196313912749943818,131072 /prefetch:1
  2⤵
  PID:1704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2188 --field-trial-handle=1264,i,16299528322505298048,14196313912749943818,131072 /prefetch:1
  2⤵
  PID:1832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1364 --field-trial-handle=1264,i,16299528322505298048,14196313912749943818,131072 /prefetch:2
  2⤵
  PID:1004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1412 --field-trial-handle=1264,i,16299528322505298048,14196313912749943818,131072 /prefetch:1
  2⤵
  PID:2428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3596 --field-trial-handle=1264,i,16299528322505298048,14196313912749943818,131072 /prefetch:8
  2⤵
  PID:2936
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:1524
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13f7d7688,0x13f7d7698,0x13f7d76a8
    3⤵
    PID:2440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3788 --field-trial-handle=1264,i,16299528322505298048,14196313912749943818,131072 /prefetch:1
  2⤵
  PID:1868

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ccb777c95e4664679157aabcddb90a5a

SHA1
3d0a1fa0593192014b4d008fc3bef8543f332369

SHA256
7bcb51465b6685a92332447ceea0805ec8ce28a5881cee7ff02e00d94a6d6c92

SHA512
4c30c554e3299006065e0e22f4e252ff6087e81a145a72981939b695bbd96eb6d5c7cd184cfd14be6b69191a585c0ee42fc707c1839adef1aee0998063245f58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e2ce71721f143cbf852bcb79efa5661

SHA1
06a1a72ccecf31144cf1cccbfa7a98ba6e18d2c5

SHA256
f120aa3500f5946f217c849278f3eeab13295e828fc3068a373a07eafd37b950

SHA512
c40a70676970edd09607abd0b1c08a8ff6dc4b4d0e611e6912d1fcb4677cc1ff96313615ad9e1652c1a950f48d9a7f5a66ee1801e7bcc779918e96f13b65f6dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ea98927024744e29b10c3c4515c5de9

SHA1
b9fe4ba3e9c53937effc8999b7724173d2e21c6f

SHA256
f043efae684317c74f1ed4ad21e82f5943ba5c13313a97b6780e3c15feb4b80b

SHA512
57d656e39d139bafb76b8747937e22a29375b47ac4720c0fef3b75278860c6f5d854fbd607e191f2d9c5c207d6ffd73e1cf5d53c42a91fbf6c6e5087b16af292

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d967bc00efb73ecbbb160319c50dd096

SHA1
c3c0f9c347bda4a61739e4909b37f04ce39fd4af

SHA256
f5818003c3aea19c8427b1e11e9b14925c54331b1c5610ba79e56648210cdc24

SHA512
7646f188d91ff1e87b422b2ce06eda3ec1edf6f18ccdc185d5aa312adfce81410185c794a28fb4c3c189d146b24c2f532bde8287dc1c05b59f376dc1efa2c33b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a97f553ca4878c281fa3a11c73a3a28

SHA1
438a32ed5513645db8b0988791125649eb790d78

SHA256
7f69f301a6edb761f6475947d155a7de9f574d51df58ad0f74edef19b3ca734e

SHA512
63f68951c1fa6cc25a6d75e04f1c17565461743c1b26e3d36d661f497be3499916d6f650eda049c0b0609a93e496a0b6c25ecf6a76e1b10f41c944233cfd5764

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
034f3baeb4a30459d90171cba91f01c5

SHA1
455228089e5439b4f3debd376a99f20608638251

SHA256
f47c7b9875a3acd0f2255fdb6813806765ab2c2653f0adec192b1d447a2f6f02

SHA512
0d421e324813d0db29449be9c9e4f770ce1a7fdfcf8fa2eeef795963681b6ff684f9f956001e42470ff5c60b396025941f3c8d886f9c782a225b652a9de8f612

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b9d1ddfac4afe3750d3670927813718

SHA1
3ef74b05cb61c45b0cc279da682378c7a94aae65

SHA256
d1646d94e59c0195338b2cced7bf14ae842dc8e4c38b360a0f998583c4ec0d29

SHA512
3fb96d18698adc8c8b857b83347f4b002821ed8be34c05675c5b8a849d2fef45ceb630f95b6ff7e40b0f65aa1b4c039c4a2770fc7d7120c3dcb9e3891640e819

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2fefcafc0964078a42aea7882263e28d

SHA1
6364c67c80e18e5dd23f7a009a77f27b50d3b03c

SHA256
b78409312eca45a98b84e8cd079a13376b346e1094ab8afa12e263f0d96aa0ea

SHA512
3cebef51f332bf5e9d0edc2d5c6efb30ee135d2e4a04f3b04b9ca32aeaec6c8b072baf3ef3ffa939f1e153ff02b792ee9fcc41dbc997f74d3414fa2361499d9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c216ecd7559a0fe52e57338b3c58a51

SHA1
49fcf259511cdddeb5569af6c665ee87498629be

SHA256
578d9607d5bc883c47a5c9311a43528312ebd87dad73c8e642c348a1ea1897ee

SHA512
c6cdb50e3e832e6b6e5bebf12e4a22627dd8b2de1ae2634a4fc78c38da56145e03129ea4155fa90e0ac5bde02f1e1b2fcca9d6b07473ea348e05726294ef71a3

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024082020.000\NetworkDiagnostics.0.debugreport.xml

Filesize
65KB

MD5
d102932c1664c93e78f60d1f93295c46

SHA1
3eb994c38c85fe811560383c611e5e567d297338

SHA256
51dd270537c47cb9166f48d9cfe261bb539b0781250fb63d5dbc50f07331d885

SHA512
b0949e4d33832697a5d0887fdfb460b2fdfeba94966da87e865d322437472f9b7485b1cabc8699742758660540669d8f95ceaf8e86d591d0ae6c76a264d2cef3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
824d7f51727815847e9d370bdec304b9

SHA1
af9766aa4fe0c6185fafdfcf33f4a5b7194c68cd

SHA256
e3c354a8cbc37b4ab0bb594c49da2fec568484fbba545f750b70bc18566840ed

SHA512
92a42a523359a93bd9899df0e8f93328c69a6086daa1b4f88b69ac5409bd5cc67d8982bc056289089850551a0e7434a75bd1a192a965f12354cdc64ecc4c0d00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEF31.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDFE994.tmp

Filesize
3KB

MD5
486d77cd83dd7863be0ecf2afb327b9a

SHA1
d3d9f629a7a74c7c4a657fb2622944e4bd777a07

SHA256
c2dc91fcb6086184eaee44a8e35d030223403dd444fbd777c49506f2e5466323

SHA512
89f3e95758a52cae6abc28bbad4eba017c4e1f27da194f0bc60b1cf0f469342f5f0285e40fd961f638b7cf086a9fb4f003f7ec87de0824f8e52c93bc7f833e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEFA2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\TEMP\SDIAG_36695ebd-c8fb-4afa-aeab-36041a1b2925\NetworkDiagnosticsTroubleshoot.ps1

Filesize
23KB

MD5
1d192ce36953dbb7dc7ee0d04c57ad8d

SHA1
7008e759cb47bf74a4ea4cd911de158ef00ace84

SHA256
935a231924ae5d4a017b0c99d4a5f3904ef280cea4b3f727d365283e26e8a756

SHA512
e864ac74e9425a6c7f1be2bbc87df9423408e16429cb61fa1de8875356226293aa07558b2fafdd5d0597254474204f5ba181f4e96c2bc754f1f414748f80a129

Download Submit
C:\Windows\TEMP\SDIAG_36695ebd-c8fb-4afa-aeab-36041a1b2925\UtilityFunctions.ps1

Filesize
52KB

MD5
2f7c3db0c268cf1cf506fe6e8aecb8a0

SHA1
fb35af6b329d60b0ec92e24230eafc8e12b0a9f9

SHA256
886a625f71e0c35e5722423ed3aa0f5bff8d120356578ab81a64de2ab73d47f3

SHA512
322f2b1404a59ee86c492b58d56b8a6ed6ebc9b844a8c38b7bb0b0675234a3d5cfc9f1d08c38c218070e60ce949aa5322de7a2f87f952e8e653d0ca34ff0de45

Download Submit
C:\Windows\TEMP\SDIAG_36695ebd-c8fb-4afa-aeab-36041a1b2925\UtilitySetConstants.ps1

Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_36695ebd-c8fb-4afa-aeab-36041a1b2925\en-US\LocalizationData.psd1

Filesize
5KB

MD5
dc9be0fdf9a4e01693cfb7d8a0d49054

SHA1
74730fd9c9bd4537fd9a353fe4eafce9fcc105e6

SHA256
944186cd57d6adc23a9c28fc271ed92dd56efd6f3bb7c9826f7208ea1a1db440

SHA512
92ad96fa6b221882a481b36ff2b7114539eb65be46ee9e3139e45b72da80aac49174155483cba6254b10fff31f0119f07cbc529b1b69c45234c7bb61766aad66

Download Submit
C:\Windows\Temp\SDIAG_36695ebd-c8fb-4afa-aeab-36041a1b2925\DiagPackage.dll

Filesize
478KB

MD5
4dae3266ab0bdb38766836008bf2c408

SHA1
1748737e777752491b2a147b7e5360eda4276364

SHA256
d2ff079b3f9a577f22856d1be0217376f140fcf156e3adf27ebe6149c9fd225a

SHA512
91fb8abd1832d785cd5a20da42c5143cd87a8ef49196c06cfb57a7a8de607f39543e8a36be9207842a992769b1c3c55d557519e59063f1f263b499f01887b01b

Download Submit
C:\Windows\Temp\SDIAG_36695ebd-c8fb-4afa-aeab-36041a1b2925\en-US\DiagPackage.dll.mui

Filesize
13KB

MD5
1ccc67c44ae56a3b45cc256374e75ee1

SHA1
bbfc04c4b0220ae38fa3f3e2ea52b7370436ed1f

SHA256
030191d10ffb98cecd3f09ebdc606c768aaf566872f718303592fff06ba51367

SHA512
b67241f4ad582e50a32f0ecf53c11796aef9e5b125c4be02511e310b85bdfa3796579bbf3f0c8fe5f106a5591ec85e66d89e062b792ea38ca29cb3b03802f6c6

Download Submit
memory/2552-835-0x000000006FFC0000-0x000000007056B000-memory.dmp

Filesize
5.7MB

Download
memory/2552-361-0x000000006FFC1000-0x000000006FFC2000-memory.dmp

Filesize
4KB

Download
memory/2552-362-0x000000006FFC0000-0x000000007056B000-memory.dmp

Filesize
5.7MB

Download
memory/2552-363-0x000000006FFC0000-0x000000007056B000-memory.dmp

Filesize
5.7MB

Download
memory/2636-360-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download