106bf123359d03963b1df1011fb8560aaf1c5e811de775dce1d8a53758a69102

Analysis

max time kernel
124s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

procexp.exe
Size

4.3MB
MD5

94c60e6704b5dd11a139f2ffebde9135
SHA1

cd89f1cf9428a3eab554a3eb9ff6ca869e5bc368
SHA256

106bf123359d03963b1df1011fb8560aaf1c5e811de775dce1d8a53758a69102
SHA512

586bf326eae890379fcc7ad60e0a70384d069898aea46da32baf6bd60854df97b461019beaf17744ba3dfc0e70eb75970b977c30f035d296ae89763605d4ff6d
SSDEEP

49152:cGNq7FBhpRWa3viMRIcDdxw6dXF3W1QrL1UDq3P8mlp4DOXUxm:cGejpRWafEkRW6OHmrZXt

Score

4^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2120	procexp64.exe
1176	Process not Found

Loads dropped DLL 1 IoCs

pid	Process
1356	procexp.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	procexp.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B0860821-77C4-11EF-AD2E-6E295C7D81A3} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433049080"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2440	iexplore.exe
2440	iexplore.exe
1240	IEXPLORE.EXE
1240	IEXPLORE.EXE
2440	iexplore.exe
1240	IEXPLORE.EXE
1240	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 2120	1356	procexp.exe	30
PID 1356 wrote to memory of 2120	1356	procexp.exe	30
PID 1356 wrote to memory of 2120	1356	procexp.exe	30
PID 1356 wrote to memory of 2120	1356	procexp.exe	30
PID 2556 wrote to memory of 2164	2556	chrome.exe	32
PID 2556 wrote to memory of 2164	2556	chrome.exe	32
PID 2556 wrote to memory of 2164	2556	chrome.exe	32
PID 2556 wrote to memory of 2836	2556	chrome.exe	34
PID 2556 wrote to memory of 2836	2556	chrome.exe	34
PID 2556 wrote to memory of 2836	2556	chrome.exe	34
PID 2556 wrote to memory of 2836	2556	chrome.exe	34
PID 2556 wrote to memory of 2836	2556	chrome.exe	34
PID 2556 wrote to memory of 2836	2556	chrome.exe	34
PID 2556 wrote to memory of 2836	2556	chrome.exe	34
PID 2556 wrote to memory of 2836	2556	chrome.exe	34
PID 2556 wrote to memory of 2836	2556	chrome.exe	34
PID 2556 wrote to memory of 2836	2556	chrome.exe	34
PID 2556 wrote to memory of 2836	2556	chrome.exe	34
PID 2556 wrote to memory of 2836	2556	chrome.exe	34
PID 2556 wrote to memory of 2836	2556	chrome.exe	34
PID 2556 wrote to memory of 2836	2556	chrome.exe	34
PID 2556 wrote to memory of 2836	2556	chrome.exe	34
PID 2556 wrote to memory of 2836	2556	chrome.exe	34
PID 2556 wrote to memory of 2836	2556	chrome.exe	34
PID 2556 wrote to memory of 2836	2556	chrome.exe	34
PID 2556 wrote to memory of 2836	2556	chrome.exe	34
PID 2556 wrote to memory of 2836	2556	chrome.exe	34
PID 2556 wrote to memory of 2836	2556	chrome.exe	34
PID 2556 wrote to memory of 2836	2556	chrome.exe	34
PID 2556 wrote to memory of 2836	2556	chrome.exe	34
PID 2556 wrote to memory of 2836	2556	chrome.exe	34
PID 2556 wrote to memory of 2836	2556	chrome.exe	34
PID 2556 wrote to memory of 2836	2556	chrome.exe	34
PID 2556 wrote to memory of 2836	2556	chrome.exe	34
PID 2556 wrote to memory of 2836	2556	chrome.exe	34
PID 2556 wrote to memory of 2836	2556	chrome.exe	34
PID 2556 wrote to memory of 2836	2556	chrome.exe	34
PID 2556 wrote to memory of 2836	2556	chrome.exe	34
PID 2556 wrote to memory of 2836	2556	chrome.exe	34
PID 2556 wrote to memory of 2836	2556	chrome.exe	34
PID 2556 wrote to memory of 2836	2556	chrome.exe	34
PID 2556 wrote to memory of 2836	2556	chrome.exe	34
PID 2556 wrote to memory of 2836	2556	chrome.exe	34
PID 2556 wrote to memory of 2836	2556	chrome.exe	34
PID 2556 wrote to memory of 2836	2556	chrome.exe	34
PID 2556 wrote to memory of 2836	2556	chrome.exe	34
PID 2556 wrote to memory of 1744	2556	chrome.exe	35
PID 2556 wrote to memory of 1744	2556	chrome.exe	35
PID 2556 wrote to memory of 1744	2556	chrome.exe	35
PID 2556 wrote to memory of 2356	2556	chrome.exe	37
PID 2556 wrote to memory of 2356	2556	chrome.exe	37
PID 2556 wrote to memory of 2356	2556	chrome.exe	37
PID 2556 wrote to memory of 2356	2556	chrome.exe	37
PID 2556 wrote to memory of 2356	2556	chrome.exe	37
PID 2556 wrote to memory of 2356	2556	chrome.exe	37
PID 2556 wrote to memory of 2356	2556	chrome.exe	37
PID 2556 wrote to memory of 2356	2556	chrome.exe	37
PID 2556 wrote to memory of 2356	2556	chrome.exe	37
PID 2556 wrote to memory of 2356	2556	chrome.exe	37
PID 2556 wrote to memory of 2356	2556	chrome.exe	37
PID 2556 wrote to memory of 2356	2556	chrome.exe	37
PID 2556 wrote to memory of 2356	2556	chrome.exe	37
PID 2556 wrote to memory of 2356	2556	chrome.exe	37
PID 2556 wrote to memory of 2356	2556	chrome.exe	37

C:\Users\Admin\AppData\Local\Temp\procexp.exe
"C:\Users\Admin\AppData\Local\Temp\procexp.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Users\Admin\AppData\Local\Temp\procexp64.exe
  "C:\Users\Admin\AppData\Local\Temp\procexp.exe"
  2⤵
  - Executes dropped EXE
  PID:2120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6e79758,0x7fef6e79768,0x7fef6e79778
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1152 --field-trial-handle=1100,i,9917825924346332207,5075714607267578500,131072 /prefetch:2
  2⤵
  PID:2836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1472 --field-trial-handle=1100,i,9917825924346332207,5075714607267578500,131072 /prefetch:8
  2⤵
  PID:1744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1584 --field-trial-handle=1100,i,9917825924346332207,5075714607267578500,131072 /prefetch:8
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2216 --field-trial-handle=1100,i,9917825924346332207,5075714607267578500,131072 /prefetch:1
  2⤵
  PID:2692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2224 --field-trial-handle=1100,i,9917825924346332207,5075714607267578500,131072 /prefetch:1
  2⤵
  PID:2652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2472 --field-trial-handle=1100,i,9917825924346332207,5075714607267578500,131072 /prefetch:2
  2⤵
  PID:2144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1376 --field-trial-handle=1100,i,9917825924346332207,5075714607267578500,131072 /prefetch:1
  2⤵
  PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3636 --field-trial-handle=1100,i,9917825924346332207,5075714607267578500,131072 /prefetch:8
  2⤵
  PID:1920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3408 --field-trial-handle=1100,i,9917825924346332207,5075714607267578500,131072 /prefetch:1
  2⤵
  PID:1296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3708 --field-trial-handle=1100,i,9917825924346332207,5075714607267578500,131072 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2748 --field-trial-handle=1100,i,9917825924346332207,5075714607267578500,131072 /prefetch:1
  2⤵
  PID:2508

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1168

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2440
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2440 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a374bcc7414a95c2bfd9b497f45a7c5

SHA1
1e20409032f7b6291d5dafff364aa810755a541e

SHA256
ab285c83c44c741edfca63f28d4977f86b2ed7268698be6c981390a744f841e6

SHA512
d65d9707c1d8c8db7f476bf3d14d5252cf7b019155bb0c654c91411246d84bd46c571b0b058e997354fcc6baf3657e413e2d381952313e5dc69e4d08865d43cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f5242a00c73b690d15638aad530b7a4d

SHA1
b1313b0338a603ff0739141e818f12ed5e0904ed

SHA256
d9e97bcb7ecda3d5eb542edb23d1dc2d72b10e3d74e7575387d8824c2cdc5777

SHA512
0751def0672c55ce543314369dc21dc0406aeaa08cb32f5afdb601b2bf09ba46a4945d045a40aee8e8868378107c63c448e37493196687b08b1e90b10611a921

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd8f11e0247dbd37c5d76ed0e40eb6c7

SHA1
b590f70313a6b902a0d860f5f9adbedfdcc4ce59

SHA256
bad680088ea275ba6a7b06dd46fdc5f7f3bed0fe4149f935ed8960bcde24b2ed

SHA512
37b45b82f713654adc6858c609736371401391dc0a21c8bf291054d90df66fbc5c477c15f518b10353c79b4a810779fbd69290cf050ff19b14638f2f7ff12dc3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86e1b8c7eb5945a6d8a3bcf2b51a0872

SHA1
d0fa934b5d1055cc8f82a1e99dc3636ea5241888

SHA256
169cdb64c716d5ec184e3c6fe53a051d478d47b7e3461a94167de165e1685d61

SHA512
8069e2db88f6816eed0ce0c2d04ba26d431e9324e75a3e5e2da83607990a386d597f069fa4b399ce97632e3f4250e2138b296bd6aec784b10f7d048077055484

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7334d6abd3148ae7344a7576bdb45763

SHA1
03fe8be159f8bd9634407a6936cb40e6f4f8ff94

SHA256
61bb25a8459afc704ffb953c87ee00e7de636ed4aef5d850bf489f72e923e69b

SHA512
ae630b29ed744f62a250bf7603d0573f1c18c5a4b7bb85771ac2f7197298af3c22a04343f51b73a187f31e328e9efc0715cba682cf15f00c13f9a6654e07f1e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1400a86058eea2528e23eb6d78343d7f

SHA1
195abb024727b193f41a771a956b8e69148cdde0

SHA256
430e755a77663be247e1fb99763fdf8091c907c36230f34b1a119533e8e739b5

SHA512
5cba280c25f92f17d59c304269a21b664c410346069bf07e1523c2c60f4818bc75ecf5a5bdffef83d8565da5c6fbf53786c657641f07e5484a5ce2dfb6e48a22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ece21edc8721fcc0d91d79d77c743701

SHA1
6bde721b923a5ffe4a85795de1d5b623f82d3cfb

SHA256
7f65c848eaf1e27ea074dadd619ae16e7c81b3e14364dd33f89db2cc8ccdc87d

SHA512
c5174ad7ffc6cce3737c0863749e363255435d6693f9579c8643d00a19a581a598a2f2ec1be332ab48e3a3ddef9078268d7a8853f20558b4f802a3600197e0af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ee916a17091083ae9e851cc206565ee3

SHA1
189e15b799701c20129c18b9a6302fed21829a4d

SHA256
7880b7a30aeddbefeac9747199d83de26dafce913a169373714b72430b647fcc

SHA512
dd76576c7c7c74cec3d32505c3a4372f6bc704bfa8b186a7e1443bbc7e7794602f91fdb2d0e4c36a2b0625dfc18359049d7e588e8f0d8e0cc31d389fdde02407

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd3176861124d37fbd8bea16ad3b8cf7

SHA1
d4ae7d7e7642bb83bbebf1c5742be85da7e4d6ca

SHA256
4b30248bf34ec3c50939cc259acb85057cb1222b8e0f1f696510d0983482e846

SHA512
383ce5242479f8c7abe2799fb1df93a041841c23263dd44186ec9d8a279de0b21af97abd4afd2cb47665cb92d43213fe11c51af9198292616f4ee6ef4e3424c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
716d956916873ca41a5144eda5b9bfa3

SHA1
718debb92fb670d6611eae6f4dd3132ff0ef261d

SHA256
e6e12ebc7c7d2bbdb92d9a1cc5d92c1bd51905d2e9ad60662cb761f3cf459119

SHA512
9079ba7464302efb5281c36a6e8e7057241720106ef80a1707f215f3134d9e018b6effa5822f02a6ddf62972b8714b1b16973ed22709d85e358f2d7211c53858

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93f1ea870622ad379cc32e000a3f83d9

SHA1
e3dd32f0768d6871d496cb29d8e6a1538068f1f9

SHA256
661d92178a3881e9178147c168bc96e375aa0dcdf841db781d4754d83c66f265

SHA512
3911ed77f6323463c6b9dd7af3fca68a482f3134e06524352ad70212db42300033e157c0278174ed362b3776f177bb9a5d7b5a552c20f68d0201c164b291d30a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
85964faa7990fa96cf435c60f6b3dc45

SHA1
362a968596a9877784e5a61606b1632dab3662da

SHA256
011ed225d47f33256c75c7618e58c2434fdbe808624b6a988d0423c4482c86da

SHA512
a6a286c462355212fa137266c75b4da710ca9126be3615628eabd57bee6f644c70e6cf031e08a45b2cdc7d59c0050430dd401d6f6712fb43703426b2de8b9dde

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8502ce26852f7d95d77ed8d2ff72ff00

SHA1
b492be339e5a11a8c206a4113eb4a58cc72d11ab

SHA256
f9231775adbbe4818fd9e80b35c529a940eca292268b8d6396a10870130874eb

SHA512
c91e9e436a4dc24ea254eb5e07d20dcee475dbc6d6aae1c4b6b3aa5a4578f5c2dd65340fdf043066d50f790d3e16b1261ba66e9b6c02c14da4ef5fa9198e26b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f5fbcaecbabcfa6a87d9668fa9a7d79f

SHA1
3afceb350249561b280444a25ff7285ed3f5d84b

SHA256
00f408979c3136bddb52cc402cc0d7403bd15ebf70dfd1982bf0242fcb8b752d

SHA512
08ad1ddcc6482812ab56b18a48772fd9487d1987289d22f59a3e3bd1562d198c5ff823b7ba221d76e2d89f4a2392eb69e87d530a4d8a884280563673e212bb99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e74d036a2e24f31cb9e37541f219d07e

SHA1
04e977ed32bde19ca073efc05d9c714b1ad60430

SHA256
895625ffb0a3e20c2a7b842a97f6b697f97cbb93da06854b9e13e9391ebc9531

SHA512
21af3be483a5a30440fd497e9a0912879d08842e50fdfd71e10ac1977b113936b395e7a0bd1083d66f8c9db69db80bf29a3c3ea63d77c9f63c20f255e0c36416

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
31760f12975bb257d5113d65560ae8ab

SHA1
1a74732d29d7da0fc355d4f3faaef95b96bfb853

SHA256
ac70beec6027ac6bccb2f9b58fad0ca5fd476f983f597e6425a039a1088b677e

SHA512
16b95b50157749005b63218be24723615ef435d023d1d971391d230282ee9985fe89124b0a349b1bed35c8e1957d3681cf52f704789bd7082be8444466f56568

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6c69145857900b081c3942939b1c7b7

SHA1
1f32e356200895947f7ecd8415d9908d2ada2297

SHA256
1c9c1b8b2c343723d0663b8b4dac5c0e31755de1e7ce4958a280f684570e0ff0

SHA512
f8af18534701075c0baeec2da2b59c50d570d33b761dce82d08b03f8b811a0cd8fdea30474f55833cc05de68211f1f2386b374769ff45663090a903b90135ee0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f229723ac0ad98e33f36d2bd18a83a6

SHA1
ace310ffce2785ccf73d51fdacf43aaa253eca54

SHA256
5c27d8d45048d709d16d2b5cbc0fd75dca2f9ebde4d8de1b5ae6ca5b497aaaee

SHA512
fd571a9c9bee44ac72cb542d7a16992e57b2c2f41185bb6d372b071ef26ee515c58cfab8ef89b5eeb4aed548f325b5c578b6d03cd91a4e29965327ae0bdc6db3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eeaa9aebd07bec1ef3f5a7d992f7263c

SHA1
76801f944d1a283246ca3b1342cae14f6d4cb345

SHA256
14caf513dc173cfe5c352ba752c31102f9c934231ccefe1a36652ebb99981a4c

SHA512
0077e56c9d526aa784acdc9ed42b4e1dab842cba9938e4f9108d25f32ab422379e691643614497b09c8c8fd5c19e4ec7cd8e50125f1e5889c2448eb314cdb82c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
987B

MD5
83c6e2155e8812e98b3ea30382e47dba

SHA1
3d387f226857613b61b4d3eef34b894dbdf7a793

SHA256
9fa3bf64db23e643ea90de133740964d3c065b1ac407085efd6449b5d0f13e15

SHA512
ae68cc6cef53bfc3afeb218b0ee4486b747d482e344dbf932251a238ec7fb334acb75cddc9c4b05717b2c5b44529a733f0d2ce720114b495ce59c81497078625

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
46fed4334ad5dfde60b43d36163a1109

SHA1
75084e859ed7f77b7e648ea6e8391ef1a0abe741

SHA256
49d68fef5b0a5276a188b636ffdaa00650f14dce7c841d73b82e4eaab868302f

SHA512
a3bcc68e11667df681674696499bed545642dadb4cffa737ff794b269caac32a6242b54deb00fac8230102755e66e3cfd3a1a68cab75d41676ddb446381c6424

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1d13a1254605f5b2c6aea52ea43c8f15

SHA1
25524a0a419643cc2bb81e9b741019fc87236fde

SHA256
8552c836be6053e12810d59f3100baf46ddcf717b75b48aaf971256376df084e

SHA512
b5030760b5c65d4ca61740c1f39639e0ebb7a1b466b56c91c4964146db21b3507027810511263d93e5e83952f73365a23465960edb9e0c2c0cd67d67a0a832be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1334.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar13F4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\procexp64.exe

Filesize
2.3MB

MD5
dfeea73e421c76deb18d5ca0800dccf2

SHA1
0497eba0b24d0f4500faad5ae96dbebab9c64608

SHA256
8158dc0569972c10056f507cf9e72f4946600ce163c4c659a610480585cd4935

SHA512
23ddc9f28314d4cf3b05d88b9e0b6fd69f9804f5e9c3f7703258ff2c5786721061321379fde53e21048d3c7cce1ff71e2872d48dcc580d059397fa0692335630

Download Submit