hxxps://covid19[.]protected-forms[.]com/XSDJrUUx5S2tCaUw3ZTBpN0tsNXc0akJjanJ0YWlaRXNacitIa2k2Z1U5d2JQeDAxY0dTcjZ0ZXdYVTZLQzRTaldzQ3JkZDBPSTRsemFwVnJ5MVpGZXV5bjhxWnRCN1RSUXF1cUZhNm9HU2lKalZBakpwN08zUT09LS1CMWs2bFlwa0NFajhzTm8xLS00Tk5jUTBiVDczYVY2Z2JESjVlZ3Z3PT0=?cid=2196429275

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 05:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://covid19.protected-forms.com/XSDJrUUx5S2tCaUw3ZTBpN0tsNXc0akJjanJ0YWlaRXNacitIa2k2Z1U5d2JQeDAxY0dTcjZ0ZXdYVTZLQzRTaldzQ3JkZDBPSTRsemFwVnJ5MVpGZXV5bjhxWnRCN1RSUXF1cUZhNm9HU2lKalZBakpwN08zUT09LS1CMWs2bFlwa0NFajhzTm8xLS00Tk5jUTBiVDczYVY2Z2JESjVlZ3Z3PT0=?cid=2196429275

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1343711502"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31132245"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7BADA8D0-7648-11EF-9912-C63D5579F9B2} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31132245"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1348867667"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000074472bebe7af3a46942426e1e277b42a00000000020000000000106600000001000020000000e5b0ead47fa79c1400a5a0445c721cc3936f5f998f2b2f28b1ff40cea39a1667000000000e800000000200002000000081606a95e5d186cd633f7153a46eb541cd3f1758fe490d80ff14251ace36c9de200000008c7965a853e0f6696f13972c879d72439af97296936b5c9f3e1562c3b5ba45e7400000009169003af102ff303dc4d4d8a578fec8678a440d05ef738e596ea50499380990d96f4bc3c15aec2fa819b0d94e2afb680dae3cdc99efcf86a7bde2c66506efc2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1343711502"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31132245"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000074472bebe7af3a46942426e1e277b42a0000000002000000000010660000000100002000000006e97ded92d20fecbd9ee44af355fe9f7ba22371ff74a2894478c85f5768b344000000000e80000000020000200000000595b34ed0fdc6f04338d49ac469d62ae42dc342a724d6e5e045d1eeee9f19bf20000000e5465a2486195a16ef46820b268b83869ed81d8ce7887ebb59c862b183ccd3bf4000000009ba9cd6bbca7db24653c5fe4228bf58664ceedf58353c4402cf6ccd1c616253cb9066d411b8275d216e34b197015d562f7c04c4fe190af31cfe4853c8bddf86	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433488890"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30b0d350550adb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 206bd850550adb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133711975117234499"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
412	chrome.exe
412	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
412	chrome.exe
412	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe
Token: SeShutdownPrivilege	412	chrome.exe
Token: SeCreatePagefilePrivilege	412	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
1228	iexplore.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe
412	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1228	iexplore.exe
1228	iexplore.exe
2516	IEXPLORE.EXE
2516	IEXPLORE.EXE
2516	IEXPLORE.EXE
2516	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 412 wrote to memory of 548	412	chrome.exe	82
PID 412 wrote to memory of 548	412	chrome.exe	82
PID 412 wrote to memory of 2988	412	chrome.exe	83
PID 412 wrote to memory of 2988	412	chrome.exe	83
PID 412 wrote to memory of 2988	412	chrome.exe	83
PID 412 wrote to memory of 2988	412	chrome.exe	83
PID 412 wrote to memory of 2988	412	chrome.exe	83
PID 412 wrote to memory of 2988	412	chrome.exe	83
PID 412 wrote to memory of 2988	412	chrome.exe	83
PID 412 wrote to memory of 2988	412	chrome.exe	83
PID 412 wrote to memory of 2988	412	chrome.exe	83
PID 412 wrote to memory of 2988	412	chrome.exe	83
PID 412 wrote to memory of 2988	412	chrome.exe	83
PID 412 wrote to memory of 2988	412	chrome.exe	83
PID 412 wrote to memory of 2988	412	chrome.exe	83
PID 412 wrote to memory of 2988	412	chrome.exe	83
PID 412 wrote to memory of 2988	412	chrome.exe	83
PID 412 wrote to memory of 2988	412	chrome.exe	83
PID 412 wrote to memory of 2988	412	chrome.exe	83
PID 412 wrote to memory of 2988	412	chrome.exe	83
PID 412 wrote to memory of 2988	412	chrome.exe	83
PID 412 wrote to memory of 2988	412	chrome.exe	83
PID 412 wrote to memory of 2988	412	chrome.exe	83
PID 412 wrote to memory of 2988	412	chrome.exe	83
PID 412 wrote to memory of 2988	412	chrome.exe	83
PID 412 wrote to memory of 2988	412	chrome.exe	83
PID 412 wrote to memory of 2988	412	chrome.exe	83
PID 412 wrote to memory of 2988	412	chrome.exe	83
PID 412 wrote to memory of 2988	412	chrome.exe	83
PID 412 wrote to memory of 2988	412	chrome.exe	83
PID 412 wrote to memory of 2988	412	chrome.exe	83
PID 412 wrote to memory of 2988	412	chrome.exe	83
PID 412 wrote to memory of 592	412	chrome.exe	84
PID 412 wrote to memory of 592	412	chrome.exe	84
PID 412 wrote to memory of 3744	412	chrome.exe	85
PID 412 wrote to memory of 3744	412	chrome.exe	85
PID 412 wrote to memory of 3744	412	chrome.exe	85
PID 412 wrote to memory of 3744	412	chrome.exe	85
PID 412 wrote to memory of 3744	412	chrome.exe	85
PID 412 wrote to memory of 3744	412	chrome.exe	85
PID 412 wrote to memory of 3744	412	chrome.exe	85
PID 412 wrote to memory of 3744	412	chrome.exe	85
PID 412 wrote to memory of 3744	412	chrome.exe	85
PID 412 wrote to memory of 3744	412	chrome.exe	85
PID 412 wrote to memory of 3744	412	chrome.exe	85
PID 412 wrote to memory of 3744	412	chrome.exe	85
PID 412 wrote to memory of 3744	412	chrome.exe	85
PID 412 wrote to memory of 3744	412	chrome.exe	85
PID 412 wrote to memory of 3744	412	chrome.exe	85
PID 412 wrote to memory of 3744	412	chrome.exe	85
PID 412 wrote to memory of 3744	412	chrome.exe	85
PID 412 wrote to memory of 3744	412	chrome.exe	85
PID 412 wrote to memory of 3744	412	chrome.exe	85
PID 412 wrote to memory of 3744	412	chrome.exe	85
PID 412 wrote to memory of 3744	412	chrome.exe	85
PID 412 wrote to memory of 3744	412	chrome.exe	85
PID 412 wrote to memory of 3744	412	chrome.exe	85
PID 412 wrote to memory of 3744	412	chrome.exe	85
PID 412 wrote to memory of 3744	412	chrome.exe	85
PID 412 wrote to memory of 3744	412	chrome.exe	85
PID 412 wrote to memory of 3744	412	chrome.exe	85
PID 412 wrote to memory of 3744	412	chrome.exe	85
PID 412 wrote to memory of 3744	412	chrome.exe	85
PID 412 wrote to memory of 3744	412	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://covid19.protected-forms.com/XSDJrUUx5S2tCaUw3ZTBpN0tsNXc0akJjanJ0YWlaRXNacitIa2k2Z1U5d2JQeDAxY0dTcjZ0ZXdYVTZLQzRTaldzQ3JkZDBPSTRsemFwVnJ5MVpGZXV5bjhxWnRCN1RSUXF1cUZhNm9HU2lKalZBakpwN08zUT09LS1CMWs2bFlwa0NFajhzTm8xLS00Tk5jUTBiVDczYVY2Z2JESjVlZ3Z3PT0=?cid=2196429275
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9a90ecc40,0x7ff9a90ecc4c,0x7ff9a90ecc58
  2⤵
  PID:548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,18251656038554810282,13725486776525757009,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:2988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1720,i,18251656038554810282,13725486776525757009,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2136 /prefetch:3
  2⤵
  PID:592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1620,i,18251656038554810282,13725486776525757009,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2420 /prefetch:8
  2⤵
  PID:3744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,18251656038554810282,13725486776525757009,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:3420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,18251656038554810282,13725486776525757009,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4488,i,18251656038554810282,13725486776525757009,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4640 /prefetch:8
  2⤵
  PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4940,i,18251656038554810282,13725486776525757009,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4964 /prefetch:8
  2⤵
  PID:4624
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\XSDJrUUx5S2tCaUw3ZTBpN0tsNXc0akJjanJ0YWlaRXNacitIa2k2Z1U5d2JQeDAxY0dTcjZ0ZXdYVTZLQzRTaldzQ3JkZDBPSTRsemFwVnJ5MVpGZXV5bjhxWnRCN1RSUXF1cUZhNm9HU2lKalZBakpwN08zUT09LS1CMWs2bFlwa0NFajhzTm8xLS00Tk5jUTBiVDczYVY2Z2JESjVlZ.gif
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1228
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1228 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4996,i,18251656038554810282,13725486776525757009,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4672 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3332

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
33bac9325241193616461afd5a0deb0c

SHA1
e78ed72996568bc9616f4d6b20403749252b4859

SHA256
cb0b78d15b774b91ab6f6ef315a14f301b85b40122a72622818753212538f5b7

SHA512
3054cbd1551e36a747fc4c7086d3cc484530ea13d44279b4f5f92d462d91d7e3322bb240edeedd517751c00949a6264b50322464e446290726fde18ac4eb2e2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
6d1fff98b10a7db9f3938c752f166657

SHA1
fe952f96ae35d97b4889cff2054722c9b5de69d8

SHA256
f4b0147f633406ff729149643023728930b71ae8ff74dcbff39526801ca763df

SHA512
876acc41f863b4cc3d3501aad3e3e721f56fccd710b304137225f74fa3b1141828524b95f313cfd8e2c5829414cfdb58a795f257c159658793163c8b6cce3fcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
c2471ee8a0bf1d66ac7973ae208b3eed

SHA1
5e1a1ff93e9b1a1c410ab0e10e9b027555f8ac8b

SHA256
d545e592a3419172e3f231902084045155dc445e898a757df3dd1cf36ad20dbf

SHA512
12b34b5f3f70554172f86c9d53b43429284f0a317e7504e6d8d9302422a3811d50881611d246d5fef8d48c0cc6d5ac952229ea113a5e8639b4815b813c46eaea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
18c3b753a3c6698dc694fed5d930ba06

SHA1
3348c759aaf1f9e0f88bb6a8bb013a60ef688475

SHA256
d593efbe29472e9e5d4d2e332311ce7c81c95fc200485597f3c6d64e9528f50a

SHA512
ca69200bba8739626125873d3ac776642693c214c3a7512f8bd9d5dedcabef0f86d7e8b622c81697caf22b33f82c31cd4e37e33f6ac440dc68c079e5e07e7456

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
961466bfeb4d527fc4e27a338434fef7

SHA1
328e493c02885970b1c033044eec2e33bcf87536

SHA256
25cced124e70e9f0f065005cfe017ea65cc5ca9a7f848d418b3421c177d41500

SHA512
d889896216c728c97b08ff6b15cb885210b6328532ba51e0aa99533ecd7ebd80bb29f3e557458a4fd5d623a9f418ad3b99d376b9490c2fe40aefd47e9bd7e43c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
29b458880b6fac04657c6add41a239e3

SHA1
82137bc6022e74d1137f992bffb8b397a856c383

SHA256
2bd42d9debdb982e7e2dd6b168bfa73a7d81c7a25428868ab8224c8e0c7fd7b5

SHA512
31fc2b186a12b3d0b5324a52a7c4fca0f407f8990436d0ecda2198158759295b75c025f9d7e48f0e34f9da0d9560140c3583b53fe83696ecd46c72628446e159

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
27b9da334eba3025822ca9285ab32174

SHA1
ab1b329c54808f071d433e7e70c1542b940ff5f8

SHA256
476e10ceda419db00cd9e9f616ccc1004f8b07bf568c3935c5bf5a51e450b367

SHA512
80377e379d766b633e3d4f04c75ab7e2a3c5e336003348a1c61533fc9a2b710373429170cb1874d5f0f1f7acc5e4eb8bb03650ef88071c78824905eadc16409a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
97859a73789a751e59b7da7a739c90b3

SHA1
295dac721362f7db8982ab2126b52fb8d84fa3b0

SHA256
0d730ae96067edeb4229e0205b6136e690dd314064f2577980bed6b126095115

SHA512
d768b16e335f840d9e4e5039096c60af70bc6e111b779a8956e263ab5666d60553d3e63bbbe5d83437eff4bb8a959e8f3c3a16af9de76da7fb942fa59d09effb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a033355775586945c12085e3d1e8da3d

SHA1
b060325e5be1b91c0740c72bfd58b65fa30524cd

SHA256
f5d418e09dbdaade2c2db13f088f2363d2c3265bde9bea5c07c67ce36ea275f5

SHA512
dcf7a0330d25633c1a1eddf22fe081c8a7ff2cdfc841fb5a1a4357129c166cfb98522dff1256db6c23ff377538c0337d1a51833eed022fff96d80bdd603a8f60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dba7e27a10014672dd5396f5f0346d16

SHA1
c5473c1245e04f00df0e3c4208ac94b6f8cc1b3b

SHA256
5271d761526e6a5d171a1d0c7a87a893447398be2b2246e2044ae59d96edbb0e

SHA512
bb2847dd5ca7522ba117a80f3c159a365a42838abf3d389e74de8fe413259d81269843ee0f53eab565cb1626747a8a91828bd911922ecbb10604ca12ccabbc3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a4b2327e1247d54c5ddbb6d11b92a7c5

SHA1
a0f00612f4950fefd426c04c2c891950c9c8f653

SHA256
95ca89b194e2e85f8ed7aeff84480a8d8689f323dd3ae1f4a21b1deef77ebdb1

SHA512
0cd70f13878fd5a154b4f1d8cc9bb38244dba1f428ff22c6c7011dfa674e91c7c07b4dfb7d7f219f3468a471aaf69261b57052175b348f9a9d080ad1a2bc9b6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7d9b73bb56754f27b39d9b9c7cf1ab28

SHA1
6dbcbc2ad7bc33855bc997fcd99306faf02ee33b

SHA256
89e8e89ab406f7d6576be36a256163c63a93488fb3b88454166e6dc413dda2c8

SHA512
41d48e2456e6406db1a4aae0a2acd8b0938a4cf2162dbaf96cc3a566140ffcb7d8675b1be431afa304a944c1e56852ce718e0ace075a0d0e42e682bdebc775ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
0d16ad845a9268331a836cd6dedbddf2

SHA1
2b748dd8bd5de8f683781b8d1d95ba9037d7ac3f

SHA256
44eb71a4dfdbd2c9225f28ef6454bcbb1286ff67fc6a75fc40c58d5548e3cbe8

SHA512
5113a3f460a4eb22839e2e9d545449c094c3836e897b62e2cd80c1ed734e4dac553393bcfb81ab82c758150ebfb4afa572ab9174a3883dd31f5466a978175b08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
d5cf74de31e6a95d56d5212afa88a30e

SHA1
6af0add9cf21a73577443fcb0b5221b852fe452b

SHA256
3f0a8987c2fa5973ece39cc5715080e25f360868762bbe0685dc3d3a9158a6e4

SHA512
08bceb41f353e3ac1d163bdff7be77063f06d4ec5836a3f73e2dce0e6c3a9413aebcb77c36abac023d24cfc292482a00e5b585ed2e9b34190aa4b159c4a9115d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4329235D\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\Downloads\XSDJrUUx5S2tCaUw3ZTBpN0tsNXc0akJjanJ0YWlaRXNacitIa2k2Z1U5d2JQeDAxY0dTcjZ0ZXdYVTZLQzRTaldzQ3JkZDBPSTRsemFwVnJ5MVpGZXV5bjhxWnRCN1RSUXF1cUZhNm9HU2lKalZBakpwN08zUT09LS1CMWs2bFlwa0NFajhzTm8xLS00Tk5jUTBiVDczYVY2Z2JESjVlZ.gif

Filesize
43B

MD5
07fff40b5dd495aca2ac4e1c3fbc60aa

SHA1
e8ac224ba9ee97e87670ed6f3a2f0128b7af9fe4

SHA256
a065920df8cc4016d67c3a464be90099c9d28ffe7c9e6ee3a18f257efc58cbd7

SHA512
49b8daf1f5ba868bc8c6b224c787a75025ca36513ef8633d1d8f34e48ee0b578f466fcc104a7bed553404ddc5f9faff3fef5f894b31cd57f32245e550fad656a

Download Submit