hxxp://jguyhawsee[.]com

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2023 12:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://jguyhawsee.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4220	chrome.exe
4220	chrome.exe
4776	chrome.exe
4776	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4220	chrome.exe
4220	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4220 wrote to memory of 4064	4220	chrome.exe	78
PID 4220 wrote to memory of 4064	4220	chrome.exe	78
PID 4220 wrote to memory of 212	4220	chrome.exe	80
PID 4220 wrote to memory of 212	4220	chrome.exe	80
PID 4220 wrote to memory of 212	4220	chrome.exe	80
PID 4220 wrote to memory of 212	4220	chrome.exe	80
PID 4220 wrote to memory of 212	4220	chrome.exe	80
PID 4220 wrote to memory of 212	4220	chrome.exe	80
PID 4220 wrote to memory of 212	4220	chrome.exe	80
PID 4220 wrote to memory of 212	4220	chrome.exe	80
PID 4220 wrote to memory of 212	4220	chrome.exe	80
PID 4220 wrote to memory of 212	4220	chrome.exe	80
PID 4220 wrote to memory of 212	4220	chrome.exe	80
PID 4220 wrote to memory of 212	4220	chrome.exe	80
PID 4220 wrote to memory of 212	4220	chrome.exe	80
PID 4220 wrote to memory of 212	4220	chrome.exe	80
PID 4220 wrote to memory of 212	4220	chrome.exe	80
PID 4220 wrote to memory of 212	4220	chrome.exe	80
PID 4220 wrote to memory of 212	4220	chrome.exe	80
PID 4220 wrote to memory of 212	4220	chrome.exe	80
PID 4220 wrote to memory of 212	4220	chrome.exe	80
PID 4220 wrote to memory of 212	4220	chrome.exe	80
PID 4220 wrote to memory of 212	4220	chrome.exe	80
PID 4220 wrote to memory of 212	4220	chrome.exe	80
PID 4220 wrote to memory of 212	4220	chrome.exe	80
PID 4220 wrote to memory of 212	4220	chrome.exe	80
PID 4220 wrote to memory of 212	4220	chrome.exe	80
PID 4220 wrote to memory of 212	4220	chrome.exe	80
PID 4220 wrote to memory of 212	4220	chrome.exe	80
PID 4220 wrote to memory of 212	4220	chrome.exe	80
PID 4220 wrote to memory of 212	4220	chrome.exe	80
PID 4220 wrote to memory of 212	4220	chrome.exe	80
PID 4220 wrote to memory of 212	4220	chrome.exe	80
PID 4220 wrote to memory of 212	4220	chrome.exe	80
PID 4220 wrote to memory of 212	4220	chrome.exe	80
PID 4220 wrote to memory of 212	4220	chrome.exe	80
PID 4220 wrote to memory of 212	4220	chrome.exe	80
PID 4220 wrote to memory of 212	4220	chrome.exe	80
PID 4220 wrote to memory of 212	4220	chrome.exe	80
PID 4220 wrote to memory of 212	4220	chrome.exe	80
PID 4220 wrote to memory of 4068	4220	chrome.exe	81
PID 4220 wrote to memory of 4068	4220	chrome.exe	81
PID 4220 wrote to memory of 4248	4220	chrome.exe	82
PID 4220 wrote to memory of 4248	4220	chrome.exe	82
PID 4220 wrote to memory of 4248	4220	chrome.exe	82
PID 4220 wrote to memory of 4248	4220	chrome.exe	82
PID 4220 wrote to memory of 4248	4220	chrome.exe	82
PID 4220 wrote to memory of 4248	4220	chrome.exe	82
PID 4220 wrote to memory of 4248	4220	chrome.exe	82
PID 4220 wrote to memory of 4248	4220	chrome.exe	82
PID 4220 wrote to memory of 4248	4220	chrome.exe	82
PID 4220 wrote to memory of 4248	4220	chrome.exe	82
PID 4220 wrote to memory of 4248	4220	chrome.exe	82
PID 4220 wrote to memory of 4248	4220	chrome.exe	82
PID 4220 wrote to memory of 4248	4220	chrome.exe	82
PID 4220 wrote to memory of 4248	4220	chrome.exe	82
PID 4220 wrote to memory of 4248	4220	chrome.exe	82
PID 4220 wrote to memory of 4248	4220	chrome.exe	82
PID 4220 wrote to memory of 4248	4220	chrome.exe	82
PID 4220 wrote to memory of 4248	4220	chrome.exe	82
PID 4220 wrote to memory of 4248	4220	chrome.exe	82
PID 4220 wrote to memory of 4248	4220	chrome.exe	82
PID 4220 wrote to memory of 4248	4220	chrome.exe	82
PID 4220 wrote to memory of 4248	4220	chrome.exe	82

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://jguyhawsee.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff37ac9758,0x7fff37ac9768,0x7fff37ac9778
  2⤵
  PID:4064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1832,i,13780905396294359032,8244767495928868158,131072 /prefetch:2
  2⤵
  PID:212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1832,i,13780905396294359032,8244767495928868158,131072 /prefetch:8
  2⤵
  PID:4068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2252 --field-trial-handle=1832,i,13780905396294359032,8244767495928868158,131072 /prefetch:8
  2⤵
  PID:4248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2824 --field-trial-handle=1832,i,13780905396294359032,8244767495928868158,131072 /prefetch:1
  2⤵
  PID:3532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2816 --field-trial-handle=1832,i,13780905396294359032,8244767495928868158,131072 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4824 --field-trial-handle=1832,i,13780905396294359032,8244767495928868158,131072 /prefetch:8
  2⤵
  PID:2460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 --field-trial-handle=1832,i,13780905396294359032,8244767495928868158,131072 /prefetch:8
  2⤵
  PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 --field-trial-handle=1832,i,13780905396294359032,8244767495928868158,131072 /prefetch:8
  2⤵
  PID:3628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 --field-trial-handle=1832,i,13780905396294359032,8244767495928868158,131072 /prefetch:8
  2⤵
  PID:3748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4480 --field-trial-handle=1832,i,13780905396294359032,8244767495928868158,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4776

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\33e1c07b-8aa4-47e4-8ebf-4f131cae7edc.tmp

Filesize
6KB

MD5
46f6339cfe24b4237c2ad8077b801368

SHA1
f3c806d4ed1225f3f44df73551c7d495cacec794

SHA256
d8f3a2c73efd9dbb718b082828f412b5d8980459e372bc71ad20f0d8c3e6987c

SHA512
b4b8d1b8f9de2b91a624ecf876f9d7ad83b4c58629d7ab015ff385478f3cc34fa03360aed701115eccbd9a755621dacec3fe28e5899b0db6ebae18ba8989c6a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
548c1e09589af39364feb7244e45bc82

SHA1
aded5dbae4eb95c1e93ac3821ca7012c20d2c53e

SHA256
3a04d2bd57020b022a4de0b15ad0a9713063f5d9038974b98e72704656000a91

SHA512
f35c1427ff6b8988179bda205156f9c8d06b899b8c1aafbab6ab0aa9299f7099ab7ebeb5f153a41e69dacf7bb0dba3eaeb2693bc2e2848ad70ef60084d3d9458

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8d32ff4ba4f4fcad424e93870934682d

SHA1
ff652f03aa561b4e65c7480a4cf411e209f3c398

SHA256
ac194674c388200364408f821cafcade7b79af206b7170fd84571798a493cb0a

SHA512
0b7b248821c903c182a71eaac78ded091125415185195f6357e753af4a347e1ba0c89eef83b4ba84e17969ddb408b28d4c53345807401faaf6a563f121ea797b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
171KB

MD5
0a6ce105b3f5687214dcd2ca804cae0a

SHA1
b153fa9bbe9e5ba66a2b2a80e45542b8d67cd596

SHA256
16a793fd3ddb2b4b83657bdc2fddc201b09e4a7aeea6333de2bfcec46d315f7c

SHA512
841ab066162db65429ef111899b2887b338765c53a9e4e8b8c366dadb473d4f640dd03462a984917b49fda631d54336fc397dc8750e4ac1060639f7078c1ca6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
103KB

MD5
7629d78075b2346ef1bb2af89baaaa16

SHA1
be1454ade12c3545cb4b91d19efd5ca6a0fb7fa6

SHA256
7e4b4ec2b5f959a1e20a7e02e75ad93347d3ca471401beed906014fbd836cf45

SHA512
c2ae71a7bfd06ffa94cb2f7ecf91e93c0297483a2921e3c25e130aa649af028ab74526b1302621b99e91642fba940a1202bebfe9e886be8b2aa4e0025db3c8dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58604b.TMP

Filesize
97KB

MD5
6b29ca50420ca4a3f0f1e287b2e03b74

SHA1
b4e00b4044f3ac4b6fcb5620f4c3ca5693a0e34e

SHA256
ef094c7c8e87017456ab4914fdbf46a73491a2fc102db2e659ef8f270bc3133d

SHA512
bbf73870b01c06d7b445433f436604e961a0d154eef6b5ede3be069c5016336e03b989af52367eeedce17877582e1d0769e03403aee782e88957f24034087f85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit