hxxps://stackoverflow[.]com/questions/51139422/warning-c26454-arithmetic-overflow-operation-produces-a-negative-unsigned

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2023 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://stackoverflow.com/questions/51139422/warning-c26454-arithmetic-overflow-operation-produces-a-negative-unsigned

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133411680228371283"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1596	chrome.exe
1596	chrome.exe
4356	chrome.exe
4356	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 3200	1596	chrome.exe	72
PID 1596 wrote to memory of 3200	1596	chrome.exe	72
PID 1596 wrote to memory of 1632	1596	chrome.exe	88
PID 1596 wrote to memory of 1632	1596	chrome.exe	88
PID 1596 wrote to memory of 1632	1596	chrome.exe	88
PID 1596 wrote to memory of 1632	1596	chrome.exe	88
PID 1596 wrote to memory of 1632	1596	chrome.exe	88
PID 1596 wrote to memory of 1632	1596	chrome.exe	88
PID 1596 wrote to memory of 1632	1596	chrome.exe	88
PID 1596 wrote to memory of 1632	1596	chrome.exe	88
PID 1596 wrote to memory of 1632	1596	chrome.exe	88
PID 1596 wrote to memory of 1632	1596	chrome.exe	88
PID 1596 wrote to memory of 1632	1596	chrome.exe	88
PID 1596 wrote to memory of 1632	1596	chrome.exe	88
PID 1596 wrote to memory of 1632	1596	chrome.exe	88
PID 1596 wrote to memory of 1632	1596	chrome.exe	88
PID 1596 wrote to memory of 1632	1596	chrome.exe	88
PID 1596 wrote to memory of 1632	1596	chrome.exe	88
PID 1596 wrote to memory of 1632	1596	chrome.exe	88
PID 1596 wrote to memory of 1632	1596	chrome.exe	88
PID 1596 wrote to memory of 1632	1596	chrome.exe	88
PID 1596 wrote to memory of 1632	1596	chrome.exe	88
PID 1596 wrote to memory of 1632	1596	chrome.exe	88
PID 1596 wrote to memory of 1632	1596	chrome.exe	88
PID 1596 wrote to memory of 1632	1596	chrome.exe	88
PID 1596 wrote to memory of 1632	1596	chrome.exe	88
PID 1596 wrote to memory of 1632	1596	chrome.exe	88
PID 1596 wrote to memory of 1632	1596	chrome.exe	88
PID 1596 wrote to memory of 1632	1596	chrome.exe	88
PID 1596 wrote to memory of 1632	1596	chrome.exe	88
PID 1596 wrote to memory of 1632	1596	chrome.exe	88
PID 1596 wrote to memory of 1632	1596	chrome.exe	88
PID 1596 wrote to memory of 1632	1596	chrome.exe	88
PID 1596 wrote to memory of 1632	1596	chrome.exe	88
PID 1596 wrote to memory of 1632	1596	chrome.exe	88
PID 1596 wrote to memory of 1632	1596	chrome.exe	88
PID 1596 wrote to memory of 1632	1596	chrome.exe	88
PID 1596 wrote to memory of 1632	1596	chrome.exe	88
PID 1596 wrote to memory of 1632	1596	chrome.exe	88
PID 1596 wrote to memory of 1632	1596	chrome.exe	88
PID 1596 wrote to memory of 2900	1596	chrome.exe	87
PID 1596 wrote to memory of 2900	1596	chrome.exe	87
PID 1596 wrote to memory of 3076	1596	chrome.exe	89
PID 1596 wrote to memory of 3076	1596	chrome.exe	89
PID 1596 wrote to memory of 3076	1596	chrome.exe	89
PID 1596 wrote to memory of 3076	1596	chrome.exe	89
PID 1596 wrote to memory of 3076	1596	chrome.exe	89
PID 1596 wrote to memory of 3076	1596	chrome.exe	89
PID 1596 wrote to memory of 3076	1596	chrome.exe	89
PID 1596 wrote to memory of 3076	1596	chrome.exe	89
PID 1596 wrote to memory of 3076	1596	chrome.exe	89
PID 1596 wrote to memory of 3076	1596	chrome.exe	89
PID 1596 wrote to memory of 3076	1596	chrome.exe	89
PID 1596 wrote to memory of 3076	1596	chrome.exe	89
PID 1596 wrote to memory of 3076	1596	chrome.exe	89
PID 1596 wrote to memory of 3076	1596	chrome.exe	89
PID 1596 wrote to memory of 3076	1596	chrome.exe	89
PID 1596 wrote to memory of 3076	1596	chrome.exe	89
PID 1596 wrote to memory of 3076	1596	chrome.exe	89
PID 1596 wrote to memory of 3076	1596	chrome.exe	89
PID 1596 wrote to memory of 3076	1596	chrome.exe	89
PID 1596 wrote to memory of 3076	1596	chrome.exe	89
PID 1596 wrote to memory of 3076	1596	chrome.exe	89
PID 1596 wrote to memory of 3076	1596	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://stackoverflow.com/questions/51139422/warning-c26454-arithmetic-overflow-operation-produces-a-negative-unsigned
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c5a9758,0x7ffe3c5a9768,0x7ffe3c5a9778
  2⤵
  PID:3200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1876,i,9449636777056993681,10795819951335647949,131072 /prefetch:8
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=1876,i,9449636777056993681,10795819951335647949,131072 /prefetch:2
  2⤵
  PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2172 --field-trial-handle=1876,i,9449636777056993681,10795819951335647949,131072 /prefetch:8
  2⤵
  PID:3076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=1876,i,9449636777056993681,10795819951335647949,131072 /prefetch:1
  2⤵
  PID:2752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3128 --field-trial-handle=1876,i,9449636777056993681,10795819951335647949,131072 /prefetch:1
  2⤵
  PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=5100 --field-trial-handle=1876,i,9449636777056993681,10795819951335647949,131072 /prefetch:1
  2⤵
  PID:3388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 --field-trial-handle=1876,i,9449636777056993681,10795819951335647949,131072 /prefetch:8
  2⤵
  PID:404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 --field-trial-handle=1876,i,9449636777056993681,10795819951335647949,131072 /prefetch:8
  2⤵
  PID:388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4464 --field-trial-handle=1876,i,9449636777056993681,10795819951335647949,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4356

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\6edb93f4-72f3-4910-87fa-1e856bff5e64.tmp

Filesize
6KB

MD5
8694fba37e9d831e9423c2f5837918bf

SHA1
f3ab31405be7ead1e9acf5218b59c4a1766fc35e

SHA256
7d3b009c0962e4ce81f5ff133a403868fcb13c44ef2162a898369cdc8908f903

SHA512
db47fa128134fe2485ab7d4b28e5fc1ae80b6a7cffdb9670bcec4bd48cbb1e4cac0f79b69cdb87c711d6bdd2a43b26b18d963606aee7d66e9ee30cb08bed22c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\8b612e0d-0bc3-4bfe-9171-9aecc85004a0.tmp

Filesize
5KB

MD5
fc5591765a09c99e3082f8727a969f0b

SHA1
376003c87dbe4930e10cffabc391dc19d20454a9

SHA256
f25246a61f3a2c617f392e9933fbe995d5f3dbe930bc110c1521afa912502560

SHA512
85ac5596469b9d9e7ab9a35740c2a9fa96125715bb0ecbb45fb123b897d22d53d3269d07e996faeaa37a90d135a8ec82674668cd33ef381e90fe6af89b4414e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
55be920bdfa1723f9657e627b401a19c

SHA1
9e552ce6b2ae12c707295fc72fc03b99ddc346e7

SHA256
13abf41d3b93d1c8f6e91745b51924f2e286649d8f2896a9c444646a957af292

SHA512
52f4face2cedeb2308f64ab9f2a6f9df51a6d9a8ccd19b4cebc37caa41ffb9438719930d4836e0091cf25f31b3eb2639c4ad20b5bf77b49c6042a0dfb5cd435b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
016fad417d2c49867fff2ec0e7f118c5

SHA1
096978e27cf20f2b2dde7305cffdc4b9839fa3ae

SHA256
dc8b108187e3ab25544bedd7c9504eff9b144e6ac3affbb09d3a2dd24f5d271c

SHA512
851bb1e1e12972b3f46580f989550bc45622a877b18c3972bb08ce08b4972c4b2d4feb541265c2aebb5396ccd30322ec95382085ffe319168690f592465f0ce1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
bf72c867ff53bdd67977d069c2bdb4b4

SHA1
b98501a180ee99228f5d96aa44c8e05842432fc4

SHA256
c979da021b27c6eff5e9d934d59fb8b8833dd04355515147b51339c3856fd06b

SHA512
e7638d43847d6c0df288f1a94ebb4f109c5e7a70fcf188b133c1d8f517e7c136cd4f3a17b4bc9eb06d6918b88228bc92dae9f2df6c28c8b69435805a8fdc901f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
683c0205ca8c93069198e0867b631365

SHA1
ff19b3bf19b78ddcec3e5df13dd6b79047ad1cb4

SHA256
554abafd2445d9be46dd09f64ee08383e5b717f6136c9a83863da3f573b2e7fd

SHA512
4ce7c349c080db06b5154c89cc5f6048695e093fe46314c270cf1a2b1b0126a598732c87360e9c17448c118f5d876d7a26e7f3b6312c83ec0078d33c9b02f1c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
91ab43ba7c10a7ec19031a2c158187c7

SHA1
6e504e73cbe179ad518ad52b41f1a44c6b5b9058

SHA256
f18053c71947c82adf1da810c196d34fda5972d0504e95e5f261d57f8bd7b71a

SHA512
624615830308c623c81720042dafa0a92b92ac4e05b20846cd70321ee67a03e275c297b26a8a7b8923fca9309b27cb0c5c31a3887ffb5667146519b4c5234d6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit