hxxp://4[.]204[.]233[.]44/dll

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
19/12/2022, 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://4.204.233.44/dll

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4880	ChromeRecovery.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1552_2126234759\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1552_2126234759\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1552_2126234759\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1552_2126234759\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1552_2126234759\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1552_2126234759\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1552_2126234759\manifest.json	elevation_service.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3704	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3384	chrome.exe
3384	chrome.exe
2240	chrome.exe
2240	chrome.exe
5116	chrome.exe
5116	chrome.exe
1568	chrome.exe
1568	chrome.exe
4020	chrome.exe
4020	chrome.exe
1704	chrome.exe
1704	chrome.exe
1060	chrome.exe
1060	chrome.exe
984	chrome.exe
984	chrome.exe
704	chrome.exe
704	chrome.exe
2656	chrome.exe
2656	chrome.exe
2164	chrome.exe
2164	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
176	chrome.exe
176	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3704	POWERPNT.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe
2240	chrome.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
3704	POWERPNT.EXE
3704	POWERPNT.EXE
3704	POWERPNT.EXE
3704	POWERPNT.EXE
3704	POWERPNT.EXE
3704	POWERPNT.EXE
3704	POWERPNT.EXE
3704	POWERPNT.EXE
3704	POWERPNT.EXE
3704	POWERPNT.EXE
3704	POWERPNT.EXE
3704	POWERPNT.EXE
3704	POWERPNT.EXE
3704	POWERPNT.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2264	2240	chrome.exe	82
PID 2240 wrote to memory of 2264	2240	chrome.exe	82
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 4752	2240	chrome.exe	85
PID 2240 wrote to memory of 3384	2240	chrome.exe	86
PID 2240 wrote to memory of 3384	2240	chrome.exe	86
PID 2240 wrote to memory of 4024	2240	chrome.exe	87
PID 2240 wrote to memory of 4024	2240	chrome.exe	87
PID 2240 wrote to memory of 4024	2240	chrome.exe	87
PID 2240 wrote to memory of 4024	2240	chrome.exe	87
PID 2240 wrote to memory of 4024	2240	chrome.exe	87
PID 2240 wrote to memory of 4024	2240	chrome.exe	87
PID 2240 wrote to memory of 4024	2240	chrome.exe	87
PID 2240 wrote to memory of 4024	2240	chrome.exe	87
PID 2240 wrote to memory of 4024	2240	chrome.exe	87
PID 2240 wrote to memory of 4024	2240	chrome.exe	87
PID 2240 wrote to memory of 4024	2240	chrome.exe	87
PID 2240 wrote to memory of 4024	2240	chrome.exe	87
PID 2240 wrote to memory of 4024	2240	chrome.exe	87
PID 2240 wrote to memory of 4024	2240	chrome.exe	87
PID 2240 wrote to memory of 4024	2240	chrome.exe	87
PID 2240 wrote to memory of 4024	2240	chrome.exe	87
PID 2240 wrote to memory of 4024	2240	chrome.exe	87
PID 2240 wrote to memory of 4024	2240	chrome.exe	87
PID 2240 wrote to memory of 4024	2240	chrome.exe	87
PID 2240 wrote to memory of 4024	2240	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" http://4.204.233.44/dll
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8719c4f50,0x7ff8719c4f60,0x7ff8719c4f70
  2⤵
  PID:2264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1592,12682281047612268645,8798633094589946861,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1600 /prefetch:2
  2⤵
  PID:4752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1592,12682281047612268645,8798633094589946861,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1984 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1592,12682281047612268645,8798633094589946861,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2288 /prefetch:8
  2⤵
  PID:4024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,12682281047612268645,8798633094589946861,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2916 /prefetch:1
  2⤵
  PID:3672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,12682281047612268645,8798633094589946861,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2936 /prefetch:1
  2⤵
  PID:1220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,12682281047612268645,8798633094589946861,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4252 /prefetch:8
  2⤵
  PID:3772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,12682281047612268645,8798633094589946861,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,12682281047612268645,8798633094589946861,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,12682281047612268645,8798633094589946861,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4856 /prefetch:8
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,12682281047612268645,8798633094589946861,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
  2⤵
  PID:2304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,12682281047612268645,8798633094589946861,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3616 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,12682281047612268645,8798633094589946861,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1592,12682281047612268645,8798633094589946861,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4396 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1592,12682281047612268645,8798633094589946861,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4856 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1592,12682281047612268645,8798633094589946861,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,12682281047612268645,8798633094589946861,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:704
- C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Downloads\Dll.ppam" /ou ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:3704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,12682281047612268645,8798633094589946861,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4316 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2656
- C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Downloads\NoStartUp.ppam" /ou ""
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,12682281047612268645,8798633094589946861,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3692 /prefetch:8
  2⤵
  PID:1192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,12682281047612268645,8798633094589946861,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2164
- C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Downloads\vbs_to_js.ppam" /ou ""
  2⤵
  PID:4108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,12682281047612268645,8798633094589946861,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4244 /prefetch:8
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,12682281047612268645,8798633094589946861,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4356 /prefetch:8
  2⤵
  PID:4476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1592,12682281047612268645,8798633094589946861,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4876 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,12682281047612268645,8798633094589946861,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3732 /prefetch:8
  2⤵
  PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,12682281047612268645,8798633094589946861,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3692 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2508

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:1552
- C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1552_2126234759\ChromeRecovery.exe
  "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1552_2126234759\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={be25b126-6723-4f24-a165-2bcc7aea3828} --system
  2⤵
  - Executes dropped EXE
  PID:4880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1552_2126234759\ChromeRecovery.exe

Filesize
253KB

MD5
49ac3c96d270702a27b4895e4ce1f42a

SHA1
55b90405f1e1b72143c64113e8bc65608dd3fd76

SHA256
82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f

SHA512
b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3

Filesize
141KB

MD5
ea1c1ffd3ea54d1fb117bfdbb3569c60

SHA1
10958b0f690ae8f5240e1528b1ccffff28a33272

SHA256
7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d

SHA512
6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\00C5C2A.tmp

Filesize
79B

MD5
d998aae6e3bd3cce9ab3dc8492b3272a

SHA1
7844227d669666603c2bbc8266cf9ca0da3d0d2a

SHA256
b9547457f9a8f749e8fc0fb93d4ba1b47d8c9629e459ed5a3e99d3f97f394b3f

SHA512
2dc847c74091000abe3be2c46f93441ae5e7c2bd4c1661597c97255d8c51925c420426eafcc861ead83d48ca6090b2e03d96d3cb8712ccc2cfba3966cba3a79f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B845A4.tmp

Filesize
79B

MD5
95000b809079b0d8d7e7a7488504697e

SHA1
a84e32f7d580593276b1d3d86267a682fb6db937

SHA256
94c6e9543e444b50fede2495b941f3f4a8d5d2eec81451d015b751fb1e0fc190

SHA512
5f039971cb37f816999558492eb6bcc5ae98cedcf3cb1b0cbdc18cffce55af34ac21ac295d7d71d43b2c6ff50b5251fdfb89dcc01d8321667450dad7dca13df2

Download Submit
C:\Users\Admin\Downloads\Dll.ppam

Filesize
12KB

MD5
ea4deb4109cb65380e6df8073b87f464

SHA1
fdd615b10302bc6560d42882e0aba430d97e60b3

SHA256
ee215474d4eb2f45be9b481ff71b8b40bb442d66e13055222f94214b9a3aa21d

SHA512
4576e958cced2eb8ff8223bc70f7de3a7022b2c6c765024ea9d31c816280e070de4db15281a5e5f574d2eafaa2992eddc75ea27968d86e58e483fd99b32d0cfb

Download Submit
C:\Users\Admin\Downloads\NoStartUp.ppam

Filesize
12KB

MD5
280e52c21c464acd4c26a2b230f62570

SHA1
68b13ff8539b6b94954e69eb97c1c8917e70f30a

SHA256
d4e555c398b35af11ff763f843dd4b3a5037aa6ee1cf4cd2ba5f283a0e059250

SHA512
9bafd9b901892543188f21f282758b3019520b97ad53689e6740cafe43844c1ab4b9e3e94f83bb45da9bf059ecb4fc36ecca6618cdec91ade4b8f068d6da7158

Download Submit
C:\Users\Admin\Downloads\vbs_to_js.ppam

Filesize
12KB

MD5
33deb7d42b83a92cc570f374a1079f68

SHA1
bbc2e4747fc2b36bdc5982d1cc5e84eb4554c367

SHA256
c10e5bd23449c500cae1d82e23b3f18475ac7bacd0d59b4664362ed0575c039e

SHA512
216a7ff93ed03b7393c135471f26435d96c9e08c2df85cf273fd5118d3f460b2e3fe31fefe44fc5d6035a22657c211f7aa0a69c5211a51c9399d3807ce85ef7e

Download Submit
memory/2232-153-0x00007FF84E110000-0x00007FF84E120000-memory.dmp

Filesize
64KB

Download
memory/2232-151-0x00007FF84E110000-0x00007FF84E120000-memory.dmp

Filesize
64KB

Download
memory/2232-154-0x00007FF84E110000-0x00007FF84E120000-memory.dmp

Filesize
64KB

Download
memory/2232-152-0x00007FF84E110000-0x00007FF84E120000-memory.dmp

Filesize
64KB

Download
memory/3704-137-0x00007FF84E110000-0x00007FF84E120000-memory.dmp

Filesize
64KB

Download
memory/3704-138-0x00007FF84E110000-0x00007FF84E120000-memory.dmp

Filesize
64KB

Download
memory/3704-140-0x00007FF84BCD0000-0x00007FF84BCE0000-memory.dmp

Filesize
64KB

Download
memory/3704-139-0x00007FF84BCD0000-0x00007FF84BCE0000-memory.dmp

Filesize
64KB

Download
memory/3704-135-0x00007FF84E110000-0x00007FF84E120000-memory.dmp

Filesize
64KB

Download
memory/3704-136-0x00007FF84E110000-0x00007FF84E120000-memory.dmp

Filesize
64KB

Download
memory/3704-134-0x00007FF84E110000-0x00007FF84E120000-memory.dmp

Filesize
64KB

Download