9850e6e9809528ccbf2138df0a7fbdf854c331e807216423079640a25424e0dd

Analysis

max time kernel
106s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 20:25

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

.html
Size

1KB
MD5

d5bff93133777a7c593456760a07da9f
SHA1

9d7a3d892828e0147ed40215bebf980e0b803b45
SHA256

9850e6e9809528ccbf2138df0a7fbdf854c331e807216423079640a25424e0dd
SHA512

5aeee735f49bdb6470098d82b5e14c3afba34e7be6518385b6c57782d7611e2d701a2b293bea1aa3ff922d45772e47228fb782002f9d3a1c3d23a9302c0d2c64

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6084e96f1b06db01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd30000000002000000000010660000000100002000000000e736be671939e4fe7f99d03e183ad39f57e1dcc836ad5e8623ffa5ad3e14cf000000000e80000000020000200000007ccac01c3d0e2afd4c8f97f821c9db4a188c0e1fad05eba3f04262c53e2cef8020000000a610e4a3b2c847ed7fd2f63c2b5492f7a14a332fbbf10b548bc77a4ce3c7de0f4000000008b43686e4d041d1bb475dab14a4d4d4b92589a739e3fafad49ac302fcc597da5860337e854d395917f45e6f708036f6b23c510fe79934e21438b7d3d6277fe9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9B578701-720E-11EF-AA3C-F2BBDB1F0DCB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432421120"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd30000000002000000000010660000000100002000000005f63e56e75266c29ed1dd38979076926059914ab8cd01d7b95e2274a78ce11b000000000e8000000002000020000000d9eabae3956502b0ecaf418a6b713306557cd89330968f7b86c4eacb0405753a90000000d5072581d39c70f7670f0614d22305dfd186d862ae076d8cb3ddd0c51fb59b62008eea4050ca5aed600690f4d6c1e547b14e14e8538ded917e61c1f1796d3b8f4a9b4883d8adbe49820221856f92103854892d240732c46cd57a5a6742cf3389be68c2fe2def3421774e6884253e5c864a4b0b01f0225ee369d90b318f895e3a96912a77f07610f95d60501e1fe75e08400000005bce9e28132bace0486b693130b4e2ba3859ff930620b5468205f5a375a107e1479a14d11fa322e11bfb518dc4c01b34d1444a0b6871b5049b4aa7b2a383501c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3036	chrome.exe
3036	chrome.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
2248	iexplore.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2248	iexplore.exe
2248	iexplore.exe
2312	IEXPLORE.EXE
2312	IEXPLORE.EXE
2312	IEXPLORE.EXE
2312	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2312	2248	iexplore.exe	31
PID 2248 wrote to memory of 2312	2248	iexplore.exe	31
PID 2248 wrote to memory of 2312	2248	iexplore.exe	31
PID 2248 wrote to memory of 2312	2248	iexplore.exe	31
PID 3036 wrote to memory of 1540	3036	chrome.exe	34
PID 3036 wrote to memory of 1540	3036	chrome.exe	34
PID 3036 wrote to memory of 1540	3036	chrome.exe	34
PID 3036 wrote to memory of 2600	3036	chrome.exe	36
PID 3036 wrote to memory of 2600	3036	chrome.exe	36
PID 3036 wrote to memory of 2600	3036	chrome.exe	36
PID 3036 wrote to memory of 2600	3036	chrome.exe	36
PID 3036 wrote to memory of 2600	3036	chrome.exe	36
PID 3036 wrote to memory of 2600	3036	chrome.exe	36
PID 3036 wrote to memory of 2600	3036	chrome.exe	36
PID 3036 wrote to memory of 2600	3036	chrome.exe	36
PID 3036 wrote to memory of 2600	3036	chrome.exe	36
PID 3036 wrote to memory of 2600	3036	chrome.exe	36
PID 3036 wrote to memory of 2600	3036	chrome.exe	36
PID 3036 wrote to memory of 2600	3036	chrome.exe	36
PID 3036 wrote to memory of 2600	3036	chrome.exe	36
PID 3036 wrote to memory of 2600	3036	chrome.exe	36
PID 3036 wrote to memory of 2600	3036	chrome.exe	36
PID 3036 wrote to memory of 2600	3036	chrome.exe	36
PID 3036 wrote to memory of 2600	3036	chrome.exe	36
PID 3036 wrote to memory of 2600	3036	chrome.exe	36
PID 3036 wrote to memory of 2600	3036	chrome.exe	36
PID 3036 wrote to memory of 2600	3036	chrome.exe	36
PID 3036 wrote to memory of 2600	3036	chrome.exe	36
PID 3036 wrote to memory of 2600	3036	chrome.exe	36
PID 3036 wrote to memory of 2600	3036	chrome.exe	36
PID 3036 wrote to memory of 2600	3036	chrome.exe	36
PID 3036 wrote to memory of 2600	3036	chrome.exe	36
PID 3036 wrote to memory of 2600	3036	chrome.exe	36
PID 3036 wrote to memory of 2600	3036	chrome.exe	36
PID 3036 wrote to memory of 2600	3036	chrome.exe	36
PID 3036 wrote to memory of 2600	3036	chrome.exe	36
PID 3036 wrote to memory of 2600	3036	chrome.exe	36
PID 3036 wrote to memory of 2600	3036	chrome.exe	36
PID 3036 wrote to memory of 2600	3036	chrome.exe	36
PID 3036 wrote to memory of 2600	3036	chrome.exe	36
PID 3036 wrote to memory of 2600	3036	chrome.exe	36
PID 3036 wrote to memory of 2600	3036	chrome.exe	36
PID 3036 wrote to memory of 2600	3036	chrome.exe	36
PID 3036 wrote to memory of 2600	3036	chrome.exe	36
PID 3036 wrote to memory of 2600	3036	chrome.exe	36
PID 3036 wrote to memory of 2600	3036	chrome.exe	36
PID 3036 wrote to memory of 2696	3036	chrome.exe	37
PID 3036 wrote to memory of 2696	3036	chrome.exe	37
PID 3036 wrote to memory of 2696	3036	chrome.exe	37
PID 3036 wrote to memory of 2556	3036	chrome.exe	38
PID 3036 wrote to memory of 2556	3036	chrome.exe	38
PID 3036 wrote to memory of 2556	3036	chrome.exe	38
PID 3036 wrote to memory of 2556	3036	chrome.exe	38
PID 3036 wrote to memory of 2556	3036	chrome.exe	38
PID 3036 wrote to memory of 2556	3036	chrome.exe	38
PID 3036 wrote to memory of 2556	3036	chrome.exe	38
PID 3036 wrote to memory of 2556	3036	chrome.exe	38
PID 3036 wrote to memory of 2556	3036	chrome.exe	38
PID 3036 wrote to memory of 2556	3036	chrome.exe	38
PID 3036 wrote to memory of 2556	3036	chrome.exe	38
PID 3036 wrote to memory of 2556	3036	chrome.exe	38
PID 3036 wrote to memory of 2556	3036	chrome.exe	38
PID 3036 wrote to memory of 2556	3036	chrome.exe	38
PID 3036 wrote to memory of 2556	3036	chrome.exe	38

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2248 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6ce9758,0x7fef6ce9768,0x7fef6ce9778
  2⤵
  PID:1540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1088 --field-trial-handle=1368,i,3914336059044028827,7653938220289484203,131072 /prefetch:2
  2⤵
  PID:2600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1368,i,3914336059044028827,7653938220289484203,131072 /prefetch:8
  2⤵
  PID:2696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1368,i,3914336059044028827,7653938220289484203,131072 /prefetch:8
  2⤵
  PID:2556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2292 --field-trial-handle=1368,i,3914336059044028827,7653938220289484203,131072 /prefetch:1
  2⤵
  PID:1796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2304 --field-trial-handle=1368,i,3914336059044028827,7653938220289484203,131072 /prefetch:1
  2⤵
  PID:2360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1464 --field-trial-handle=1368,i,3914336059044028827,7653938220289484203,131072 /prefetch:2
  2⤵
  PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2220 --field-trial-handle=1368,i,3914336059044028827,7653938220289484203,131072 /prefetch:1
  2⤵
  PID:2176

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2548

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\OobeFldr.dll,ShowWelcomeCenter LaunchedBy_StartMenuShortcut
1⤵
PID:1600

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1712

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1332

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3e8
1⤵
PID:2612

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad25912c7c11be2b329c40f3214a7b3e

SHA1
32ffed498564c91d15b383334f41d356c351b51a

SHA256
acaebc1505eae2b77be62d1ca01af713b635a1bea838a644d079b0289260e8b4

SHA512
a0cc5da0ed63753e87a8cf8ef3f2805870a26d4912f68d48a8f71654f4df888057870950106ddd109f3e28c7e5fb09f8689b7d689f44afefd9c67626f878cbb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ef66484598176de781e338054cd3e4d

SHA1
1019bb249fc31472a6fb6b78be8c2624a0d59c74

SHA256
812a3ddda03d03d51191502ee99ebc5ca73f207e9f330f029d66d26ce7df15f2

SHA512
23624937d5dc7f0ab888af669875f5dae2d1b461861a271e01f773d90fde412580626b029c852b5ac4ba93fef5ccf6b2afe0da7b797c86e7613a2e7fde285f1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
03995b2c08fffd1cf5f64c4315200fe8

SHA1
d4917c4a9a2255209c34774904c4834d15f03289

SHA256
5402c69eadc606f8d672c5842c411f1890256c35535b9b78bb29ecb131a50de6

SHA512
0872498401019249f16983d75c23119f07a4c473a9c6b97776aa63705fb8d5bcc8c99e7388e67a384d5e6db0e02282d5a695c0a7bea2a86940f1b74e2b006ad0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f88d2ac8f73869a91cfae6172a2e7942

SHA1
92d94a691937908ec5fefaf87e2f290eecde8d92

SHA256
799ce50ef7ed9755416d6b29f76133f970fac23ee72812a95f5a4da5d5ec6923

SHA512
94e22292df037812cacbefa37a6953731f9f355db18ecffbaabc74830c8e465b6751d4a64517e5fd383d1830215e7466b81b9ed1b318bb727c40dcb64288b0b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a1af849ddb98dabdcb56b57f2247a66

SHA1
8dc51ecd6a0e455c606012f8df3177b03c77b986

SHA256
e0d916e09f4fe14a8d5aa0145a3914189f54f52ca8043ed66bf9bf333cc9cfd9

SHA512
86a36e142f8e30eee6e521807e3b7693d69ec05fbb5e32e82b0fcedd79148bbdd9469fce5854fa6681588ef7eaadca383bbc7af17152a1f9d75cbaeb8240fbe6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa767ecfa906a38cb91bdc4821817a3d

SHA1
b88802362577a7df8c98763f838ae00b83fd9268

SHA256
d45ab4bddead0abde86f3ccdc41986e35bd0ca6c8b079b1acccf62044f18c6fb

SHA512
833127e59f4f86648427d6c111ebead6c7c5ea02a90ce8ccc10e20194ac57e806a104dedaadf971ab664fe6b962b00e0144235fb33c027a11be708ee2e4708df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eebda8f51d4e6b5c9f69d278416769d1

SHA1
ec449ee637c4920a29bc5b66d7b0b5a09ef842a5

SHA256
a3da90b7b88f31b287ed71ede91c5a22b58d557caf4efc713bd2c82e6b62d5cd

SHA512
b0d950ce71af953859fe62f326340d9174402c813836f64161796a5767d8159d43fe35731973f3feac5e56c802be23a61b84eefecf2c997580c5c3d481a30166

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8afce8f1b8990835a48c37d3bec87fe8

SHA1
635eb5bebecb13284c5142dfcd878ae594f4dd47

SHA256
b36de3e70b1b2e9c8a92788e889bd1f9d4634bd50b66d5c1faa21496762cfed4

SHA512
51792c28dc558ae890c440f08e8e51a0784c0f994860b95da22fb3562c9dddc782fb564df20d7a1343a37041057353fdd052d04945702a8bb5eea1d54bad151d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66a4a9545c24776eee27a475b8a9a322

SHA1
d29af21cc9f8acb8d789dd73d67aed03430d536a

SHA256
9e0ad6d071c137269b624976f77b0ad27accad7145a7289b4a6917e931f7c298

SHA512
23117f0f5122c3b51f45d6721fb3bc8117660f5c3e23b1ed0b7f2e7c29e6404110de1df21370d6588f447aaf52bb1a58b5270a9935fbd31f3856b61be003db38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
42f694c4ca8f2a3a76c160e8ef3eea09

SHA1
57d50f9f0ac8d4a6f5b4d7beb02d437a1269b81b

SHA256
0178140c8e9a6034b7f54b59fcc6a0a2581ab0fb84aec095527639b22cae1c1e

SHA512
2f83524d0817d1d488937874ee75eb3fe8c12eb15e6c4a5d56c2fd566a5a5b4cf7d8d7d6fc02dd8e8dc160a929ab8408b249f5f067f43ba8bf7b26c336337192

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
338KB

MD5
4a37d78f290b02587622e1bd67b9d5e5

SHA1
13e97f7acb3eb2602a3d079b55eb07c92b44fcd3

SHA256
79b19b8f0e1bf5350ec0ba5a6cd06399374e23b054404c1a56724df695007783

SHA512
da7cc5bb9a5ea4031abce1e4fff3f4cffb9a550db10ba5da7438649a961769516aa603bfcdd2a3dc876ea3178f71f79da74fe3fcd0a3123a099fb93289f3cb7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCA1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCC3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit