hxxp://melbet[.]com

max time kernel
75s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
05/03/2025, 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://melbet.com

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{332C49D1-F9EB-11EF-B66C-7E31667997D6} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2084	ehshell.exe
2216	chrome.exe
2216	chrome.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	2084	ehshell.exe
Token: 33	2000	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2000	AUDIODG.EXE
Token: 33	2000	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2000	AUDIODG.EXE
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe
Token: SeShutdownPrivilege	2216	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2484	iexplore.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe
2216	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2484	iexplore.exe
2484	iexplore.exe
2888	IEXPLORE.EXE
2888	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 2484	2052	explorer.exe	30
PID 2052 wrote to memory of 2484	2052	explorer.exe	30
PID 2052 wrote to memory of 2484	2052	explorer.exe	30
PID 2484 wrote to memory of 2888	2484	iexplore.exe	31
PID 2484 wrote to memory of 2888	2484	iexplore.exe	31
PID 2484 wrote to memory of 2888	2484	iexplore.exe	31
PID 2484 wrote to memory of 2888	2484	iexplore.exe	31
PID 2216 wrote to memory of 2536	2216	chrome.exe	37
PID 2216 wrote to memory of 2536	2216	chrome.exe	37
PID 2216 wrote to memory of 2536	2216	chrome.exe	37
PID 2216 wrote to memory of 1536	2216	chrome.exe	39
PID 2216 wrote to memory of 1536	2216	chrome.exe	39
PID 2216 wrote to memory of 1536	2216	chrome.exe	39
PID 2216 wrote to memory of 1536	2216	chrome.exe	39
PID 2216 wrote to memory of 1536	2216	chrome.exe	39
PID 2216 wrote to memory of 1536	2216	chrome.exe	39
PID 2216 wrote to memory of 1536	2216	chrome.exe	39
PID 2216 wrote to memory of 1536	2216	chrome.exe	39
PID 2216 wrote to memory of 1536	2216	chrome.exe	39
PID 2216 wrote to memory of 1536	2216	chrome.exe	39
PID 2216 wrote to memory of 1536	2216	chrome.exe	39
PID 2216 wrote to memory of 1536	2216	chrome.exe	39
PID 2216 wrote to memory of 1536	2216	chrome.exe	39
PID 2216 wrote to memory of 1536	2216	chrome.exe	39
PID 2216 wrote to memory of 1536	2216	chrome.exe	39
PID 2216 wrote to memory of 1536	2216	chrome.exe	39
PID 2216 wrote to memory of 1536	2216	chrome.exe	39
PID 2216 wrote to memory of 1536	2216	chrome.exe	39
PID 2216 wrote to memory of 1536	2216	chrome.exe	39
PID 2216 wrote to memory of 1536	2216	chrome.exe	39
PID 2216 wrote to memory of 1536	2216	chrome.exe	39
PID 2216 wrote to memory of 1536	2216	chrome.exe	39
PID 2216 wrote to memory of 1536	2216	chrome.exe	39
PID 2216 wrote to memory of 1536	2216	chrome.exe	39
PID 2216 wrote to memory of 1536	2216	chrome.exe	39
PID 2216 wrote to memory of 1536	2216	chrome.exe	39
PID 2216 wrote to memory of 1536	2216	chrome.exe	39
PID 2216 wrote to memory of 1536	2216	chrome.exe	39
PID 2216 wrote to memory of 1536	2216	chrome.exe	39
PID 2216 wrote to memory of 1536	2216	chrome.exe	39
PID 2216 wrote to memory of 1536	2216	chrome.exe	39
PID 2216 wrote to memory of 1536	2216	chrome.exe	39
PID 2216 wrote to memory of 1536	2216	chrome.exe	39
PID 2216 wrote to memory of 1536	2216	chrome.exe	39
PID 2216 wrote to memory of 1536	2216	chrome.exe	39
PID 2216 wrote to memory of 1536	2216	chrome.exe	39
PID 2216 wrote to memory of 1536	2216	chrome.exe	39
PID 2216 wrote to memory of 1536	2216	chrome.exe	39
PID 2216 wrote to memory of 1536	2216	chrome.exe	39
PID 2216 wrote to memory of 1604	2216	chrome.exe	40
PID 2216 wrote to memory of 1604	2216	chrome.exe	40
PID 2216 wrote to memory of 1604	2216	chrome.exe	40
PID 2216 wrote to memory of 2468	2216	chrome.exe	41
PID 2216 wrote to memory of 2468	2216	chrome.exe	41
PID 2216 wrote to memory of 2468	2216	chrome.exe	41
PID 2216 wrote to memory of 2468	2216	chrome.exe	41
PID 2216 wrote to memory of 2468	2216	chrome.exe	41
PID 2216 wrote to memory of 2468	2216	chrome.exe	41
PID 2216 wrote to memory of 2468	2216	chrome.exe	41
PID 2216 wrote to memory of 2468	2216	chrome.exe	41
PID 2216 wrote to memory of 2468	2216	chrome.exe	41
PID 2216 wrote to memory of 2468	2216	chrome.exe	41
PID 2216 wrote to memory of 2468	2216	chrome.exe	41
PID 2216 wrote to memory of 2468	2216	chrome.exe	41

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\explorer.exe
explorer http://melbet.com
1⤵
PID:324

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://melbet.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2484 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2888

C:\Windows\eHome\ehshell.exe
"C:\Windows\eHome\ehshell.exe" /prefetch:1003 "C:\Users\Admin\Desktop\DismountLock.DVR"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5c0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Program Files\Windows Mail\wab.exe
"C:\Program Files\Windows Mail\wab.exe" /contact "C:\Users\Admin\Desktop\MoveEdit.contact"
1⤵
PID:1324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7c69758,0x7fef7c69768,0x7fef7c69778
  2⤵
  PID:2536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1168 --field-trial-handle=1244,i,934882951564624226,378225448964803581,131072 /prefetch:2
  2⤵
  PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1528 --field-trial-handle=1244,i,934882951564624226,378225448964803581,131072 /prefetch:8
  2⤵
  PID:1604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1572 --field-trial-handle=1244,i,934882951564624226,378225448964803581,131072 /prefetch:8
  2⤵
  PID:2468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2152 --field-trial-handle=1244,i,934882951564624226,378225448964803581,131072 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2184 --field-trial-handle=1244,i,934882951564624226,378225448964803581,131072 /prefetch:1
  2⤵
  PID:1972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1168 --field-trial-handle=1244,i,934882951564624226,378225448964803581,131072 /prefetch:2
  2⤵
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1416 --field-trial-handle=1244,i,934882951564624226,378225448964803581,131072 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3480 --field-trial-handle=1244,i,934882951564624226,378225448964803581,131072 /prefetch:8
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3600 --field-trial-handle=1244,i,934882951564624226,378225448964803581,131072 /prefetch:8
  2⤵
  PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3480 --field-trial-handle=1244,i,934882951564624226,378225448964803581,131072 /prefetch:8
  2⤵
  PID:1436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3768 --field-trial-handle=1244,i,934882951564624226,378225448964803581,131072 /prefetch:1
  2⤵
  PID:2096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=932 --field-trial-handle=1244,i,934882951564624226,378225448964803581,131072 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=576 --field-trial-handle=1244,i,934882951564624226,378225448964803581,131072 /prefetch:8
  2⤵
  PID:840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4100 --field-trial-handle=1244,i,934882951564624226,378225448964803581,131072 /prefetch:8
  2⤵
  PID:2084

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e58c09a5fca29512257d51a9c5cdeab

SHA1
934ea3faff177aaaf74e2c98976a77897a13673b

SHA256
725fb91d080b0d0e9c60178d131861cf3921031c63621113b87ac485d531e638

SHA512
ef90abf524c406a41fca3f343968d8a84577a7e5b565db233cd140c2969f22eae2bb2bbd6aadf5cbc4f947e3fdd7e651192754e77a1bfbf9d9e31f59f5205c85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
065763b8f891b05abd6df6f5974a406b

SHA1
bb14ce078fd21f38d96d9a7032b1702b3377c28f

SHA256
2101156bd015b9170b0bfeac89538a11b077ea537242d28bb02534d1b87c216d

SHA512
3840d8ce5b46f5e230ee8db53bec2322a79fff09a3824a3270a452af2109f908812da5f408c6b78d5877361ed751d0db35cea3abcb9f6b6b6ecb50aff8f9c7dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
a4f9ed37efd8faf4d77ec0b4c950b020

SHA1
661b2ccd791f4e2c8f8e725fb999414eed984d87

SHA256
71510e98ed900f623ff2c9e14bd74d2081427264939885a464b4d5feb677d7c6

SHA512
6adaebe3e378bbb8443a332309514ff0cc115ce144db47e27ceb3f4ae4e0bf1d948513a5dcda34dc4341bd145095164d494211549531e1c858694ce61085664f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
37970794ce2137057ea57f696b24a47d

SHA1
64286baaf6f9cef3cbbc07a8290c0d75ba48f36f

SHA256
e69654f95061da34ffc59b8e543331b7fc5b6581fbcc7c9a17d8457fa171f1c7

SHA512
c34ec5e1d2b1d409f278bae2e348d062a01665c9100ab7da49bcbd5f9dc260aeec5373fd816aaf3ba1b71ea302d00f799104fb8c47258ce66eed4fcc3e65487f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
840fb393b625bd58cf1f6d4f542b0007

SHA1
2bbdc8c6ecd9d094a1916ba874721dc95afbbf46

SHA256
753ef81dd2613a712ba17e24894418afec7d73547f75a6edcc7da9eb33db4ab4

SHA512
19ae1cf64bb80a959cd958f6ffe1d0866296889d8e1de0c028a31967f7b2ba3a8f752aaee1e19fd2b95bce679c32a59c4de6f4a30fa0b9fe72080efbc9b1044f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
50af4c6587b3e48ee675d2094d2e90c2

SHA1
ff6748eff676f1010192d20ef383c4096dde4d9e

SHA256
93f86d77d291c4f60637d060300a444095622a901b8e1643c1a2d18b12c2a90a

SHA512
490978dab50862d70a8e91188bf0cff35b65b03052ebbe4a22f997111f65938170264bdb1b1ce73b711b471e35df36823d9e0a5a7e9eb7b92c26f63a1c7255fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
45440af86ebce1d1addc538156bdec53

SHA1
ea24532e5f35f4a22e15e04a91ec92dc9fb28834

SHA256
bc432f7813790ee94e55a852a9f0e10bd212297a41b09441c2a53414aad92156

SHA512
3023b8aed78c39b3c0cf5630733ca63dc4fbf612800f76bb7f8202d532f45b7934cd8aa00bd0dd921bb03d0ad3d3e41b30437dabbb172c696d36e67da307f4fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d5b500075cfd878f8cf96fe685fda0c1

SHA1
fc463bad275aff80017a1db1b3dea94ac7618ff5

SHA256
5107d31f85b979c7c02486feba015fcdce46951243e4cd78919ee634ceb49f73

SHA512
f1cb5a9dbbe9017c2ae3163c0dcba1cfe0905f382ddf956bdd69e836205611386bd493141c9af6e506f9795f361c9f476ee842db15dcbc63733f9fb897327071

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
1f6865192d9a55dfe33d748cf6c332a8

SHA1
c0e39e5a6db571607b30c17e8b5bb946c394485e

SHA256
9de112a92e6d74cde583c7a4ffeebbfe5a303e5e1cf53ca31739a9694be7fd60

SHA512
30b807e65068ab47ca0cb9ca5b542c26e606203572d6182d3ee4cc6ad16e53d9c3832b06357a68f654b2b5b85e7ce254fd477cfccb7b236e43c2bce459db4f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6401.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar67CF.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
memory/2084-36-0x000000001DCD0000-0x000000001E2D8000-memory.dmp

Filesize
6.0MB

Download
memory/2084-42-0x000000001B000000-0x000000001B00A000-memory.dmp

Filesize
40KB

Download
memory/2084-43-0x000000001B000000-0x000000001B00A000-memory.dmp

Filesize
40KB

Download
memory/2084-41-0x000000001EE30000-0x000000001EE67000-memory.dmp

Filesize
220KB

Download
memory/2084-39-0x000000001ED70000-0x000000001EE28000-memory.dmp

Filesize
736KB

Download
memory/2084-38-0x000000001D3E0000-0x000000001D47E000-memory.dmp

Filesize
632KB

Download
memory/2084-37-0x000000001E2E0000-0x000000001E464000-memory.dmp

Filesize
1.5MB

Download