hxxp://krnl[.]vip

Resubmissions

28/02/2024, 17:20

240228-vwjq3ahf58 4

28/02/2024, 17:18

240228-vva3jahf34 1

Analysis

max time kernel
150s
max time network
154s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
28/02/2024, 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://krnl.vip

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133536144780425363"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4420	chrome.exe
4420	chrome.exe
3176	chrome.exe
3176	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe
Token: SeShutdownPrivilege	4420	chrome.exe
Token: SeCreatePagefilePrivilege	4420	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 4180	4420	chrome.exe	70
PID 4420 wrote to memory of 4180	4420	chrome.exe	70
PID 4420 wrote to memory of 1788	4420	chrome.exe	79
PID 4420 wrote to memory of 1788	4420	chrome.exe	79
PID 4420 wrote to memory of 1788	4420	chrome.exe	79
PID 4420 wrote to memory of 1788	4420	chrome.exe	79
PID 4420 wrote to memory of 1788	4420	chrome.exe	79
PID 4420 wrote to memory of 1788	4420	chrome.exe	79
PID 4420 wrote to memory of 1788	4420	chrome.exe	79
PID 4420 wrote to memory of 1788	4420	chrome.exe	79
PID 4420 wrote to memory of 1788	4420	chrome.exe	79
PID 4420 wrote to memory of 1788	4420	chrome.exe	79
PID 4420 wrote to memory of 1788	4420	chrome.exe	79
PID 4420 wrote to memory of 1788	4420	chrome.exe	79
PID 4420 wrote to memory of 1788	4420	chrome.exe	79
PID 4420 wrote to memory of 1788	4420	chrome.exe	79
PID 4420 wrote to memory of 1788	4420	chrome.exe	79
PID 4420 wrote to memory of 1788	4420	chrome.exe	79
PID 4420 wrote to memory of 1788	4420	chrome.exe	79
PID 4420 wrote to memory of 1788	4420	chrome.exe	79
PID 4420 wrote to memory of 1788	4420	chrome.exe	79
PID 4420 wrote to memory of 1788	4420	chrome.exe	79
PID 4420 wrote to memory of 1788	4420	chrome.exe	79
PID 4420 wrote to memory of 1788	4420	chrome.exe	79
PID 4420 wrote to memory of 1788	4420	chrome.exe	79
PID 4420 wrote to memory of 1788	4420	chrome.exe	79
PID 4420 wrote to memory of 1788	4420	chrome.exe	79
PID 4420 wrote to memory of 1788	4420	chrome.exe	79
PID 4420 wrote to memory of 1788	4420	chrome.exe	79
PID 4420 wrote to memory of 1788	4420	chrome.exe	79
PID 4420 wrote to memory of 1788	4420	chrome.exe	79
PID 4420 wrote to memory of 1788	4420	chrome.exe	79
PID 4420 wrote to memory of 1788	4420	chrome.exe	79
PID 4420 wrote to memory of 1788	4420	chrome.exe	79
PID 4420 wrote to memory of 1788	4420	chrome.exe	79
PID 4420 wrote to memory of 1788	4420	chrome.exe	79
PID 4420 wrote to memory of 1788	4420	chrome.exe	79
PID 4420 wrote to memory of 1788	4420	chrome.exe	79
PID 4420 wrote to memory of 1788	4420	chrome.exe	79
PID 4420 wrote to memory of 1788	4420	chrome.exe	79
PID 4420 wrote to memory of 3524	4420	chrome.exe	81
PID 4420 wrote to memory of 3524	4420	chrome.exe	81
PID 4420 wrote to memory of 2472	4420	chrome.exe	80
PID 4420 wrote to memory of 2472	4420	chrome.exe	80
PID 4420 wrote to memory of 2472	4420	chrome.exe	80
PID 4420 wrote to memory of 2472	4420	chrome.exe	80
PID 4420 wrote to memory of 2472	4420	chrome.exe	80
PID 4420 wrote to memory of 2472	4420	chrome.exe	80
PID 4420 wrote to memory of 2472	4420	chrome.exe	80
PID 4420 wrote to memory of 2472	4420	chrome.exe	80
PID 4420 wrote to memory of 2472	4420	chrome.exe	80
PID 4420 wrote to memory of 2472	4420	chrome.exe	80
PID 4420 wrote to memory of 2472	4420	chrome.exe	80
PID 4420 wrote to memory of 2472	4420	chrome.exe	80
PID 4420 wrote to memory of 2472	4420	chrome.exe	80
PID 4420 wrote to memory of 2472	4420	chrome.exe	80
PID 4420 wrote to memory of 2472	4420	chrome.exe	80
PID 4420 wrote to memory of 2472	4420	chrome.exe	80
PID 4420 wrote to memory of 2472	4420	chrome.exe	80
PID 4420 wrote to memory of 2472	4420	chrome.exe	80
PID 4420 wrote to memory of 2472	4420	chrome.exe	80
PID 4420 wrote to memory of 2472	4420	chrome.exe	80
PID 4420 wrote to memory of 2472	4420	chrome.exe	80
PID 4420 wrote to memory of 2472	4420	chrome.exe	80

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://krnl.vip
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbb8f29758,0x7ffbb8f29768,0x7ffbb8f29778
  2⤵
  PID:4180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1840,i,8898193149079587863,17272492382624726833,131072 /prefetch:2
  2⤵
  PID:1788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2184 --field-trial-handle=1840,i,8898193149079587863,17272492382624726833,131072 /prefetch:8
  2⤵
  PID:2472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1840,i,8898193149079587863,17272492382624726833,131072 /prefetch:8
  2⤵
  PID:3524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3044 --field-trial-handle=1840,i,8898193149079587863,17272492382624726833,131072 /prefetch:1
  2⤵
  PID:2796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=1840,i,8898193149079587863,17272492382624726833,131072 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4544 --field-trial-handle=1840,i,8898193149079587863,17272492382624726833,131072 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3408 --field-trial-handle=1840,i,8898193149079587863,17272492382624726833,131072 /prefetch:1
  2⤵
  PID:736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 --field-trial-handle=1840,i,8898193149079587863,17272492382624726833,131072 /prefetch:8
  2⤵
  PID:5048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3376 --field-trial-handle=1840,i,8898193149079587863,17272492382624726833,131072 /prefetch:8
  2⤵
  PID:1216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4988 --field-trial-handle=1840,i,8898193149079587863,17272492382624726833,131072 /prefetch:1
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4676 --field-trial-handle=1840,i,8898193149079587863,17272492382624726833,131072 /prefetch:1
  2⤵
  PID:428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1568 --field-trial-handle=1840,i,8898193149079587863,17272492382624726833,131072 /prefetch:8
  2⤵
  PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4840 --field-trial-handle=1840,i,8898193149079587863,17272492382624726833,131072 /prefetch:1
  2⤵
  PID:3244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3864 --field-trial-handle=1840,i,8898193149079587863,17272492382624726833,131072 /prefetch:1
  2⤵
  PID:336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3248 --field-trial-handle=1840,i,8898193149079587863,17272492382624726833,131072 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3956 --field-trial-handle=1840,i,8898193149079587863,17272492382624726833,131072 /prefetch:1
  2⤵
  PID:3988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5580 --field-trial-handle=1840,i,8898193149079587863,17272492382624726833,131072 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5984 --field-trial-handle=1840,i,8898193149079587863,17272492382624726833,131072 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=3084 --field-trial-handle=1840,i,8898193149079587863,17272492382624726833,131072 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5968 --field-trial-handle=1840,i,8898193149079587863,17272492382624726833,131072 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=1056 --field-trial-handle=1840,i,8898193149079587863,17272492382624726833,131072 /prefetch:1
  2⤵
  PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3928 --field-trial-handle=1840,i,8898193149079587863,17272492382624726833,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3176

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4760

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:1560

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:3940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000014

Filesize
19KB

MD5
8d5a29da38f6a618f0e1eb3f5b1e26be

SHA1
1eb26474ef2908d939d8cc3da670e55ef8418219

SHA256
f9b094a95d2c3a0586c7b8638a4cfa73ae68e2f6164343806b750ca33e337ad1

SHA512
ec471da2cdd6a11248c85eb3dbf5bffeaafd11d5fb76043df0a294f27266b94eed4edd8041ce7eaab11c5337a7436d11fcffdec818280b1ddbadbbaad9874c50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
5e7dafabda43e271a96fdb67ecd94183

SHA1
bc374b2863968e96aba97418ea5e52ad7153bf71

SHA256
38b2952d758de879edd243c39818c76b59f39907f6f473bc68c8a1c66487e76c

SHA512
a2c2b421717285d8f45e2ae910edf457045f0bb5fec7d60382d3925a2b2de64ef6dcd9bee0ff80c16be10c903c713346b09c5f6bcc1119607aabc4e699fc9396

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
e036093cb7aa48cc104d36fc595094e8

SHA1
c328da490aa1c34623c40c412c388a243d865257

SHA256
1150472b66b4478136260de6d8ddf59129dc51f526a26a167b1e0414d0b6cf7d

SHA512
032b14aff8c0cd4272f8adbf38d8d75c687bf80d8733555dbb8034085fc2be5971633c627fc5c38663d37ee7cc4e4d6ffc6412ecfe3c202355cc7a32b581bc2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
9996a72a437fea0127db7302279e063d

SHA1
5159e31672babf4b244ac8e721606c421ed1166d

SHA256
218aedf4e0d36b087f47cce6697abc6c70348e2a120d7c8551d09696a72ff100

SHA512
5b00796c9a53ed0b3f239fdc7d200d2599002d99e0a9ef6577eb2a42ba09da8466c8676cfaf0c55d3640d970b6d2586051a73fe4f5f1f18c14d8eb466b91ff45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ea44943e19e2f7782317d5bc78a387fd

SHA1
e4a62566e6a7e696c6ddcc9e9caf0b77aea604d3

SHA256
f14bcbe0f9e1941bb0cae30b174cacf6e6b2fe3f0d862cc0ca7c7235a7840468

SHA512
c844ad022db51df4625960afd6c1d21775a7b7b04b2d8dc5b66fbdc6960ef9f0042e0e5a1808970da751ebb328b39826d12321c18cfeedcdea2d0555549222df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5618f4c387854ece9c848592e4c02698

SHA1
1b8702a6cc0df8ed87a3bf0c939947163e9cc663

SHA256
80923c2d108476961ed2f8a844b0e6b31d03422af5edb1e49167bb998ae2e9df

SHA512
62c1b8da0867f39ba0750b416f35ae9c75f99b138de45382a686dfe2a9811fa1a237e103d0da96f33d8837da60d80ae3aa143b09d040308af4232255bd3fc7a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4437102fcedbeb2f1b19f794c7a96ad4

SHA1
20fd09abd3d5dc154dd3265863664a65221e6c4a

SHA256
5759b76d5f81418799d342f1a3db265687ec167721a7f99db745740b328b9ea9

SHA512
05db6b7603ebef60001517f884d657cb840f4183ebeff8810be5c2ae27b90d8993f3a2e3df81f54b6184546cd1df4038f90a2bb450ea8bbff9c5d52ea9528c52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1f1f50da27cf1fbb5f9d8464e5f1a73d

SHA1
758d3004ab317e8c39f9fe5302eb5bc3f974cbd0

SHA256
38e56a7b834894dbef0fa04d6294d760894f630101f4a45fde11f9b2cfd05c92

SHA512
56392c744367d8f277d6f4d3c8a2a98e80426ac9366221011b97bee0ac38f6758c5d15e3f132dae863d3f6aaab001ea59c2c71fc6d4592a43c1ee9c53195a568

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
03eeecd5c42b0ef53d8d01db14dc5c77

SHA1
f2ebe4b6660bc7777f7e6d5b8d51ec6ba1613bb9

SHA256
8dc485f02acb096eebf5662363914154455a6a2711849cb5ce7f4aba74357b1e

SHA512
d757e49bfcd69e94fd6053f00217cd1386154be960383eff588403051d366e510f3504a50254140fbf1b7522bd56f962aa9a1b3a8d2a3da60ff1ca1093398d60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ccdefc873be4e81a62957df514c748cc

SHA1
b2b6fae4ed96d788c8c7ad925140e731cfea3754

SHA256
d37ab79eef38a74fdf1cbc9b2271b55ca0116a860a40562db638dca363096978

SHA512
6ce1131a6ae48fb73b0cda1be8b758b7bdf4c8bb395b969e51f1b2ce2b349d26523f68dfaeb83acd69a51fe63d9678698908afd96590f1fa811b193d2cf35c3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
986124ba0f56f2adb16612d25be6bfd7

SHA1
7afc1c3583dee9dd9a36cf63fc404196712665d2

SHA256
2296fcf72d04902de8cc7c95bd2f4cce975c0fcf227b24077240bf265a5095fd

SHA512
aeee9734f70fc3a2102b122871de19b98d111d56a7a4a125d4ea11fe383c32482d1eaea5de5a58b9bb806dfabe74bdc3b167a9311eea12b982962dc8cd8abc78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
68d61853c0c28b9ed2508ff71aa230f8

SHA1
430da369ad93dc59527647b727a6e08401b3d9d9

SHA256
f28db7875aebb6342fad7550d6d84fffa3de1d3ac272b5f39b395558288e938f

SHA512
0aa9097f740564f00304dd18cd8c92fca12b10b7f0e79fb3648627b313aab90dc77d22be741a9ff5c8fff440bed35ea94ae94888e71ac0be2a11249a672cfbfb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
22e787caffb963553402404946bec985

SHA1
bb856185ce8c0856f6328d1a10a5f001093e910e

SHA256
dc95ab6ba14f6be5e00fe8ebe783e264c049689c055699b782b9d9508dfbdc64

SHA512
66b650520e8e2a032d9988ae545a55c43637008d40686d5d4db7ecfa3d56ab5c1f3d56856af693efd6d575a888571272d14b1c5c2384009160599e1aa4de135b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
223181f2434296bf3d58dea71b5951a1

SHA1
6f703ed50579dca49349341195c51034c91280ac

SHA256
a382f8b6261619242a53851c3f660a2de5bdc336e5a629e72735b5abbbb89683

SHA512
b5f24ef00302a4fa0dc8d1c4299f22e6897a83136103acc26b790cf2c9af15b67021dc9b9cc80c1f12117bd64158ae6469d3dd8c451121e5f60f4f2c2f6455d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
d02c6c945a0a3bf6ed0d4c61d95a4fff

SHA1
e1d260b6b5d9a08ff360fcea2896a7c676dd108c

SHA256
4776ea63282f586d038436124804ab6d4707b59bc20b66b1f9778fe09e0185bf

SHA512
67e7074a889aeb2eb1282846c0b727ff0264ade2f552438f987c6856289387b71dd841f3985bcad07b332afb74afd459587bf2d98fa794ec49b88fb1d8292cf0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58ebf1.TMP

Filesize
48B

MD5
a463cd235bfea49f03e18ea0a74e6218

SHA1
2cdf3b2292e2f614181d49f9cf3a2fb7c33dc765

SHA256
c9d5337147f724ff0de907495e84a8ea58dad3bd157e37910403770cdae7fe5e

SHA512
04f13b64e1c6423612f6549ac3cbf83db72d5105b69c16ab3e64cb5d26ee02b5eb8e4d3d1be014ab2dce54e60340742e10a013c800f5bf63ed68993a4fec0883

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
6ea8b5a98c45b8a7f9cc29dd9934a87b

SHA1
06267b8436582c551dc64ed7c57f2b3a1f5f45b3

SHA256
e31121504d021b899f1cc3ec842b624b91ee80aac5dda0730f360620b6bc76cb

SHA512
dedd30539a98c655ed10a409632fcee04e03b635586862752e9042c61f4fe60f480e1bbec69789a3b1d0d0055ed88a82b18d6deac3566076651050f78f9ffec2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
93KB

MD5
b8e853c45dacba348e6ccf82791cd7cd

SHA1
176a01287a7fd56bc0cc737a1d5f62f059ac1603

SHA256
9852bc41ad37814649657202f58c5535f8db02c31353aa2682a35286e2013e12

SHA512
4b79e8d6bef9e2d5a2d572ee09a81c9ece6b3253d7de69b98f26f84a05252deb1c66e66e5628cbe197fcd06fcb657b061d2ea2c21b1519f4126381479abbfd19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5837d4.TMP

Filesize
92KB

MD5
45daf3eaca431f5498407622f62b99b5

SHA1
5973b07ae5ca0d779b17137e59744c936c8dbaf4

SHA256
2f53099b319049968dd061afcf8604f2db52408797182676509fe864fd394793

SHA512
2800f7975af3ee1b9e1189f936ab922adde93cbb4c20a950fe0c7920a7ad26b9a949f92a732c2b8473800083e4da4e33014b798f5df723d536d121fc5042f93a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit