gozi | 3a47ced8750d0151513ce5e28874274d5bcf7b2d81ca5872f8ea5cbd510681f8

Analysis

max time kernel
106s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2024 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

I5w0SN.html
Size

504B
MD5

46bacc095e419a61d8594200d6fa96e5
SHA1

2128d5085054537e0a1d449e61ce7839ba10bfb8
SHA256

3a47ced8750d0151513ce5e28874274d5bcf7b2d81ca5872f8ea5cbd510681f8
SHA512

2e3d94f03577895f423d6afe0718dc9e6b1a17617fcc02fd1299975f8d3ae25288fb9920e8ed8e7f2cc5468795c019454d743558c1819d8c1d2ed2678351c3e5

Score

10^/10

gozi banker discovery isfb trojan

Malware Config

Extracted

Family

gozi

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Executes dropped EXE 1 IoCs

pid	Process
4468	pwdfrmy0mr.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133719404045056870"	chrome.exe

Modifies registry class 32 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Documents"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "3"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	notepad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e80922b16d365937a46956b92703aca08af0000	notepad.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3248	chrome.exe
3248	chrome.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe
4468	pwdfrmy0mr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3248	chrome.exe
Token: SeCreatePagefilePrivilege	3248	chrome.exe
Token: SeShutdownPrivilege	3248	chrome.exe
Token: SeCreatePagefilePrivilege	3248	chrome.exe
Token: SeShutdownPrivilege	3248	chrome.exe
Token: SeCreatePagefilePrivilege	3248	chrome.exe
Token: SeShutdownPrivilege	3248	chrome.exe
Token: SeCreatePagefilePrivilege	3248	chrome.exe
Token: SeShutdownPrivilege	3248	chrome.exe
Token: SeCreatePagefilePrivilege	3248	chrome.exe
Token: SeShutdownPrivilege	3248	chrome.exe
Token: SeCreatePagefilePrivilege	3248	chrome.exe
Token: SeShutdownPrivilege	3248	chrome.exe
Token: SeCreatePagefilePrivilege	3248	chrome.exe
Token: SeShutdownPrivilege	3248	chrome.exe
Token: SeCreatePagefilePrivilege	3248	chrome.exe
Token: SeShutdownPrivilege	3248	chrome.exe
Token: SeCreatePagefilePrivilege	3248	chrome.exe
Token: SeShutdownPrivilege	3248	chrome.exe
Token: SeCreatePagefilePrivilege	3248	chrome.exe
Token: SeShutdownPrivilege	3248	chrome.exe
Token: SeCreatePagefilePrivilege	3248	chrome.exe
Token: SeShutdownPrivilege	3248	chrome.exe
Token: SeCreatePagefilePrivilege	3248	chrome.exe
Token: SeShutdownPrivilege	3248	chrome.exe
Token: SeCreatePagefilePrivilege	3248	chrome.exe
Token: SeShutdownPrivilege	3248	chrome.exe
Token: SeCreatePagefilePrivilege	3248	chrome.exe
Token: SeShutdownPrivilege	3248	chrome.exe
Token: SeCreatePagefilePrivilege	3248	chrome.exe
Token: SeShutdownPrivilege	3248	chrome.exe
Token: SeCreatePagefilePrivilege	3248	chrome.exe
Token: SeShutdownPrivilege	3248	chrome.exe
Token: SeCreatePagefilePrivilege	3248	chrome.exe
Token: SeShutdownPrivilege	3248	chrome.exe
Token: SeCreatePagefilePrivilege	3248	chrome.exe
Token: SeShutdownPrivilege	3248	chrome.exe
Token: SeCreatePagefilePrivilege	3248	chrome.exe
Token: SeShutdownPrivilege	3248	chrome.exe
Token: SeCreatePagefilePrivilege	3248	chrome.exe
Token: SeShutdownPrivilege	3248	chrome.exe
Token: SeCreatePagefilePrivilege	3248	chrome.exe
Token: SeShutdownPrivilege	3248	chrome.exe
Token: SeCreatePagefilePrivilege	3248	chrome.exe
Token: SeShutdownPrivilege	3248	chrome.exe
Token: SeCreatePagefilePrivilege	3248	chrome.exe
Token: SeShutdownPrivilege	3248	chrome.exe
Token: SeCreatePagefilePrivilege	3248	chrome.exe
Token: SeShutdownPrivilege	3248	chrome.exe
Token: SeCreatePagefilePrivilege	3248	chrome.exe
Token: SeShutdownPrivilege	3248	chrome.exe
Token: SeCreatePagefilePrivilege	3248	chrome.exe
Token: SeShutdownPrivilege	3248	chrome.exe
Token: SeCreatePagefilePrivilege	3248	chrome.exe
Token: SeShutdownPrivilege	3248	chrome.exe
Token: SeCreatePagefilePrivilege	3248	chrome.exe
Token: SeShutdownPrivilege	3248	chrome.exe
Token: SeCreatePagefilePrivilege	3248	chrome.exe
Token: SeShutdownPrivilege	3248	chrome.exe
Token: SeCreatePagefilePrivilege	3248	chrome.exe
Token: SeShutdownPrivilege	3248	chrome.exe
Token: SeCreatePagefilePrivilege	3248	chrome.exe
Token: SeShutdownPrivilege	3248	chrome.exe
Token: SeCreatePagefilePrivilege	3248	chrome.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3668	7zG.exe
4204	notepad.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4468	pwdfrmy0mr.exe
4204	notepad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3248 wrote to memory of 1968	3248	chrome.exe	83
PID 3248 wrote to memory of 1968	3248	chrome.exe	83
PID 3248 wrote to memory of 436	3248	chrome.exe	84
PID 3248 wrote to memory of 436	3248	chrome.exe	84
PID 3248 wrote to memory of 436	3248	chrome.exe	84
PID 3248 wrote to memory of 436	3248	chrome.exe	84
PID 3248 wrote to memory of 436	3248	chrome.exe	84
PID 3248 wrote to memory of 436	3248	chrome.exe	84
PID 3248 wrote to memory of 436	3248	chrome.exe	84
PID 3248 wrote to memory of 436	3248	chrome.exe	84
PID 3248 wrote to memory of 436	3248	chrome.exe	84
PID 3248 wrote to memory of 436	3248	chrome.exe	84
PID 3248 wrote to memory of 436	3248	chrome.exe	84
PID 3248 wrote to memory of 436	3248	chrome.exe	84
PID 3248 wrote to memory of 436	3248	chrome.exe	84
PID 3248 wrote to memory of 436	3248	chrome.exe	84
PID 3248 wrote to memory of 436	3248	chrome.exe	84
PID 3248 wrote to memory of 436	3248	chrome.exe	84
PID 3248 wrote to memory of 436	3248	chrome.exe	84
PID 3248 wrote to memory of 436	3248	chrome.exe	84
PID 3248 wrote to memory of 436	3248	chrome.exe	84
PID 3248 wrote to memory of 436	3248	chrome.exe	84
PID 3248 wrote to memory of 436	3248	chrome.exe	84
PID 3248 wrote to memory of 436	3248	chrome.exe	84
PID 3248 wrote to memory of 436	3248	chrome.exe	84
PID 3248 wrote to memory of 436	3248	chrome.exe	84
PID 3248 wrote to memory of 436	3248	chrome.exe	84
PID 3248 wrote to memory of 436	3248	chrome.exe	84
PID 3248 wrote to memory of 436	3248	chrome.exe	84
PID 3248 wrote to memory of 436	3248	chrome.exe	84
PID 3248 wrote to memory of 436	3248	chrome.exe	84
PID 3248 wrote to memory of 436	3248	chrome.exe	84
PID 3248 wrote to memory of 1400	3248	chrome.exe	85
PID 3248 wrote to memory of 1400	3248	chrome.exe	85
PID 3248 wrote to memory of 976	3248	chrome.exe	86
PID 3248 wrote to memory of 976	3248	chrome.exe	86
PID 3248 wrote to memory of 976	3248	chrome.exe	86
PID 3248 wrote to memory of 976	3248	chrome.exe	86
PID 3248 wrote to memory of 976	3248	chrome.exe	86
PID 3248 wrote to memory of 976	3248	chrome.exe	86
PID 3248 wrote to memory of 976	3248	chrome.exe	86
PID 3248 wrote to memory of 976	3248	chrome.exe	86
PID 3248 wrote to memory of 976	3248	chrome.exe	86
PID 3248 wrote to memory of 976	3248	chrome.exe	86
PID 3248 wrote to memory of 976	3248	chrome.exe	86
PID 3248 wrote to memory of 976	3248	chrome.exe	86
PID 3248 wrote to memory of 976	3248	chrome.exe	86
PID 3248 wrote to memory of 976	3248	chrome.exe	86
PID 3248 wrote to memory of 976	3248	chrome.exe	86
PID 3248 wrote to memory of 976	3248	chrome.exe	86
PID 3248 wrote to memory of 976	3248	chrome.exe	86
PID 3248 wrote to memory of 976	3248	chrome.exe	86
PID 3248 wrote to memory of 976	3248	chrome.exe	86
PID 3248 wrote to memory of 976	3248	chrome.exe	86
PID 3248 wrote to memory of 976	3248	chrome.exe	86
PID 3248 wrote to memory of 976	3248	chrome.exe	86
PID 3248 wrote to memory of 976	3248	chrome.exe	86
PID 3248 wrote to memory of 976	3248	chrome.exe	86
PID 3248 wrote to memory of 976	3248	chrome.exe	86
PID 3248 wrote to memory of 976	3248	chrome.exe	86
PID 3248 wrote to memory of 976	3248	chrome.exe	86
PID 3248 wrote to memory of 976	3248	chrome.exe	86
PID 3248 wrote to memory of 976	3248	chrome.exe	86
PID 3248 wrote to memory of 976	3248	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\I5w0SN.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffcd839cc40,0x7ffcd839cc4c,0x7ffcd839cc58
  2⤵
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1848,i,5707758692275599975,11680524570146386413,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1836 /prefetch:2
  2⤵
  PID:436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2128,i,5707758692275599975,11680524570146386413,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  PID:1400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,5707758692275599975,11680524570146386413,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2212 /prefetch:8
  2⤵
  PID:976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3084,i,5707758692275599975,11680524570146386413,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,5707758692275599975,11680524570146386413,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:1224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4576,i,5707758692275599975,11680524570146386413,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4584 /prefetch:8
  2⤵
  PID:1008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4876,i,5707758692275599975,11680524570146386413,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4800 /prefetch:1
  2⤵
  PID:2520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3656,i,5707758692275599975,11680524570146386413,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:4252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3384,i,5707758692275599975,11680524570146386413,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4620,i,5707758692275599975,11680524570146386413,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:2084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5092,i,5707758692275599975,11680524570146386413,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5388 /prefetch:8
  2⤵
  PID:1304

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4040

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3720

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\pwdfrmy0mr\" -ad -an -ai#7zMap6785:82:7zEvent26541
1⤵
- Suspicious use of FindShellTrayWindow
PID:3668

C:\Users\Admin\Downloads\pwdfrmy0mr\pwdfrmy0mr.exe
"C:\Users\Admin\Downloads\pwdfrmy0mr\pwdfrmy0mr.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:3884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:3556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:4800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:3944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:4332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:4492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:2092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:4668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:2804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:5112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:1948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:2264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:4484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:3048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:2952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:2312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:4464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:1512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:1388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:4668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:4884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:4892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:3028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:4820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:4032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:2212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:1304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:640

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
72f24b3f7a57f2006c32e4856a6cff7e

SHA1
26a4012ce7b85c2a0438dd5d21f77377edcbf818

SHA256
ec34301ac3bf602462c1fbe51e799e7397413ff10d532452bb596f52c0175abe

SHA512
36d0521e3e03042d1c067f557dd651e0884e2d27b8c305e7803852e2263840407f3253b4b5e063985cb9a9462152ff04ed9bb88e899ede838bee5616d09d51da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
c97ba8788ecfb4a935175f29930c3e22

SHA1
51c41313ff96dbc05329864632291f0e84e25cd3

SHA256
993f058a5b5dbff42bdb08b8980fdbd95fd8c77921a49cb689c72169101529e4

SHA512
1739bf164e5f123acc3803efc63104b1a08df3a545dd9a987a3e35b841483fbfa401bde3255df38842289f4219324ad8b4d2bdbf698ad23f5e7fce4f6f4dc024

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
a6d4441dfff2b1cb7988de45c560947b

SHA1
9e10db38d817f88b62fb3bfd78637b1f55d19f11

SHA256
ccb5b0eaa9e988c8c90257ba05d304c4e7ab4e0e14b031e156d4e8b206c5b0b8

SHA512
99858177004c38d8d68b902d68b487918b96311d49b617b984a0df61e7fc992800d127b1ac526faf82313a36b037e673b85d153984b5fa9db6011c0d0d7973b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
a806b58918b856c2c36f8d395141e4d7

SHA1
a8f1402aabf83c2fdefd3db34ea095bf7fed2157

SHA256
3cb570eeb3d36c46e5847ff9a00788c5a4d9d8a068148b63156623946b49bfdc

SHA512
ed63a63d7b57a3cd85e58e883350b7859f4202b016eaa535e726a9a84fc76e7112fb734550c0d5e8cb8af300e35afaeadf8224a94c65243ed49b48d9924914ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8ec998ae7c69ddadefc037c4d27c637f

SHA1
a6a19bcdaaec8a96af15292de5f92587c511121e

SHA256
c88d8af34cfe2c4a2edad5517294823d54bdc31d4f055a44c2a649439fb221be

SHA512
77ac937d9bdb82a08dc4e8fc7dbb7523cc47c930cd2903a1f8be523e4e657d11dda6e7b4c4eeac0b83d89fa90173b5df795647f29a24d932d8afaaa0a8c02a6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6c67aaadb19d7d900edc0b794c700876

SHA1
2665bc87c47da2e4307b1b5ce999aed6503d7d38

SHA256
120c462de7d236d91f10786239087201051f04bed5141bf0fd6709eab05d4e6b

SHA512
ec970cf8c7f9a25f32af4fe501acd716684d936cd23732b35490a8136ec0b7bf82d150471c064b1916c922c2492fd2ca305626e45907ff7d06e90ce0e2fcd3de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ad1cd5e619ec7bf3b6882a1734431684

SHA1
0fd3307a28dc4a56466279c6397dcb0642ff55bf

SHA256
2c56818ab13ed04f7991edda1142877d1d7e174edcc58d4b5b8c5ee5bb50abad

SHA512
6791ceeed602d0ab06fb070a91f66eabe119aad7d458b3c3384f2c7b12339a7b9991ed6c0d12045bb3035eda9f73693c5e98455693e894afe107f0e72177159d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ebd15c9ad005f2d96872a17afa84dd09

SHA1
7b32d9ef4e90f157b404ba15073f19ace57574df

SHA256
88d996e808e9c768148629ddd560d8d40442b2390527b610b533fb28869df1d6

SHA512
3a7e90ec90b76368aa84927b201bfeb0deacb13197963f43765565e2dbeb04b7309dd305ee6bba99a85b0af98c0211bb3e13b7bc4df230822f157d0fe4b41de2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d0a8bd657662e46fdd53b7682bbff9fd

SHA1
f036160828dcb9839b58ff9a3882cafda233751e

SHA256
9313bf03790ec0c64214a1cf44c949facbbf6bfce7239054d45efb5ff3741158

SHA512
de5bf2e9ce6ed02be2b668bd3bce56079a29a875ae648499a70248595005823830bd0a07bd1bf600ddae5423bfbad0bdec8e1584e9bd343e685a053c73aa7b24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7981b32145ffc58f81dcb893ff91b941

SHA1
0c006affe2bb03985878996aa578f9c719e54b69

SHA256
885a55f06ec73518dd0ea655f644218c2a482603923f96cb42d19dd46c85843b

SHA512
63b326b30945641cc5d931b9068a8d1d32c7ea2b99ca90921e426f7f93bdbf6d88371365e4f8190a0b469b1b731da42739bd4aad56a5c079b9a37a048aff8934

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f1457037192c4648b4ce1ec6159115a9

SHA1
c9e5f991712d20593a8c2ce60edfc26985552378

SHA256
3391e8d8a964d4e7915f7e2b3a00c48510d22cccba421adb8d8a8304aed08553

SHA512
9addc68e85de403cca5a7caa1fe24a62fe93e0eaad15b1031ccef2a8cf148f5c182bcfdd6d1e5375dd174f1ad3cb4bdfb484b4a8003bf58f1f9d587d28b0cdd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
7665ca514a36a1667907df47639234ed

SHA1
ab0260b5a1044fa71468e2425157300f75c07531

SHA256
5ed640d882d4a61681b6d4599d2d7e44c6ee3dfb95b10fbc5d2e3aba568b165e

SHA512
a64ebd2a0d0b7cf5f345cacfae16dccb50c52a34e1b87aa62f5da14bc77a6282c3edd526b59ac0674857c0308cf5346d1ac4d755a7730644a7aabc8e86b71116

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
ffb63319e5c54134577816554a1edfee

SHA1
8cd3ed763bcf551fb870ad861e51d9fd8986b0b2

SHA256
eec02269d0823997393e2329302bc59ca264176f5eaaab358c1e0d15bb33f461

SHA512
f35a2e818ec4fd1bd1bcc36204261ecf0aa3960d2cddbb48236744518885046c7857480bcf9e9496524bf1c0bb678f4f59df39d5692f5dca93652744ffe7d84d

Download Submit
C:\Users\Admin\Downloads\pwdfrmy0mr.rar

Filesize
13.1MB

MD5
6b5346b545f708892e6bf13842a79aeb

SHA1
41ac1ef7117acd3f46d60974b17418271f5b07cd

SHA256
403ab0b291de38efbb06d4432d94ec7c9caa356a3559d354a1c115a45abe07be

SHA512
5215fb1a886034ffcb5a01f03b59a9ff5940e331db2ebe923cb5a9ba05f0ad8895037b283555b43e59b03941597b659753ba25f33da6e28d6ed3c4389a125d74

Download Submit
C:\Users\Admin\Downloads\pwdfrmy0mr\pwdfrmy0mr.exe

Filesize
14.8MB

MD5
b7eb4e534c7d36dee723a23f7e59c330

SHA1
6566cdb7eb847ca3a8c4d9a5f2731bca60fcf86b

SHA256
eaf59a5f7ee285a410f2cfbbf75befa377e195eee7a931b5da28ed01689598ab

SHA512
016dabb5ed9597d83868f6e34f419a041d534bccca64d4a157c457c892dc87d28499bc97449fdda3cd256f9afee071e0cd3e2529ab89541a91c4aeb90f9eb1e9

Download Submit
memory/4468-146-0x00007FF703330000-0x00007FF704CAC000-memory.dmp

Filesize
25.5MB

Download
memory/4468-145-0x00007FFCE7140000-0x00007FFCE7142000-memory.dmp

Filesize
8KB

Download
memory/4468-163-0x00007FF703330000-0x00007FF704CAC000-memory.dmp

Filesize
25.5MB

Download
memory/4468-144-0x00007FFCE7130000-0x00007FFCE7132000-memory.dmp

Filesize
8KB

Download