8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3

Analysis

max time kernel
54s
max time network
147s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09-12-2024 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BootstrapperV1.23.exe
Size

800KB
MD5

02c70d9d6696950c198db93b7f6a835e
SHA1

30231a467a49cc37768eea0f55f4bea1cbfb48e2
SHA256

8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3
SHA512

431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb
SSDEEP

12288:qhd8cjaLXVh84wEFkW1mocaBj6WtiRPpptHxQ0z:2ycjar84w5W4ocaBj6y2tHDz

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2308	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F1789371-B676-11EF-9452-E2BC28E7E786} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2852	chrome.exe
2852	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2516	WMIC.exe
Token: SeSecurityPrivilege	2516	WMIC.exe
Token: SeTakeOwnershipPrivilege	2516	WMIC.exe
Token: SeLoadDriverPrivilege	2516	WMIC.exe
Token: SeSystemProfilePrivilege	2516	WMIC.exe
Token: SeSystemtimePrivilege	2516	WMIC.exe
Token: SeProfSingleProcessPrivilege	2516	WMIC.exe
Token: SeIncBasePriorityPrivilege	2516	WMIC.exe
Token: SeCreatePagefilePrivilege	2516	WMIC.exe
Token: SeBackupPrivilege	2516	WMIC.exe
Token: SeRestorePrivilege	2516	WMIC.exe
Token: SeShutdownPrivilege	2516	WMIC.exe
Token: SeDebugPrivilege	2516	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2516	WMIC.exe
Token: SeRemoteShutdownPrivilege	2516	WMIC.exe
Token: SeUndockPrivilege	2516	WMIC.exe
Token: SeManageVolumePrivilege	2516	WMIC.exe
Token: 33	2516	WMIC.exe
Token: 34	2516	WMIC.exe
Token: 35	2516	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2516	WMIC.exe
Token: SeSecurityPrivilege	2516	WMIC.exe
Token: SeTakeOwnershipPrivilege	2516	WMIC.exe
Token: SeLoadDriverPrivilege	2516	WMIC.exe
Token: SeSystemProfilePrivilege	2516	WMIC.exe
Token: SeSystemtimePrivilege	2516	WMIC.exe
Token: SeProfSingleProcessPrivilege	2516	WMIC.exe
Token: SeIncBasePriorityPrivilege	2516	WMIC.exe
Token: SeCreatePagefilePrivilege	2516	WMIC.exe
Token: SeBackupPrivilege	2516	WMIC.exe
Token: SeRestorePrivilege	2516	WMIC.exe
Token: SeShutdownPrivilege	2516	WMIC.exe
Token: SeDebugPrivilege	2516	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2516	WMIC.exe
Token: SeRemoteShutdownPrivilege	2516	WMIC.exe
Token: SeUndockPrivilege	2516	WMIC.exe
Token: SeManageVolumePrivilege	2516	WMIC.exe
Token: 33	2516	WMIC.exe
Token: 34	2516	WMIC.exe
Token: 35	2516	WMIC.exe
Token: SeDebugPrivilege	2356	BootstrapperV1.23.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
916	iexplore.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
916	iexplore.exe
916	iexplore.exe
2436	IEXPLORE.EXE
2436	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2316	2356	BootstrapperV1.23.exe	31
PID 2356 wrote to memory of 2316	2356	BootstrapperV1.23.exe	31
PID 2356 wrote to memory of 2316	2356	BootstrapperV1.23.exe	31
PID 2316 wrote to memory of 2308	2316	cmd.exe	33
PID 2316 wrote to memory of 2308	2316	cmd.exe	33
PID 2316 wrote to memory of 2308	2316	cmd.exe	33
PID 2356 wrote to memory of 1096	2356	BootstrapperV1.23.exe	34
PID 2356 wrote to memory of 1096	2356	BootstrapperV1.23.exe	34
PID 2356 wrote to memory of 1096	2356	BootstrapperV1.23.exe	34
PID 1096 wrote to memory of 2516	1096	cmd.exe	36
PID 1096 wrote to memory of 2516	1096	cmd.exe	36
PID 1096 wrote to memory of 2516	1096	cmd.exe	36
PID 2356 wrote to memory of 2820	2356	BootstrapperV1.23.exe	39
PID 2356 wrote to memory of 2820	2356	BootstrapperV1.23.exe	39
PID 2356 wrote to memory of 2820	2356	BootstrapperV1.23.exe	39
PID 2852 wrote to memory of 2724	2852	chrome.exe	41
PID 2852 wrote to memory of 2724	2852	chrome.exe	41
PID 2852 wrote to memory of 2724	2852	chrome.exe	41
PID 2852 wrote to memory of 836	2852	chrome.exe	42
PID 2852 wrote to memory of 836	2852	chrome.exe	42
PID 2852 wrote to memory of 836	2852	chrome.exe	42
PID 2852 wrote to memory of 836	2852	chrome.exe	42
PID 2852 wrote to memory of 836	2852	chrome.exe	42
PID 2852 wrote to memory of 836	2852	chrome.exe	42
PID 2852 wrote to memory of 836	2852	chrome.exe	42
PID 2852 wrote to memory of 836	2852	chrome.exe	42
PID 2852 wrote to memory of 836	2852	chrome.exe	42
PID 2852 wrote to memory of 836	2852	chrome.exe	42
PID 2852 wrote to memory of 836	2852	chrome.exe	42
PID 2852 wrote to memory of 836	2852	chrome.exe	42
PID 2852 wrote to memory of 836	2852	chrome.exe	42
PID 2852 wrote to memory of 836	2852	chrome.exe	42
PID 2852 wrote to memory of 836	2852	chrome.exe	42
PID 2852 wrote to memory of 836	2852	chrome.exe	42
PID 2852 wrote to memory of 836	2852	chrome.exe	42
PID 2852 wrote to memory of 836	2852	chrome.exe	42
PID 2852 wrote to memory of 836	2852	chrome.exe	42
PID 2852 wrote to memory of 836	2852	chrome.exe	42
PID 2852 wrote to memory of 836	2852	chrome.exe	42
PID 2852 wrote to memory of 836	2852	chrome.exe	42
PID 2852 wrote to memory of 836	2852	chrome.exe	42
PID 2852 wrote to memory of 836	2852	chrome.exe	42
PID 2852 wrote to memory of 836	2852	chrome.exe	42
PID 2852 wrote to memory of 836	2852	chrome.exe	42
PID 2852 wrote to memory of 836	2852	chrome.exe	42
PID 2852 wrote to memory of 836	2852	chrome.exe	42
PID 2852 wrote to memory of 836	2852	chrome.exe	42
PID 2852 wrote to memory of 836	2852	chrome.exe	42
PID 2852 wrote to memory of 836	2852	chrome.exe	42
PID 2852 wrote to memory of 836	2852	chrome.exe	42
PID 2852 wrote to memory of 836	2852	chrome.exe	42
PID 2852 wrote to memory of 836	2852	chrome.exe	42
PID 2852 wrote to memory of 836	2852	chrome.exe	42
PID 2852 wrote to memory of 836	2852	chrome.exe	42
PID 2852 wrote to memory of 836	2852	chrome.exe	42
PID 2852 wrote to memory of 836	2852	chrome.exe	42
PID 2852 wrote to memory of 836	2852	chrome.exe	42
PID 2852 wrote to memory of 1484	2852	chrome.exe	43
PID 2852 wrote to memory of 1484	2852	chrome.exe	43
PID 2852 wrote to memory of 1484	2852	chrome.exe	43
PID 2852 wrote to memory of 2472	2852	chrome.exe	44
PID 2852 wrote to memory of 2472	2852	chrome.exe	44
PID 2852 wrote to memory of 2472	2852	chrome.exe	44
PID 2852 wrote to memory of 2472	2852	chrome.exe	44

C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\system32\cmd.exe
  "cmd" /c ipconfig /all
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:2308
- C:\Windows\system32\cmd.exe
  "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2516
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2356 -s 1128
  2⤵
  PID:2820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6909758,0x7fef6909768,0x7fef6909778
  2⤵
  PID:2724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1212 --field-trial-handle=1508,i,14009215341283302088,5603038644196493354,131072 /prefetch:2
  2⤵
  PID:836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1440 --field-trial-handle=1508,i,14009215341283302088,5603038644196493354,131072 /prefetch:8
  2⤵
  PID:1484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1520 --field-trial-handle=1508,i,14009215341283302088,5603038644196493354,131072 /prefetch:8
  2⤵
  PID:2472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2184 --field-trial-handle=1508,i,14009215341283302088,5603038644196493354,131072 /prefetch:1
  2⤵
  PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2196 --field-trial-handle=1508,i,14009215341283302088,5603038644196493354,131072 /prefetch:1
  2⤵
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2416 --field-trial-handle=1508,i,14009215341283302088,5603038644196493354,131072 /prefetch:2
  2⤵
  PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3256 --field-trial-handle=1508,i,14009215341283302088,5603038644196493354,131072 /prefetch:1
  2⤵
  PID:1036
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:2492
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13fbe7688,0x13fbe7698,0x13fbe76a8
    3⤵
    PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3640 --field-trial-handle=1508,i,14009215341283302088,5603038644196493354,131072 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2632 --field-trial-handle=1508,i,14009215341283302088,5603038644196493354,131072 /prefetch:8
  2⤵
  PID:1948

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1236

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:916
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:916 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce5e444606208861f5e8ebcdb854b41f

SHA1
cf6d787872916fda9e03353b23561df9b8c7d71c

SHA256
28fbbdaad6a16fa906f213cd0e7bc7153ffe4f2a639abf94fe58d320ea24ebe5

SHA512
2c417d8a59269f0975a337c2ca000cbce6f611d4f25d2f1a375f2a6286525901f32e5445389cfc4086ecc76ef00fa636df9adca51437ce325af4869587377f06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
033bfee9c3baa5c6451b5d49636e10ae

SHA1
c9b59ff48ed16ac8510b3d94829d97706201747d

SHA256
2aca04f9631eaf8da010ce18e10d642f11ef7f85c23395578c04ab08c356be20

SHA512
feaaef5a9a02550589d0e66dffaa5ed2e36db5c69384c5de9c21d8a8429a4f76e32ac0774975bae165ac9bd9b5489c11a886b02eecad13d6af251c8b9b1fa7b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0386bc198799ccdf52c90e643f4b791

SHA1
c92d9a05a7c04ff4956a0212ec7c82cf8d09692e

SHA256
01b703949f0251f1f997398a70f17370ad5fb28c38169eb6e3249f25d5179216

SHA512
4218a1a95c850043f41b2da66c9cefc0c22c5d72a68d1a6947bcf0c040638953408572aa35ce612303d622d6286508ec3d7f18164a82b40348ef380f0e136813

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6706f4ba97b60671a7849608c50730e4

SHA1
5fa951ee2ef4c5569db199a3af21ac6e764a219b

SHA256
5fc34e5f328a638bd26d33944b93023e812adcc9f9061205f34bba1fb0246314

SHA512
457362038cad159ed72c8e64bf1d23df736fd75d1664a9c8387590d20c82ed3ed7ff806eefde39f6a2d851b39096ec5e42406743b10ccca8203a07b8c98f9468

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2d3e26be6c73652ea99cfd34d94be0c

SHA1
b40950edec5ff47211bf05f3437f0b82d18a8303

SHA256
bf96f01746c291ff1543fe7f164fd50ad078a149736520844914a182a0f9b683

SHA512
1ca3a005b434665106bb3ca49b7f7a8741b3915565ef8400011865c8b881b0d7648f0058d0037f585c7021fbb84b3380422c590067cac880af645fc423b0f381

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56dab47d817e3e2030079c0d626d9233

SHA1
1779b5fdd903199b387d5b9ffcbd123f4c2d3607

SHA256
8d602bf3caba461a34245940e1807b39ab0ea164cce8066c705ace4a5fd0927f

SHA512
e0263bbe2429c4da9797a8b47860cf32908dd40f9ad0edfbe014b1fd97bb50cddcc03237e1d0bd0da60edbf09510b4b486e0d239f0b7f82e829a5752d823b826

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e4fcc7a7eb78a22fc00e05a19be3130

SHA1
f72f8006acefb68fa81ac72b041609ec9cdfcce8

SHA256
c12f11cb9e89591879f6198f82b25a72dc97a2d98bc96b02ae649de6d814bafb

SHA512
ccb6dc1ba8b9dffed52c8cce265cf029f3f93790640951b1e72d0b1f02f310101d579736cf1f8ecd81d2f0fda62046855d33ad176023fe8f1fc223adb31b37c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c4429431547910053bc51d4e7b08eb3

SHA1
8b20dab9df083565ae346eb0af1565c0f47dcc8b

SHA256
4b4c5be14fe0ac6275ce2f5346c0e1efbb682a20bca72064cec443ca3a8f0e77

SHA512
eb3df6d109591d88549673c673c8fb1f4de781de4f0588cfbec1a351dc3ec09a4537e58d973c87273ce5f79355c84ceb43eb3be2e412fc9ffe7d7a460639dfe1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df35d23f67c597911fb54c3f818288c4

SHA1
422f84c936644b550e11b293a13591edabfd3086

SHA256
aedb09f490bc92e57f15d4be870fad86fbb7b117ca40735f6c5764d647670c53

SHA512
d3e9955c3c31181807bc15630544a2f4c4db0696d21183be951749e36caa8bf566aa15a52bdf0cfd156d2ab26db5a47124caebee0446e19b3a49e983a851ac15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
30ec9354f9b061d206844c3d060bdd80

SHA1
fc5446de8b0b2abbdb25f6e1695fb08facdaaee5

SHA256
7a43139c1f9ebb06da8d7294985c700a964393ac08ad2a4d7de4700a3a1ac66b

SHA512
8200df68a35fa7fdf9de2d436cbbb98a956aa4e5cab83056874f635b211011f73723fbb19da327d05b1eddab6f6d80d8e1202d63507346f3d86f036f928472f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3de7cdf33658501dc466b3cf5ca324e

SHA1
fa5040c2113a95b6bb5158edfefd39428dfcff74

SHA256
8d0bc68c6d64012650a5968ede21e46f32d79053a0a2592ec721e5fec58c6b80

SHA512
9d19eb8701ab0f9b6eebd69c71d1364761d15dc163c0fb3e08d702d1c9fc1110500d563e7d1dc24f5d261f6ca695f6fefc8b07baac6adc94416a6764f22ab29d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa339ef53ae2ee3a3e46ea6b10d067d4

SHA1
58bc22e085aa11f31999f6e5e95d77faea57859d

SHA256
e23d6d7c17b90fb4d806f01d0eefded80d3443b32a424af80f8f069b8dc3f220

SHA512
ca049bcc2b9a0d8043384e3bc8528041182cbf8748a4bacd376ad9c69c0698da35cbe85868d1660ef87a247813a6a67c9879b08ccf72c4cd51a9047844d91bd5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b6d9d6d3aa6da10925b8db2f63755d83

SHA1
49aca66d5197b96219a3535c97aacf3a2e108239

SHA256
1093434d524aa15c6fb4eb79be2a0f3ff227fac189f8f5acb7104be54e89eb20

SHA512
9f90cb56bb03c9b9f6e4a6b6398ede8052d5aca3efe474dffbe8de941cebf8edd6d704708aa4c767bebcd7bee614d325ab0706f02c12d315e4285389bc68a98c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed70856b19c86a811ab9645f51f86413

SHA1
d48720d97276ca1abd5d45575a3f8e417bbcbc7f

SHA256
ba34585ea9d36fe77590da0cad079706b757a7734610018ae639ebf3a2ae58b3

SHA512
7fe7a59272f7c8eb74711b58bf74dc8a3fa754cfa8ba4f64d35d02d0fb4a0f8f10ed2535b3a40ffe65c0c9244001f8253bfe53a54978cc39e7217b76d9dfb2a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9afae6f7b39b46cce5618ba13c2b154a

SHA1
7ea4887970b680301beea95202326237cffe6d43

SHA256
641b0ca572d0c789bcb2275af4e99a17e001ee05099acb1e2af671d0016f3be0

SHA512
802b33e77518553c26569a8c230b46077e049bd2d64cd7411ecdfee18b3cfa7b307bb219681615d70e6013cd5af357c30e7972e42eb8d806536cd98ae867bfd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4e1d4198abd309408243fd6ae8357b8

SHA1
ca5d359745499a99f9860502516300538b57401f

SHA256
ffc602bd2416a287e633cead9ea50b89d46600a2f5c1395b818c52447c2b1df7

SHA512
55f2337457097b501c94c31fe7bea9d84e620feda2b41fbbf0da056450a670fef2e5b5012c9666896d02e94706bf2ca05641c2d26575f08911dc6360ff8b9e1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6e3aaf29c784979a47694ef09c7fb05

SHA1
93fd62ceaa5c6f20d6b377eb7f1f6680e8dbb282

SHA256
097f8f6775fe85f875992db8f20d49997e216360b2b8fc288fb18f8648ea1413

SHA512
80125d6b2755311af8b998841cf67a28e2db644f353739ecd863eb1b6e189c979dd21b55a7b714c81b68be0c541801bb32288ef8f50b3daa09589f8607328024

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fdf3b732f14f8dd8d027e218c28fc92b

SHA1
207bd9408dee776d215199387fda9932f39e9f28

SHA256
8094325fbadf21e5d69841a99681efad93404832f46979d2da58cdfed6dcdbe8

SHA512
4194533741103cb21cae574598eac0864a1f58dacbc6ff5afc04e94214f59a4342dd57c7dff0b0aca2239fdfc5169cfa011145f8b58b4a435bdc1dfc3c7436f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9993b0686452fff7e998786be88a82b6

SHA1
1e822206b8b2b789550b086755b53f4609f4124d

SHA256
ff7bc84acd4a10677c20796c05d5284c43b8a41e397f91c55a8aed11748ead7a

SHA512
a8736e7820b61fdaac40e0d52d69c22b8c315036dc93f14d7407789fd90e9502653c781d065e1c6e5bec4cc54f2d9b8e7cc00b97740edc63e481cfa8c22889b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
c0ff8bb6c4510686576dd6481bdcae92

SHA1
591c2b1bbb0fadcce940a7db6f3113b750bcef19

SHA256
e176331e61479c0d4507624d0849e2543e4bb0abfa7b04d82e8de3b1669bab0e

SHA512
293c08ce1b8bca620f7b1194c3a462e14ff80736857a571edea2b106d842ee6d615bb31d1bc27b16aae14de510adf3ea290e428e891b453117f4e974705ad94a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
88c6d0f268a31885ac6c076793074509

SHA1
75161c2a2a0736cdbf84fa5cc3add41079580f22

SHA256
7d1f9472519ad908fa66befdf158a4340d14dd9b1bbc6c312bd69f12d922b03d

SHA512
1fda312639bb98e42edbc8e6dcc770dd49340fa8577a5d88bdafb37869e0524c4347a767b1dfcb3e254f3743d8222c0924bc36c92f51a87e7ab8d84650fa22f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
12138bfe49c39c386fbee90e883f79b8

SHA1
721465088880a4ece904d07c8cfabfa129b6fa9b

SHA256
a69e591d2f9f248c24bcdbb2684d82673d3ad9f9206984e3ae096acfe2a23f2d

SHA512
8a87a003840308126be4d16e15319ed21d6568405591ca40fa2522e60e15cf01f067e45b9e32c9c048e1844226cdc061c578d057827005452b7e328498d476f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
a605d6af560dbec31463993d67089959

SHA1
d7c58a962d1034d7234b8d386e87472231a98f6b

SHA256
2b0718a2f2cb8ace3780a586b24d126efc081b78697cd9b9bb1e2934f53e280d

SHA512
0829fb65dc60e5696d4838f4b17db09abade5ea595debd0c09e55800001891974a241404985525bf955eeae668224cd8e24009d763defcc640747bcacaaa65a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
330KB

MD5
efff3d9974948c74443d9cacf4b0f5e9

SHA1
73f26fc17ff3e4c21e4e2a98f05f23c8072b1ef9

SHA256
e7443935d96175b142263a9336064902fca92c32b01e037b62d04efc148cbe51

SHA512
bf7aff966dee0e296d01db3995779b39aa3c32fe48adbc487e35bee13566104accc10209f911edcd6371391d4bffa9709f15f978d857221fddae32249b1542f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4FB9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar543E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2356-0-0x000007FEF5B63000-0x000007FEF5B64000-memory.dmp

Filesize
4KB

Download
memory/2356-4-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/2356-3-0x000007FEF5B63000-0x000007FEF5B64000-memory.dmp

Filesize
4KB

Download
memory/2356-2-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/2356-1-0x0000000000C70000-0x0000000000D3E000-memory.dmp

Filesize
824KB

Download