hxxps://help[.]pendo[.]io/

Analysis

max time kernel
296s
max time network
279s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2024 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://help.pendo.io/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133493719121464983"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1932	chrome.exe
1932	chrome.exe
3180	chrome.exe
3180	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1932	chrome.exe
1932	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 764	1932	chrome.exe	88
PID 1932 wrote to memory of 764	1932	chrome.exe	88
PID 1932 wrote to memory of 4700	1932	chrome.exe	91
PID 1932 wrote to memory of 4700	1932	chrome.exe	91
PID 1932 wrote to memory of 4700	1932	chrome.exe	91
PID 1932 wrote to memory of 4700	1932	chrome.exe	91
PID 1932 wrote to memory of 4700	1932	chrome.exe	91
PID 1932 wrote to memory of 4700	1932	chrome.exe	91
PID 1932 wrote to memory of 4700	1932	chrome.exe	91
PID 1932 wrote to memory of 4700	1932	chrome.exe	91
PID 1932 wrote to memory of 4700	1932	chrome.exe	91
PID 1932 wrote to memory of 4700	1932	chrome.exe	91
PID 1932 wrote to memory of 4700	1932	chrome.exe	91
PID 1932 wrote to memory of 4700	1932	chrome.exe	91
PID 1932 wrote to memory of 4700	1932	chrome.exe	91
PID 1932 wrote to memory of 4700	1932	chrome.exe	91
PID 1932 wrote to memory of 4700	1932	chrome.exe	91
PID 1932 wrote to memory of 4700	1932	chrome.exe	91
PID 1932 wrote to memory of 4700	1932	chrome.exe	91
PID 1932 wrote to memory of 4700	1932	chrome.exe	91
PID 1932 wrote to memory of 4700	1932	chrome.exe	91
PID 1932 wrote to memory of 4700	1932	chrome.exe	91
PID 1932 wrote to memory of 4700	1932	chrome.exe	91
PID 1932 wrote to memory of 4700	1932	chrome.exe	91
PID 1932 wrote to memory of 4700	1932	chrome.exe	91
PID 1932 wrote to memory of 4700	1932	chrome.exe	91
PID 1932 wrote to memory of 4700	1932	chrome.exe	91
PID 1932 wrote to memory of 4700	1932	chrome.exe	91
PID 1932 wrote to memory of 4700	1932	chrome.exe	91
PID 1932 wrote to memory of 4700	1932	chrome.exe	91
PID 1932 wrote to memory of 4700	1932	chrome.exe	91
PID 1932 wrote to memory of 4700	1932	chrome.exe	91
PID 1932 wrote to memory of 4700	1932	chrome.exe	91
PID 1932 wrote to memory of 4700	1932	chrome.exe	91
PID 1932 wrote to memory of 4700	1932	chrome.exe	91
PID 1932 wrote to memory of 4700	1932	chrome.exe	91
PID 1932 wrote to memory of 4700	1932	chrome.exe	91
PID 1932 wrote to memory of 4700	1932	chrome.exe	91
PID 1932 wrote to memory of 4700	1932	chrome.exe	91
PID 1932 wrote to memory of 4700	1932	chrome.exe	91
PID 1932 wrote to memory of 1488	1932	chrome.exe	92
PID 1932 wrote to memory of 1488	1932	chrome.exe	92
PID 1932 wrote to memory of 564	1932	chrome.exe	93
PID 1932 wrote to memory of 564	1932	chrome.exe	93
PID 1932 wrote to memory of 564	1932	chrome.exe	93
PID 1932 wrote to memory of 564	1932	chrome.exe	93
PID 1932 wrote to memory of 564	1932	chrome.exe	93
PID 1932 wrote to memory of 564	1932	chrome.exe	93
PID 1932 wrote to memory of 564	1932	chrome.exe	93
PID 1932 wrote to memory of 564	1932	chrome.exe	93
PID 1932 wrote to memory of 564	1932	chrome.exe	93
PID 1932 wrote to memory of 564	1932	chrome.exe	93
PID 1932 wrote to memory of 564	1932	chrome.exe	93
PID 1932 wrote to memory of 564	1932	chrome.exe	93
PID 1932 wrote to memory of 564	1932	chrome.exe	93
PID 1932 wrote to memory of 564	1932	chrome.exe	93
PID 1932 wrote to memory of 564	1932	chrome.exe	93
PID 1932 wrote to memory of 564	1932	chrome.exe	93
PID 1932 wrote to memory of 564	1932	chrome.exe	93
PID 1932 wrote to memory of 564	1932	chrome.exe	93
PID 1932 wrote to memory of 564	1932	chrome.exe	93
PID 1932 wrote to memory of 564	1932	chrome.exe	93
PID 1932 wrote to memory of 564	1932	chrome.exe	93
PID 1932 wrote to memory of 564	1932	chrome.exe	93

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://help.pendo.io/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe43339758,0x7ffe43339768,0x7ffe43339778
  2⤵
  PID:764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1916,i,1524633839122550168,6094394095688388171,131072 /prefetch:2
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1916,i,1524633839122550168,6094394095688388171,131072 /prefetch:8
  2⤵
  PID:1488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1916,i,1524633839122550168,6094394095688388171,131072 /prefetch:8
  2⤵
  PID:564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1916,i,1524633839122550168,6094394095688388171,131072 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1916,i,1524633839122550168,6094394095688388171,131072 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5952 --field-trial-handle=1916,i,1524633839122550168,6094394095688388171,131072 /prefetch:8
  2⤵
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 --field-trial-handle=1916,i,1524633839122550168,6094394095688388171,131072 /prefetch:8
  2⤵
  PID:1812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4924 --field-trial-handle=1916,i,1524633839122550168,6094394095688388171,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3180

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
672B

MD5
8fb0b1db4973f5ea7879767d059ec33f

SHA1
f133c971d1bf5e920d154253a1e79dfa1e2651d2

SHA256
ce78da5e1e5b02aa34138b91a5169ba695f47a18024062a0263e0f21a457a382

SHA512
12ca589916bc1f578769ee9ee2e49c7d88c2caec7840392f02b7c51dc173b079f33efcb400611db7a15d239e0c3035d4a2d8aac00f17e01ef789ac54027739dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
1a1565b459102c6efe1c6610e92e3ce5

SHA1
7be548c8cb267b3d2cdc7b469cd2811ec543b571

SHA256
e65997e07b0546f56260ace2bb15bd4dedc2bc60298e018cba52c4a0fc600e90

SHA512
99ddf869965d8dd70a2e06231d604b926f3fcbda22e5647703fa7c8605b36fbf2fa0cb63d2550d0a85b55de63270be8fb1d322f23db59b67db71559c633a9fd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
fc2a531d955fb2f44a4568f933a5754f

SHA1
c3ba2021cb450ae41bcfe9d627286c9b3cee22cd

SHA256
87c3daf6d85652a7b961dce41340cc5ea79295aa3aa2639dfebf2c68fc681076

SHA512
47f57074ee6121a52f887c7f41c023839f6d96d8f1a8e4fb6c252475f625f4f23680336fef170a066e949080799b9b5bc5c5bab3d546aa35468fb0624b01f5a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a5cf06eb2a64e82a67a5c0407f64d8d9

SHA1
aec117417066c09a47e76b8967e1135c149e2cc2

SHA256
2cc80c2b96fe42d0ca8a837b18f26b0ddb616ffb6269ea78776b2f1909953a4f

SHA512
e907ec974db881dde9297817571a41c2ebc5b160550b6bfae97ae95ebea7c2dde4155d4e0519ef8487bef35570cfe2f6dcc9efa147931b8bacbd9ee43b330614

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
873B

MD5
d2cfd1911c27a12033ce3d92e2cac551

SHA1
bac2e91ff0ec5ad3f4cc9b7954018889478c7101

SHA256
65aa8f672dfe5fd65efcd72c64456ff74b8c578104ce09ca7770ff4cf93c5fb5

SHA512
9ffd88768fa314ac861140e6d76d7c786b1ddd3d5164358b94e4bc1ff53cad4d4902e210ec9e34c8046f074529becb9a45acb09fe363cb260532aed093aace50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
42e5a02b6924dd1d089dbb64eed0eb4b

SHA1
e5269d73131cdaca45138ee7f57d342c900abc06

SHA256
3ef5bc302dc2865b126811bf32534b8a0b68e691f2252dbe77dafc9a247aecfd

SHA512
6a2875373341f9d44931bc29b93210a2c27822e387e5bb10a478a3ba4af85f2dbfef8f2485e256bdf756eeb4e0ffa2199d3f920d75964629b2433954d0e4c0fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9ae32aad4826cb7a8b605bad732363f6

SHA1
3af99e265654120e24d55640173384dd219e8337

SHA256
83b9118ca46ec938dfde3a5658e6f1a59cfc8ec516ef58062843f38c9d2f64be

SHA512
92f226333c7a4ff3200d61091a50c39aaf6ec743d8929eeb4c5eddc2d9ce197cfb7a0fc39b0247033496f361c0d481081b54ee44a4326c7b8d07a522b365695b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
25KB

MD5
4cbbed4442b64c21d93c54822461f28a

SHA1
2c0486e0a4511d6b7455ed36a7ae667c9a9ac88c

SHA256
c7c0a6f9e65a08d5348fd570b4658a20fab35ba248b4ee88285dcb4454bab40a

SHA512
99e04033398ffb7015989c797821a2657ea9ba1e0959640f52da6e3aecb412050354bcb48f8906180029ab49aebfe750baf8fd96b15ec6a10369491d245253a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit