hxxp://github[.]com

Resubmissions

08/05/2024, 14:11

240508-rhjx5aag36 8

08/05/2024, 14:07

240508-re2zjagc5y 8

08/05/2024, 14:03

240508-rc5mmsae26 1

Analysis

max time kernel
299s
max time network
290s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://github.com

Score

8^/10

bootkit evasion persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4260	destr3ktdows (1).exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
62	raw.githubusercontent.com
63	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	destr3ktdows (1).exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4340	reg.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
4760	chrome.exe
4760	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe
Token: SeShutdownPrivilege	5056	chrome.exe
Token: SeCreatePagefilePrivilege	5056	chrome.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4260	destr3ktdows (1).exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 4784	5056	chrome.exe	77
PID 5056 wrote to memory of 4784	5056	chrome.exe	77
PID 5056 wrote to memory of 4548	5056	chrome.exe	78
PID 5056 wrote to memory of 4548	5056	chrome.exe	78
PID 5056 wrote to memory of 4548	5056	chrome.exe	78
PID 5056 wrote to memory of 4548	5056	chrome.exe	78
PID 5056 wrote to memory of 4548	5056	chrome.exe	78
PID 5056 wrote to memory of 4548	5056	chrome.exe	78
PID 5056 wrote to memory of 4548	5056	chrome.exe	78
PID 5056 wrote to memory of 4548	5056	chrome.exe	78
PID 5056 wrote to memory of 4548	5056	chrome.exe	78
PID 5056 wrote to memory of 4548	5056	chrome.exe	78
PID 5056 wrote to memory of 4548	5056	chrome.exe	78
PID 5056 wrote to memory of 4548	5056	chrome.exe	78
PID 5056 wrote to memory of 4548	5056	chrome.exe	78
PID 5056 wrote to memory of 4548	5056	chrome.exe	78
PID 5056 wrote to memory of 4548	5056	chrome.exe	78
PID 5056 wrote to memory of 4548	5056	chrome.exe	78
PID 5056 wrote to memory of 4548	5056	chrome.exe	78
PID 5056 wrote to memory of 4548	5056	chrome.exe	78
PID 5056 wrote to memory of 4548	5056	chrome.exe	78
PID 5056 wrote to memory of 4548	5056	chrome.exe	78
PID 5056 wrote to memory of 4548	5056	chrome.exe	78
PID 5056 wrote to memory of 4548	5056	chrome.exe	78
PID 5056 wrote to memory of 4548	5056	chrome.exe	78
PID 5056 wrote to memory of 4548	5056	chrome.exe	78
PID 5056 wrote to memory of 4548	5056	chrome.exe	78
PID 5056 wrote to memory of 4548	5056	chrome.exe	78
PID 5056 wrote to memory of 4548	5056	chrome.exe	78
PID 5056 wrote to memory of 4548	5056	chrome.exe	78
PID 5056 wrote to memory of 4548	5056	chrome.exe	78
PID 5056 wrote to memory of 4548	5056	chrome.exe	78
PID 5056 wrote to memory of 4548	5056	chrome.exe	78
PID 5056 wrote to memory of 4484	5056	chrome.exe	79
PID 5056 wrote to memory of 4484	5056	chrome.exe	79
PID 5056 wrote to memory of 1692	5056	chrome.exe	80
PID 5056 wrote to memory of 1692	5056	chrome.exe	80
PID 5056 wrote to memory of 1692	5056	chrome.exe	80
PID 5056 wrote to memory of 1692	5056	chrome.exe	80
PID 5056 wrote to memory of 1692	5056	chrome.exe	80
PID 5056 wrote to memory of 1692	5056	chrome.exe	80
PID 5056 wrote to memory of 1692	5056	chrome.exe	80
PID 5056 wrote to memory of 1692	5056	chrome.exe	80
PID 5056 wrote to memory of 1692	5056	chrome.exe	80
PID 5056 wrote to memory of 1692	5056	chrome.exe	80
PID 5056 wrote to memory of 1692	5056	chrome.exe	80
PID 5056 wrote to memory of 1692	5056	chrome.exe	80
PID 5056 wrote to memory of 1692	5056	chrome.exe	80
PID 5056 wrote to memory of 1692	5056	chrome.exe	80
PID 5056 wrote to memory of 1692	5056	chrome.exe	80
PID 5056 wrote to memory of 1692	5056	chrome.exe	80
PID 5056 wrote to memory of 1692	5056	chrome.exe	80
PID 5056 wrote to memory of 1692	5056	chrome.exe	80
PID 5056 wrote to memory of 1692	5056	chrome.exe	80
PID 5056 wrote to memory of 1692	5056	chrome.exe	80
PID 5056 wrote to memory of 1692	5056	chrome.exe	80
PID 5056 wrote to memory of 1692	5056	chrome.exe	80
PID 5056 wrote to memory of 1692	5056	chrome.exe	80
PID 5056 wrote to memory of 1692	5056	chrome.exe	80
PID 5056 wrote to memory of 1692	5056	chrome.exe	80
PID 5056 wrote to memory of 1692	5056	chrome.exe	80
PID 5056 wrote to memory of 1692	5056	chrome.exe	80
PID 5056 wrote to memory of 1692	5056	chrome.exe	80
PID 5056 wrote to memory of 1692	5056	chrome.exe	80

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://github.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc4ec4ab58,0x7ffc4ec4ab68,0x7ffc4ec4ab78
  2⤵
  PID:4784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1908,i,1115175831047764121,8798601480537759268,131072 /prefetch:2
  2⤵
  PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1908,i,1115175831047764121,8798601480537759268,131072 /prefetch:8
  2⤵
  PID:4484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2248 --field-trial-handle=1908,i,1115175831047764121,8798601480537759268,131072 /prefetch:8
  2⤵
  PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2836 --field-trial-handle=1908,i,1115175831047764121,8798601480537759268,131072 /prefetch:1
  2⤵
  PID:4432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2844 --field-trial-handle=1908,i,1115175831047764121,8798601480537759268,131072 /prefetch:1
  2⤵
  PID:2264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4176 --field-trial-handle=1908,i,1115175831047764121,8798601480537759268,131072 /prefetch:1
  2⤵
  PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4016 --field-trial-handle=1908,i,1115175831047764121,8798601480537759268,131072 /prefetch:8
  2⤵
  PID:3596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4556 --field-trial-handle=1908,i,1115175831047764121,8798601480537759268,131072 /prefetch:8
  2⤵
  PID:1500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4552 --field-trial-handle=1908,i,1115175831047764121,8798601480537759268,131072 /prefetch:8
  2⤵
  PID:392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 --field-trial-handle=1908,i,1115175831047764121,8798601480537759268,131072 /prefetch:8
  2⤵
  PID:408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4556 --field-trial-handle=1908,i,1115175831047764121,8798601480537759268,131072 /prefetch:8
  2⤵
  PID:4636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4152 --field-trial-handle=1908,i,1115175831047764121,8798601480537759268,131072 /prefetch:8
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1572 --field-trial-handle=1908,i,1115175831047764121,8798601480537759268,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1876 --field-trial-handle=1908,i,1115175831047764121,8798601480537759268,131072 /prefetch:8
  2⤵
  PID:2532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4732 --field-trial-handle=1908,i,1115175831047764121,8798601480537759268,131072 /prefetch:8
  2⤵
  PID:3272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 --field-trial-handle=1908,i,1115175831047764121,8798601480537759268,131072 /prefetch:8
  2⤵
  PID:1484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4720 --field-trial-handle=1908,i,1115175831047764121,8798601480537759268,131072 /prefetch:8
  2⤵
  PID:2036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3124 --field-trial-handle=1908,i,1115175831047764121,8798601480537759268,131072 /prefetch:8
  2⤵
  PID:4388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 --field-trial-handle=1908,i,1115175831047764121,8798601480537759268,131072 /prefetch:8
  2⤵
  PID:4696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1876 --field-trial-handle=1908,i,1115175831047764121,8798601480537759268,131072 /prefetch:8
  2⤵
  PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3924 --field-trial-handle=1908,i,1115175831047764121,8798601480537759268,131072 /prefetch:8
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1544 --field-trial-handle=1908,i,1115175831047764121,8798601480537759268,131072 /prefetch:8
  2⤵
  PID:3632
- C:\Users\Admin\Downloads\destr3ktdows (1).exe
  "C:\Users\Admin\Downloads\destr3ktdows (1).exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:4260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
    3⤵
    PID:2280
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
      4⤵
      Modifies registry key
      PID:4340

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4740

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f8 0x49c
1⤵
PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000027

Filesize
50KB

MD5
411304a605b942a2f111831782bc5fca

SHA1
e56ed02610f213390bf3e445a87e458f23f037ed

SHA256
50deeaa3b874d665af30c6f574fe3715e7693636228d19f22c99dd43705373c3

SHA512
f986e3a3ffbb7840f1c129ac99846fbee1b939b9addadc0b73ab6c1c39266d492af3f112d8f19b0e9662710afc33537766a490fa7f14d27c3eff0b2afea83d85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
2ba8375daabd7712d155fbcfe84ea5bb

SHA1
247ab8c38232670bb5d1e70425ded013aa737245

SHA256
7a0a8f0a83b6c927799018cb6128d6ecc0f9577ac4677714a71f315201751e72

SHA512
d010d55be988e9b722a42207ed0b5a0ef9bee2d40ae1106eb4866dfdc608764069d65487d30c12597c09ecdd7ee079f4de559833f1288b255a6cf069f4a0bba7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
941b1293c52c78336debdd3bb67afb7d

SHA1
cf548758b2800ce8482a99b67c718d9fc1e1c0b7

SHA256
e7dc80861f43a669aae6974514604c6e508dccdcb0068fbdd534965a1ad1197f

SHA512
b7bd038a8b67b634dc9f3a45d9f5b885b8ecd6cb8a5d38d6c18eeb1ecc8d3972ca4b348e8ce9ec8e3f5417ebadecc5f88007cd6b00ce73b43dd88ec99f700a50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
2ad427c942f0745a8e94df51ee422c48

SHA1
41864e985ba4661d459222a4b1fe264f6781d70a

SHA256
8d5b1ca1c9576d64f33232a6e182683a653045a31a9153cbcbe124c207a2ef15

SHA512
c628f9b9e308a756c713829a65bbbf1adbc62b1efa171decdd09ed6f965f37ff805b5a3c30ec7d21f5c245d2c0711d43ce9e675b44c8e27d7853ddcd3f3a1af9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
e70e167473101458c0ef356923b33f37

SHA1
d7105aa712a5134793920de3a033aff2b88b6f6e

SHA256
3974ac1798619c5d8c367833dc0140da16b2092188e0d094ead63bcd0d71601c

SHA512
9f5eae495a0d72abafc5badee45c79526c07068130987d1e0b4026022325d26b6c09333674f3a39b418a43d52b44dc0ab6e268169c26bee1213faa13b018b4c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
abae9e4a06ca3bcd6e82334278d7c9f6

SHA1
93fbddd4207b56c69b4d4c8d66c907640d654663

SHA256
07e8e1b9dde88ab1707a8d405a9a84676be6dc0dfa7cd21d24b0fc49108db0cd

SHA512
418abe80919a3b7778e673b92a97a8aea32497464c565176f64fad37585b13ee5ce37449774213886f5deb67fa2c636c6a7a596fa7cc95e0d9f2e942acdba1ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1018B

MD5
c4086b72533b49b6c967a3775882e9fc

SHA1
176c4c988f8fd1a93560fcb729371230e509a949

SHA256
7f8ff88a3df55a41b5cb63031f0b948e0567bda60cfaa0e3a66055a5ce99f340

SHA512
2cf3886ffcb932cb18ee912a47b3eb0786978174639a12a6f60991db3c6f04be9901f381833b19adb79aa402a68c9f28345b04abfce1e5e3ab914a0ce1938be2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
22e887491305ef1507f0d11188866305

SHA1
ce488fc86099e98240697c20c0db92a80a48e81b

SHA256
c74e4d35c49ddaabeab0d4c526d883e77d310b965a6c04caab4e590f2304fb98

SHA512
f2165c35943f6d1e5fea2bf4467114d73d01e5a691e8b4fe9ca547d0d4781968c917d0f694ae2a083cbed554cb36924533ff701865fa999dfa865d16d9981f12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e773e50372d481e1be3cafee957ff59e

SHA1
dcabf427273628d4bbab52fdd4fd332b282ab0d8

SHA256
f99c1e8c095f27a3511cd4d56ce86753c516409f626efa663206147e07a8579e

SHA512
4535ae1025206ab7d27d0f3c45b759d6527ff02e29af0cf5fb8ad37b45f1d57d10d267b30a0a3adaa30b6ee80bd91124ad0d3fc639b2f4fd30cf59c27f27234a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ea66c7bf7c16bc0ca6a4bed3ee099207

SHA1
c78d042119ea848ee88d27e3f77210550f41a635

SHA256
5bc37ee2a7a23ed3c4762a989462b65a4a082e625addb559548f768607713786

SHA512
e19b411df855966dc1783ebf8446ca56770b61c2d37cc86706df6eebac9df5bd5f1793ddfa4d968643f5d730a695db23f310e5bacee10069c60c939a42b3b0ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2aa38b2a904de385061503f7873c9eb9

SHA1
33233f6b0d57de05677c2d5a0d163274278c0a39

SHA256
537d23f259076d071988b2087b5d0500667c18bddacc3a020e3b15b6f39fdb41

SHA512
846eb39365dd0ca157a91b62f59a129786787887ff4b73e2c228a3745523cca512950dc8fb4b40a2219ad8b90658fb40ddc5d502e14477df5e562362185b9a03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4b41891ae9fcc1dbbc6cac466b845bf2

SHA1
d1606005c6e462da1757c77f07e703810d3e5883

SHA256
5f30328b01f22ac73ddf1f6f089983e9fb323b491fe824303ee999da5427c940

SHA512
e3bb219eae019b9f723c48e6a1072fd84f1d078a16ef8291f480fcd65b377dbc3cf4e8b1fb9d186a2d5b47d3a121003f1518cb9dd78599d10eff9d445243066b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
aca0840dded69443d9fc177b539ab2c4

SHA1
2321f3514974f7bf2f1ed5b4c90e16f840a53f19

SHA256
085bca9b98659d338e89b46cca74ff3b007c60ddd2de070a032a1e6d4a030222

SHA512
98f2c7e5ec0d9d255c034c1034ca5e0c7a4dc76791f23332e61a9d312ee6cff6e58cf0097236f44506ea28b9bdd93eaf59ba47dd4fe136949e8105122f60eae9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
7b01cddda2cc588fbe56d10e9511bcad

SHA1
5e4baf46431d9a33178c5feb512f59d81d259a93

SHA256
2e9ddaa8e951a6a04c0070417567deaf9d2bdfe5e6707ece77201b0ee59eeefb

SHA512
18890df05cd70be852757a8e885c4505e2215c901578d9213452669d5655cecc4eefc52e6200b5380d548024244cad0f320f534375d29f603caa8d4f3b93a0b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
dc81009f34e2344e2857749f618eae61

SHA1
782a4459865c408d11cdb3478bc10bb39a3ea1f5

SHA256
da245c1d51a26f4de7aa6279a694265b4cb21fc834e4f49935d0278364966acd

SHA512
194c5c225e7c6ed5e5d6bf09aceb53dac6b4295ea556f84e380f5361ae502a6d81862e1baf82ca0c41b1336973232025432cb0e8a3b3fe03f94e37620f5a0a6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
431cc790f15e573eebae9b2509496ebf

SHA1
826730ee59920c5603e73c59ac383344076e6d0d

SHA256
97782e4f4caa98c432f6e2c22f844dc98605af7027fb9cb2d0f9e7a20eef517d

SHA512
326e1993889acc1ee984a2353af12324d90faaaf8b98032ae32ac4a24836eb9b74ee43395b32c3ba6351bcefe6896309bc28be67656957148f92dcbabf3da7b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
c4e50f2101c19546f4ccc21f55f44cb7

SHA1
f06eea3943c24cacb02cea9e2823cd7cd736fb9f

SHA256
f607382d6cf3a0ca1a9be9fa3b70a3e0cf3f1bf82667767fc23c49d6237df795

SHA512
3b97a9fe2c74a4207634f615d5d0e1df3d6f00447b9210b30a57fae59b23b361c54ba3293c06747dd7b415e755c7e23bb706546e074dcb7f1ca4bcec17af2d72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
ee6df1079b163fddb836d04e94a3260c

SHA1
58ce9a407f0c3da3e742540707867d55032a05b5

SHA256
2144a2007834d85100c22efe388653e98d42dc3d33d6d038978e75e8a338a3ed

SHA512
4e93e425724316525ad7ad1b0c61d3ea244b82dc5b32c5d47372b14b34bc4decf9fcc7755384e4a396e40842f7752a053efb2e47c222b5b5e791630f0909c81e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
91KB

MD5
55680b50ac73c5874dc41689489991f8

SHA1
8b137233bca57d51c884bc0d4d97b697e7e39210

SHA256
775ca8cbb2eb9ac86b3cbd0f7804b17e6831862b5ee92395af5d1c76b6e0b0c4

SHA512
d236acf357063ebdc115b70a6334daa81f9e6b01aa87a53eb0dbf6f4663f3b8fdb64eec20a12d0cbffb3a2d66613bf77ac82aa20cbc9d452f3db4e9a631420ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
104KB

MD5
f6452643a8ad1733760a45a557a31304

SHA1
71e25cdca7bc859ed18e6aa2883160534e92f878

SHA256
7e99ea8021be52a7321cb8ce58f2ed945887a58abded22ab66fad8daa6835b6d

SHA512
609b961f8293da82ca61b86415b3a00575aa5cb8d3a3e26e6d380162d511756cc4f5b645dcafa9bd3d98fd222efd8f406906b44a0ed07ec8b2cb4d60491908e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
97KB

MD5
d446e0a709a08d9b56df7d038132e787

SHA1
a31349f897fac505e87ad9a61d6d1a2cbb223b82

SHA256
265f6f922a19dce6d47ae8055c60ae6f1fee8bfb85c99f5835cee634e63f8ecf

SHA512
e89f6090769ff63dfa7171693e22e9da0be05837e43d06b8bba8448dbbc2bb4a7986e1068c2bfb8b72eb5123a261c0e26ae02e308c81db62761c6d830f830f44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57dab0.TMP

Filesize
88KB

MD5
0e0e3769c7105e3c4dfedda989d3829d

SHA1
8e65f976004a9595e4f659b54cd59c57d4d4e08d

SHA256
27155c34085b91d968291d6b8e6deea4c536d623abbf4270223bda2638ea4b81

SHA512
dd67e5c8091884697a896d17dae8dcbf60eacc639c44e4a1c92422cadce83de299f58ce13435d6345cf809fa830ee3eff66e72097dee0d1c300d76f2221f660d

Download Submit