55b724b10f4f48c2373d105e89de76bb546d9b5cb931656a5a41ed7a967971fb

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
22/09/2022, 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f7255bdbbdf380d4733bb33bc1e78293542af39.ps1
Size

1KB
MD5

de291b02c240f0a88e8f9f8dae3c6fe1
SHA1

6f7255bdbbdf380d4733bb33bc1e78293542af39
SHA256

55b724b10f4f48c2373d105e89de76bb546d9b5cb931656a5a41ed7a967971fb
SHA512

35d8093cd31706237d62c0cbd920f61afd9b353e94e014eb690748a2cb450a614abb75e29c53894aeebb6e71e0276e3a5015fb4e19290f2014c09ad609332728

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
8	4372	powershell.exe
16	4372	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1616	ChromeRecovery.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3884_1174936809\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3884_1174936809\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3884_1174936809\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3884_1174936809\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3884_1174936809\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3884_1174936809\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3884_1174936809\ChromeRecoveryCRX.crx	elevation_service.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
4372	powershell.exe
4372	powershell.exe
4372	powershell.exe
5064	chrome.exe
5064	chrome.exe
3688	chrome.exe
3688	chrome.exe
1528	chrome.exe
1528	chrome.exe
4424	chrome.exe
4424	chrome.exe
2880	chrome.exe
2880	chrome.exe
3812	chrome.exe
3812	chrome.exe
1248	chrome.exe
1248	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4372	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4372	powershell.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4372	powershell.exe
4372	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4372 wrote to memory of 2012	4372	powershell.exe	85
PID 4372 wrote to memory of 2012	4372	powershell.exe	85
PID 2012 wrote to memory of 2420	2012	csc.exe	87
PID 2012 wrote to memory of 2420	2012	csc.exe	87
PID 4372 wrote to memory of 3688	4372	powershell.exe	91
PID 4372 wrote to memory of 3688	4372	powershell.exe	91
PID 3688 wrote to memory of 3208	3688	chrome.exe	92
PID 3688 wrote to memory of 3208	3688	chrome.exe	92
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 1840	3688	chrome.exe	95
PID 3688 wrote to memory of 5064	3688	chrome.exe	96
PID 3688 wrote to memory of 5064	3688	chrome.exe	96
PID 3688 wrote to memory of 3036	3688	chrome.exe	97
PID 3688 wrote to memory of 3036	3688	chrome.exe	97
PID 3688 wrote to memory of 3036	3688	chrome.exe	97
PID 3688 wrote to memory of 3036	3688	chrome.exe	97
PID 3688 wrote to memory of 3036	3688	chrome.exe	97
PID 3688 wrote to memory of 3036	3688	chrome.exe	97
PID 3688 wrote to memory of 3036	3688	chrome.exe	97
PID 3688 wrote to memory of 3036	3688	chrome.exe	97
PID 3688 wrote to memory of 3036	3688	chrome.exe	97
PID 3688 wrote to memory of 3036	3688	chrome.exe	97
PID 3688 wrote to memory of 3036	3688	chrome.exe	97
PID 3688 wrote to memory of 3036	3688	chrome.exe	97
PID 3688 wrote to memory of 3036	3688	chrome.exe	97
PID 3688 wrote to memory of 3036	3688	chrome.exe	97

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\6f7255bdbbdf380d4733bb33bc1e78293542af39.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4372
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wb1u1qfz\wb1u1qfz.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEBDC.tmp" "c:\Users\Admin\AppData\Local\Temp\wb1u1qfz\CSCB0F4A9A44C2D4D15863687F8F49CE035.TMP"
    3⤵
    PID:2420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=C:\Users\Admin\AppData\Local\chrome_zoom --restore-last-session --noerrdialogs --disable-session-crashed-bubble
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed3d04f50,0x7ffed3d04f60,0x7ffed3d04f70
    3⤵
    PID:3208
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1656,18106582318921735479,8784037537571572852,131072 --noerrdialogs --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1704 /prefetch:2
    3⤵
    PID:1840
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1656,18106582318921735479,8784037537571572852,131072 --lang=en-US --service-sandbox-type=network --noerrdialogs --mojo-platform-channel-handle=2020 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5064
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1656,18106582318921735479,8784037537571572852,131072 --lang=en-US --service-sandbox-type=utility --noerrdialogs --mojo-platform-channel-handle=2308 /prefetch:8
    3⤵
    PID:3036
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,18106582318921735479,8784037537571572852,131072 --lang=en-US --noerrdialogs --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3016 /prefetch:1
    3⤵
    PID:2468
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,18106582318921735479,8784037537571572852,131072 --lang=en-US --noerrdialogs --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
    3⤵
    PID:3356
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,18106582318921735479,8784037537571572852,131072 --disable-gpu-compositing --lang=en-US --noerrdialogs --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1
    3⤵
    PID:3064
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,18106582318921735479,8784037537571572852,131072 --lang=en-US --service-sandbox-type=utility --noerrdialogs --mojo-platform-channel-handle=4308 /prefetch:8
    3⤵
    PID:4556
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,18106582318921735479,8784037537571572852,131072 --lang=en-US --service-sandbox-type=none --noerrdialogs --mojo-platform-channel-handle=4692 /prefetch:8
    3⤵
    PID:5072
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,18106582318921735479,8784037537571572852,131072 --lang=en-US --service-sandbox-type=utility --noerrdialogs --mojo-platform-channel-handle=5624 /prefetch:8
    3⤵
    PID:4916
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,18106582318921735479,8784037537571572852,131072 --lang=en-US --service-sandbox-type=none --noerrdialogs --mojo-platform-channel-handle=5536 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1528
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,18106582318921735479,8784037537571572852,131072 --lang=en-US --service-sandbox-type=utility --noerrdialogs --mojo-platform-channel-handle=5232 /prefetch:8
    3⤵
    PID:920
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,18106582318921735479,8784037537571572852,131072 --lang=en-US --service-sandbox-type=utility --noerrdialogs --mojo-platform-channel-handle=5020 /prefetch:8
    3⤵
    PID:1252
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,18106582318921735479,8784037537571572852,131072 --lang=en-US --service-sandbox-type=utility --noerrdialogs --mojo-platform-channel-handle=5448 /prefetch:8
    3⤵
    PID:2420
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,18106582318921735479,8784037537571572852,131072 --disable-gpu-compositing --lang=en-US --noerrdialogs --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
    3⤵
    PID:4664
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,18106582318921735479,8784037537571572852,131072 --disable-gpu-compositing --lang=en-US --noerrdialogs --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
    3⤵
    PID:1540
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,18106582318921735479,8784037537571572852,131072 --lang=en-US --service-sandbox-type=none --noerrdialogs --mojo-platform-channel-handle=6004 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4424
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,18106582318921735479,8784037537571572852,131072 --lang=en-US --service-sandbox-type=none --noerrdialogs --mojo-platform-channel-handle=4056 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2880
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,18106582318921735479,8784037537571572852,131072 --lang=en-US --service-sandbox-type=utility --noerrdialogs --mojo-platform-channel-handle=5324 /prefetch:8
    3⤵
    PID:3136
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,18106582318921735479,8784037537571572852,131072 --lang=en-US --service-sandbox-type=none --noerrdialogs --mojo-platform-channel-handle=5844 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3812
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,18106582318921735479,8784037537571572852,131072 --disable-gpu-compositing --lang=en-US --noerrdialogs --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
    3⤵
    PID:4068
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,18106582318921735479,8784037537571572852,131072 --lang=en-US --service-sandbox-type=utility --noerrdialogs --mojo-platform-channel-handle=5888 /prefetch:8
    3⤵
    PID:760
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,18106582318921735479,8784037537571572852,131072 --lang=en-US --service-sandbox-type=none --noerrdialogs --mojo-platform-channel-handle=1028 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1248
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,18106582318921735479,8784037537571572852,131072 --lang=en-US --service-sandbox-type=utility --noerrdialogs --mojo-platform-channel-handle=4184 /prefetch:8
    3⤵
    PID:4332
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,18106582318921735479,8784037537571572852,131072 --disable-gpu-compositing --lang=en-US --noerrdialogs --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
    3⤵
    PID:4708
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1656,18106582318921735479,8784037537571572852,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --noerrdialogs --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4408 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3484

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:3884
- C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3884_1174936809\ChromeRecovery.exe
  "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3884_1174936809\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={059b1653-be82-4e00-931b-9e19af9215c5} --system
  2⤵
  - Executes dropped EXE
  PID:1616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3884_1174936809\ChromeRecovery.exe

Filesize
253KB

MD5
49ac3c96d270702a27b4895e4ce1f42a

SHA1
55b90405f1e1b72143c64113e8bc65608dd3fd76

SHA256
82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f

SHA512
b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3

Filesize
141KB

MD5
ea1c1ffd3ea54d1fb117bfdbb3569c60

SHA1
10958b0f690ae8f5240e1528b1ccffff28a33272

SHA256
7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d

SHA512
6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEBDC.tmp

Filesize
1KB

MD5
99d37db73575a9cf8a43c4390cf00f49

SHA1
e613bc7845fac6154659697b9356d9edb93e3692

SHA256
a7f30b6a58dc809fc93e9abaa5365cf2a551406fd65ea50139272e5dbd7b57cc

SHA512
432aa3fa52e9b47dd77e31d89f45c74e1dd864179727ad2051a20e9974105a53980b34c15a58406da88ae815cb9ea687be19a7de56b5acca7924b0925bb5d289

Download Submit
C:\Users\Admin\AppData\Local\Temp\wb1u1qfz\wb1u1qfz.dll

Filesize
27KB

MD5
237da003fcc84fc1ce642e43fee0d361

SHA1
8d40c73799d6becba2d75c6afec0ac8a020094c5

SHA256
eae75902295ecb1154a791d47b62ed55de127f99a0d4f15a8b7b4897c0e4e9c6

SHA512
307820cee7d0bac400796d2615a022c3cb48cdb123ae848e5ffd47f1e1389b15323886b98d68d5f3fdcd1e3be3c85154df202114e8d66e8990b1d703ffdb484a

Download Submit
C:\Users\Admin\AppData\Local\chrome_zoom\background.js

Filesize
25KB

MD5
5336342817633f87bca548f1f6778b94

SHA1
52b546f6e479de7814193bed27d21d3ea21e7c74

SHA256
aea140b8527ff6a0f784e7dbd4b3e5a2c50215cc4e811f946de7d5bdd8158dfb

SHA512
91fdfac3bc5e7309f8977ff06a89af88ddc4593eb4057a7818679feca5841c3b70bef81835859cbce17a5d8141986bd7af0f7dc2edeef0266c6944d378b0d5bd

Download Submit
C:\Users\Admin\AppData\Local\chrome_zoom\manifest.json

Filesize
639B

MD5
3377dcc935a1bec4b45d3421f0b268a4

SHA1
c60ec694fbaba1a40c402a68c592d21fb7da5166

SHA256
178e23774ed9a5b2bd34589b654f6a585117713e7b674b3346116cbf5429be3c

SHA512
b6a9628a523d0f204dd217c33e576a7aca8644c96bbe82f6b397e8c1a766274a293b68510c469f4aa52aae053f790f24d072edd5b350d4e04e3604bcf5c78ae2

Download Submit
C:\Users\Admin\AppData\Local\chrome_zoom\paper.png

Filesize
3KB

MD5
4e46ad8737dd28215f3c478ee8b01dc0

SHA1
c24e5d85c05e57900ee01e784a76b5eaff84e307

SHA256
5899f805cbb22f72960b222a7a19ae94aaec61de8f638d003fbd54f62e87c5ed

SHA512
f67703233356eb3962e614fe5c3144bef630475a1d52c94fa5c68d9fcdd4328503697907e48e98ac5e3f82234235c4d4beafb5199179f1a46b847665b83bfcfb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wb1u1qfz\CSCB0F4A9A44C2D4D15863687F8F49CE035.TMP

Filesize
652B

MD5
fa1b2ae379bbcda7793e347da3fba2c3

SHA1
8d6802b61968d1ef7ec456bcad1ed08c550f4baa

SHA256
d0b28730f3bbe572d0a1c56fc24f85897113c619aa3de7c06d98fa85778e44a1

SHA512
b2f1bae5902c13807a0be4e2a7746f5060dc1f8823187a993d08ea9d3d119d28abbd06952ef106a1c779214eabf2363def089b3bb5f7970edfecf93bed857ab3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wb1u1qfz\wb1u1qfz.0.cs

Filesize
40KB

MD5
5a53e0d66f8497d34f1ebd8803ccaeda

SHA1
fa3c47ff33e3f78ac9a877cb1e99eb58c41428fc

SHA256
49c324e4b9063febd53cbb912ba128b7bd4584e37a852cf8f07862fe4b7df483

SHA512
ed79d64c6b145ace34260e08a4452f4f6488c1901f622808723755bc0716665b8ecbf869c10268355389337e81751c6c2e59a2a72ccf395dca872fced183808a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wb1u1qfz\wb1u1qfz.cmdline

Filesize
798B

MD5
b5c1cf284b8b49f163638e36cf94977e

SHA1
a5506c594360a9c69377d7a398dbf31241a3aee9

SHA256
d01bc009027b1fdd04dbe88e6198f7bc594dd64511d7b78030e8cb2dc78c8d5f

SHA512
27753d9ea242b1dc00071ee2ca8f3713eb5f29e332d682effb20ed5c0d900f77a4417600b4788fc9893469792ad65f7e5d7c44dee47849192728c7513638992b

Download Submit
memory/4372-144-0x0000020E7CB30000-0x0000020E7CB42000-memory.dmp

Filesize
72KB

Download
memory/4372-146-0x00007FFED97F0000-0x00007FFEDA2B1000-memory.dmp

Filesize
10.8MB

Download
memory/4372-145-0x0000020E7C9A0000-0x0000020E7C9AA000-memory.dmp

Filesize
40KB

Download
memory/4372-150-0x0000020E7CF10000-0x0000020E7CF2E000-memory.dmp

Filesize
120KB

Download
memory/4372-132-0x0000020E7BCC0000-0x0000020E7BCE2000-memory.dmp

Filesize
136KB

Download
memory/4372-136-0x0000020E7CD70000-0x0000020E7CDE6000-memory.dmp

Filesize
472KB

Download
memory/4372-135-0x0000020E7D2A0000-0x0000020E7D7C8000-memory.dmp

Filesize
5.2MB

Download
memory/4372-134-0x0000020E7CBA0000-0x0000020E7CD62000-memory.dmp

Filesize
1.8MB

Download
memory/4372-133-0x00007FFED97F0000-0x00007FFEDA2B1000-memory.dmp

Filesize
10.8MB

Download