hxxps://github[.]com

max time kernel
267s
max time network
260s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2022 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ChromeRecovery.exe

pid process

3780 ChromeRecovery.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
3780	ChromeRecovery.exe

Drops file in Program Files directory 7 IoCs

Processes:

elevation_service.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2904_487303448\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2904_487303448\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2904_487303448\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2904_487303448\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2904_487303448\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2904_487303448\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2904_487303448\ChromeRecoveryCRX.crx	elevation_service.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5072 4052 WerFault.exe

pid	pid_target	process	target process
5072	4052	WerFault.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exetaskmgr.exechrome.exechrome.exechrome.exetaskmgr.exe

pid	process
3736	chrome.exe
3736	chrome.exe
1088	chrome.exe
1088	chrome.exe
3376	chrome.exe
3376	chrome.exe
5072	chrome.exe
5072	chrome.exe
3972	chrome.exe
3972	chrome.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
4464	chrome.exe
4464	chrome.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
3204	chrome.exe
3204	chrome.exe
4052	chrome.exe
4052	chrome.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

3704 taskmgr.exe

pid	process
3704	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

chrome.exe

pid	process
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

taskmgr.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	772	taskmgr.exe
Token: SeSystemProfilePrivilege	772	taskmgr.exe
Token: SeCreateGlobalPrivilege	772	taskmgr.exe
Token: 33	772	taskmgr.exe
Token: SeIncBasePriorityPrivilege	772	taskmgr.exe
Token: SeDebugPrivilege	3704	taskmgr.exe
Token: SeSystemProfilePrivilege	3704	taskmgr.exe
Token: SeCreateGlobalPrivilege	3704	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exetaskmgr.exe

pid	process
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
772	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1088 wrote to memory of 1884	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 1884	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 2204	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 3736	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 3736	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 884	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 884	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 884	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 884	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 884	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 884	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 884	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 884	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 884	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 884	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 884	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 884	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 884	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 884	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 884	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 884	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 884	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 884	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 884	1088	chrome.exe	chrome.exe
PID 1088 wrote to memory of 884	1088	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://github.com
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f47e4f50,0x7ff8f47e4f60,0x7ff8f47e4f70
2⤵
PID:1884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1700 /prefetch:2
2⤵
PID:2204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2020 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2312 /prefetch:8
2⤵
PID:884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3040 /prefetch:1
2⤵
PID:4264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3064 /prefetch:1
2⤵
PID:1400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4316 /prefetch:8
2⤵
PID:2516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4352 /prefetch:8
2⤵
PID:4456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4484 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4952 /prefetch:8
2⤵
PID:4452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5080 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5116 /prefetch:8
2⤵
PID:5084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3692 /prefetch:8
2⤵
PID:4428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5100 /prefetch:8
2⤵
PID:624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
2⤵
PID:4512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
2⤵
PID:2208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2760 /prefetch:1
2⤵
PID:2920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5080 /prefetch:8
2⤵
PID:2640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5680 /prefetch:8
2⤵
PID:2524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
2⤵
PID:4752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5736 /prefetch:8
2⤵
PID:2916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5984 /prefetch:8
2⤵
PID:2428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
2⤵
PID:2352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3176 /prefetch:8
2⤵
PID:728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4632 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
2⤵
PID:4376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1584 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5056 /prefetch:8
2⤵
PID:4836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3328 /prefetch:8
2⤵
PID:4236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
2⤵
PID:4204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3340 /prefetch:2
2⤵
PID:3960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
2⤵
PID:4648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3564 /prefetch:8
2⤵
PID:4448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3084 /prefetch:1
2⤵
PID:1800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4420 /prefetch:8
2⤵
PID:4320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4440 /prefetch:8
2⤵
PID:2144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2576 /prefetch:8
2⤵
PID:4412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5276 /prefetch:8
2⤵
PID:4992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 /prefetch:8
2⤵
PID:3668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1672,16311859653285931373,9060063517392776065,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3596 /prefetch:8
2⤵
PID:3500

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2936

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:772

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 4052 -ip 4052
1⤵
PID:1048

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4052 -s 836
1⤵
- Program crash
PID:5072

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:3704

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:2904

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2904_487303448\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2904_487303448\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={7f6c82bb-1f51-4441-8e34-de5e0c2d3c83} --system
2⤵
- Executes dropped EXE
PID:3780

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1580

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2904_487303448\ChromeRecovery.exe
Filesize
253KB

MD5
49ac3c96d270702a27b4895e4ce1f42a

SHA1
55b90405f1e1b72143c64113e8bc65608dd3fd76

SHA256
82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f

SHA512
b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3
Filesize
141KB

MD5
ea1c1ffd3ea54d1fb117bfdbb3569c60

SHA1
10958b0f690ae8f5240e1528b1ccffff28a33272

SHA256
7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d

SHA512
6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
28KB

MD5
3c7d1577e1db0550e34c06c965eb0f92

SHA1
7ae19b08d7f956545fa64d4b23b57d971c8c9085

SHA256
2d220ee69f2e8ccfaa955108dd0063f05e81dba6c9bd1b9dce6dd08ae368f4ee

SHA512
0bbd7aa02754c26412656db396a0ea9a642cdd09543e6fbdccc06da5b87b3c6bed0da9e5996bc201f22d7198cc357547c455dd313ed123438759bf2851640fe7

Download Submit
\??\c:\program files\google\chrome\chromerecovery\scoped_dir2904_487303448\chromerecovery.exe
Filesize
253KB

MD5
49ac3c96d270702a27b4895e4ce1f42a

SHA1
55b90405f1e1b72143c64113e8bc65608dd3fd76

SHA256
82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f

SHA512
b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

Download Submit
\??\pipe\crashpad_1088_ZSNIELXVQNEKUUUM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3780-139-0x0000000000000000-mapping.dmp

Download