b720aa9c58b19eec96664d807ffeef3518655dea880cdc71bbb6b037e1da7c2d

Analysis

max time kernel
160s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Guardian Browser.exe
Size

158.3MB
MD5

aafa839b0874605018b2e3ec6a34dbcf
SHA1

c17fc2bbee408800bc0fb1dbb324bfc3bb504528
SHA256

f4fdbbdcba6145bb277958790eb5bc62130485e704acef4682574d6ef2a73c17
SHA512

0b89277eea60e92c9a0694f9d45e4f62301a887df777f03679ede04f5982042050cb39ae7117669b7b640e13f780182b99257086c772a0fd2a6ba8eb2a3cb69d
SSDEEP

1572864:0bVZx8PLGKEULTQ9hm/C1tdUKYjgTwFoKnRQwsu/YfWXV/NiisGItlAdgAnEk0H1:zvCqSkRm

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Guardian Browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Guardian Browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Guardian Browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Guardian Browser.exe

Loads dropped DLL 1 IoCs

pid	Process
2376	Guardian Browser.exe

Unexpected DNS network traffic destination 45 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Looks up external IP address via web service 45 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
88	icanhazip.com
142	icanhazip.com
152	icanhazip.com
205	icanhazip.com
215	icanhazip.com
30	api.ipify.org
31	api.ipify.org
63	icanhazip.com
221	icanhazip.com
233	icanhazip.com
66	icanhazip.com
113	icanhazip.com
121	icanhazip.com
146	icanhazip.com
168	icanhazip.com
195	icanhazip.com
218	icanhazip.com
125	icanhazip.com
187	icanhazip.com
198	icanhazip.com
201	icanhazip.com
212	icanhazip.com
59	icanhazip.com
99	icanhazip.com
103	icanhazip.com
224	icanhazip.com
227	icanhazip.com
69	icanhazip.com
96	icanhazip.com
174	icanhazip.com
84	icanhazip.com
149	icanhazip.com
155	icanhazip.com
191	icanhazip.com
230	icanhazip.com
20	icanhazip.com
55	api.ipify.org
76	api.ipify.org
158	icanhazip.com
161	icanhazip.com
183	icanhazip.com
236	icanhazip.com
80	icanhazip.com
92	icanhazip.com
135	icanhazip.com

Checks SCSI registry key(s) 3 TTPs 48 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	pnputil.exe

Modifies registry class 8 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\proctorU\URL Protocol	Guardian Browser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\proctorU\ = "URL:proctorU"	Guardian Browser.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\proctorU\shell\open\command	Guardian Browser.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\proctorU\shell	Guardian Browser.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\proctorU\shell\open	Guardian Browser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\proctorU\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Guardian Browser.exe\" \"%1\""	Guardian Browser.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{B3029E97-7C4A-4783-9607-F0EBC5AD7690}	Guardian Browser.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\proctorU	Guardian Browser.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3328	Guardian Browser.exe
3328	Guardian Browser.exe
3328	Guardian Browser.exe
3328	Guardian Browser.exe
4312	Guardian Browser.exe
4312	Guardian Browser.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1820	Guardian Browser.exe
Token: SeCreatePagefilePrivilege	1820	Guardian Browser.exe
Token: SeShutdownPrivilege	1820	Guardian Browser.exe
Token: SeCreatePagefilePrivilege	1820	Guardian Browser.exe
Token: SeShutdownPrivilege	1820	Guardian Browser.exe
Token: SeCreatePagefilePrivilege	1820	Guardian Browser.exe
Token: SeShutdownPrivilege	1820	Guardian Browser.exe
Token: SeCreatePagefilePrivilege	1820	Guardian Browser.exe
Token: SeShutdownPrivilege	1820	Guardian Browser.exe
Token: SeCreatePagefilePrivilege	1820	Guardian Browser.exe
Token: SeShutdownPrivilege	1820	Guardian Browser.exe
Token: SeCreatePagefilePrivilege	1820	Guardian Browser.exe
Token: SeShutdownPrivilege	1820	Guardian Browser.exe
Token: SeCreatePagefilePrivilege	1820	Guardian Browser.exe
Token: SeShutdownPrivilege	1820	Guardian Browser.exe
Token: SeCreatePagefilePrivilege	1820	Guardian Browser.exe
Token: SeShutdownPrivilege	1820	Guardian Browser.exe
Token: SeCreatePagefilePrivilege	1820	Guardian Browser.exe
Token: SeShutdownPrivilege	1820	Guardian Browser.exe
Token: SeCreatePagefilePrivilege	1820	Guardian Browser.exe
Token: SeShutdownPrivilege	1820	Guardian Browser.exe
Token: SeCreatePagefilePrivilege	1820	Guardian Browser.exe
Token: SeShutdownPrivilege	1820	Guardian Browser.exe
Token: SeCreatePagefilePrivilege	1820	Guardian Browser.exe
Token: SeShutdownPrivilege	1820	Guardian Browser.exe
Token: SeCreatePagefilePrivilege	1820	Guardian Browser.exe
Token: SeShutdownPrivilege	1820	Guardian Browser.exe
Token: SeCreatePagefilePrivilege	1820	Guardian Browser.exe
Token: SeShutdownPrivilege	1820	Guardian Browser.exe
Token: SeCreatePagefilePrivilege	1820	Guardian Browser.exe
Token: SeShutdownPrivilege	1820	Guardian Browser.exe
Token: SeCreatePagefilePrivilege	1820	Guardian Browser.exe
Token: SeShutdownPrivilege	1820	Guardian Browser.exe
Token: SeCreatePagefilePrivilege	1820	Guardian Browser.exe
Token: SeShutdownPrivilege	1820	Guardian Browser.exe
Token: SeCreatePagefilePrivilege	1820	Guardian Browser.exe
Token: SeShutdownPrivilege	1820	Guardian Browser.exe
Token: SeCreatePagefilePrivilege	1820	Guardian Browser.exe
Token: SeShutdownPrivilege	1820	Guardian Browser.exe
Token: SeCreatePagefilePrivilege	1820	Guardian Browser.exe
Token: SeShutdownPrivilege	1820	Guardian Browser.exe
Token: SeCreatePagefilePrivilege	1820	Guardian Browser.exe
Token: SeShutdownPrivilege	1820	Guardian Browser.exe
Token: SeCreatePagefilePrivilege	1820	Guardian Browser.exe
Token: SeShutdownPrivilege	1820	Guardian Browser.exe
Token: SeCreatePagefilePrivilege	1820	Guardian Browser.exe
Token: SeShutdownPrivilege	1820	Guardian Browser.exe
Token: SeCreatePagefilePrivilege	1820	Guardian Browser.exe
Token: SeShutdownPrivilege	1820	Guardian Browser.exe
Token: SeCreatePagefilePrivilege	1820	Guardian Browser.exe
Token: SeShutdownPrivilege	1820	Guardian Browser.exe
Token: SeCreatePagefilePrivilege	1820	Guardian Browser.exe
Token: SeShutdownPrivilege	1820	Guardian Browser.exe
Token: SeCreatePagefilePrivilege	1820	Guardian Browser.exe
Token: SeShutdownPrivilege	1820	Guardian Browser.exe
Token: SeCreatePagefilePrivilege	1820	Guardian Browser.exe
Token: SeShutdownPrivilege	1820	Guardian Browser.exe
Token: SeCreatePagefilePrivilege	1820	Guardian Browser.exe
Token: SeShutdownPrivilege	1820	Guardian Browser.exe
Token: SeCreatePagefilePrivilege	1820	Guardian Browser.exe
Token: SeShutdownPrivilege	1820	Guardian Browser.exe
Token: SeCreatePagefilePrivilege	1820	Guardian Browser.exe
Token: SeShutdownPrivilege	1820	Guardian Browser.exe
Token: SeCreatePagefilePrivilege	1820	Guardian Browser.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 620	1820	Guardian Browser.exe	89
PID 1820 wrote to memory of 620	1820	Guardian Browser.exe	89
PID 620 wrote to memory of 1200	620	cmd.exe	92
PID 620 wrote to memory of 1200	620	cmd.exe	92
PID 1820 wrote to memory of 1392	1820	Guardian Browser.exe	94
PID 1820 wrote to memory of 1392	1820	Guardian Browser.exe	94
PID 1820 wrote to memory of 2376	1820	Guardian Browser.exe	95
PID 1820 wrote to memory of 2376	1820	Guardian Browser.exe	95
PID 1820 wrote to memory of 3328	1820	Guardian Browser.exe	96
PID 1820 wrote to memory of 3328	1820	Guardian Browser.exe	96
PID 1820 wrote to memory of 1996	1820	Guardian Browser.exe	97
PID 1820 wrote to memory of 1996	1820	Guardian Browser.exe	97
PID 1820 wrote to memory of 1996	1820	Guardian Browser.exe	97
PID 1820 wrote to memory of 1996	1820	Guardian Browser.exe	97
PID 1820 wrote to memory of 1996	1820	Guardian Browser.exe	97
PID 1820 wrote to memory of 1996	1820	Guardian Browser.exe	97
PID 1820 wrote to memory of 1996	1820	Guardian Browser.exe	97
PID 1820 wrote to memory of 1996	1820	Guardian Browser.exe	97
PID 1820 wrote to memory of 1996	1820	Guardian Browser.exe	97
PID 1820 wrote to memory of 1996	1820	Guardian Browser.exe	97
PID 1820 wrote to memory of 1996	1820	Guardian Browser.exe	97
PID 1820 wrote to memory of 1996	1820	Guardian Browser.exe	97
PID 1820 wrote to memory of 1996	1820	Guardian Browser.exe	97
PID 1820 wrote to memory of 1996	1820	Guardian Browser.exe	97
PID 1820 wrote to memory of 1996	1820	Guardian Browser.exe	97
PID 1820 wrote to memory of 1996	1820	Guardian Browser.exe	97
PID 1820 wrote to memory of 1996	1820	Guardian Browser.exe	97
PID 1820 wrote to memory of 1996	1820	Guardian Browser.exe	97
PID 1820 wrote to memory of 1996	1820	Guardian Browser.exe	97
PID 1820 wrote to memory of 1996	1820	Guardian Browser.exe	97
PID 1820 wrote to memory of 1996	1820	Guardian Browser.exe	97
PID 1820 wrote to memory of 1996	1820	Guardian Browser.exe	97
PID 1820 wrote to memory of 1996	1820	Guardian Browser.exe	97
PID 1820 wrote to memory of 1996	1820	Guardian Browser.exe	97
PID 1820 wrote to memory of 1996	1820	Guardian Browser.exe	97
PID 1820 wrote to memory of 1996	1820	Guardian Browser.exe	97
PID 1820 wrote to memory of 1996	1820	Guardian Browser.exe	97
PID 1820 wrote to memory of 1996	1820	Guardian Browser.exe	97
PID 1820 wrote to memory of 1996	1820	Guardian Browser.exe	97
PID 1820 wrote to memory of 1996	1820	Guardian Browser.exe	97
PID 1820 wrote to memory of 3772	1820	Guardian Browser.exe	98
PID 1820 wrote to memory of 3772	1820	Guardian Browser.exe	98
PID 1820 wrote to memory of 640	1820	Guardian Browser.exe	99
PID 1820 wrote to memory of 640	1820	Guardian Browser.exe	99
PID 1820 wrote to memory of 3796	1820	Guardian Browser.exe	100
PID 1820 wrote to memory of 3796	1820	Guardian Browser.exe	100
PID 1820 wrote to memory of 4804	1820	Guardian Browser.exe	101
PID 1820 wrote to memory of 4804	1820	Guardian Browser.exe	101
PID 1820 wrote to memory of 1776	1820	Guardian Browser.exe	102
PID 1820 wrote to memory of 1776	1820	Guardian Browser.exe	102
PID 1820 wrote to memory of 1776	1820	Guardian Browser.exe	102
PID 1820 wrote to memory of 1776	1820	Guardian Browser.exe	102
PID 1820 wrote to memory of 1776	1820	Guardian Browser.exe	102
PID 1820 wrote to memory of 1776	1820	Guardian Browser.exe	102
PID 1820 wrote to memory of 1776	1820	Guardian Browser.exe	102
PID 1820 wrote to memory of 1776	1820	Guardian Browser.exe	102
PID 1820 wrote to memory of 1776	1820	Guardian Browser.exe	102
PID 1820 wrote to memory of 1776	1820	Guardian Browser.exe	102
PID 1820 wrote to memory of 1776	1820	Guardian Browser.exe	102
PID 1820 wrote to memory of 1776	1820	Guardian Browser.exe	102
PID 1820 wrote to memory of 1776	1820	Guardian Browser.exe	102
PID 1820 wrote to memory of 1776	1820	Guardian Browser.exe	102
PID 1820 wrote to memory of 1776	1820	Guardian Browser.exe	102
PID 1820 wrote to memory of 1776	1820	Guardian Browser.exe	102

C:\Users\Admin\AppData\Local\Temp\Guardian Browser.exe
"C:\Users\Admin\AppData\Local\Temp\Guardian Browser.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:1200
- C:\Users\Admin\AppData\Local\Temp\Guardian Browser.exe
  "C:\Users\Admin\AppData\Local\Temp\Guardian Browser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Roaming\Guardian Browser" /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Guardian Browser\Crashpad" --url=https://f.a.k/e "--annotation=_productName=Guardian Browser" --annotation=_version=1.3.0 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=26.1.0 --initial-client-data=0x494,0x49c,0x4a0,0x498,0x4a4,0x7ff7b58e1ef8,0x7ff7b58e1f08,0x7ff7b58e1f18
  2⤵
  PID:1392
- C:\Users\Admin\AppData\Local\Temp\Guardian Browser.exe
  "C:\Users\Admin\AppData\Local\Temp\Guardian Browser.exe" --type=utility --utility-sub-type=node.mojom.NodeService --lang --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Guardian Browser" --standard-schemes --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=1692 --field-trial-handle=1696,i,10950266974839909047,11996517890405363152,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Loads dropped DLL
  PID:2376
- - C:\Windows\system32\pnputil.exe
    pnputil.exe /enum-devices /connected /class Bluetooth
    3⤵
    - Checks SCSI registry key(s)
    PID:3148
- - C:\Windows\system32\pnputil.exe
    pnputil.exe /enum-devices /connected /class Bluetooth
    3⤵
    - Checks SCSI registry key(s)
    PID:2196
- - C:\Windows\system32\pnputil.exe
    pnputil.exe /enum-devices /connected /class Bluetooth
    3⤵
    - Checks SCSI registry key(s)
    PID:228
- - C:\Windows\system32\pnputil.exe
    pnputil.exe /enum-devices /connected /class Bluetooth
    3⤵
    - Checks SCSI registry key(s)
    PID:3908
- - C:\Windows\system32\pnputil.exe
    pnputil.exe /enum-devices /connected /class Bluetooth
    3⤵
    - Checks SCSI registry key(s)
    PID:4424
- - C:\Windows\system32\pnputil.exe
    pnputil.exe /enum-devices /connected /class Bluetooth
    3⤵
    - Checks SCSI registry key(s)
    PID:4376
- - C:\Windows\system32\pnputil.exe
    pnputil.exe /enum-devices /connected /class Bluetooth
    3⤵
    - Checks SCSI registry key(s)
    PID:4944
- - C:\Windows\system32\pnputil.exe
    pnputil.exe /enum-devices /connected /class Bluetooth
    3⤵
    - Checks SCSI registry key(s)
    PID:1700
- - C:\Windows\system32\pnputil.exe
    pnputil.exe /enum-devices /connected /class Bluetooth
    3⤵
    - Checks SCSI registry key(s)
    PID:1952
- - C:\Windows\system32\pnputil.exe
    pnputil.exe /enum-devices /connected /class Bluetooth
    3⤵
    - Checks SCSI registry key(s)
    PID:4232
- - C:\Windows\system32\pnputil.exe
    pnputil.exe /enum-devices /connected /class Bluetooth
    3⤵
    - Checks SCSI registry key(s)
    PID:4404
- - C:\Windows\system32\pnputil.exe
    pnputil.exe /enum-devices /connected /class Bluetooth
    3⤵
    - Checks SCSI registry key(s)
    PID:3768
- C:\Users\Admin\AppData\Local\Temp\Guardian Browser.exe
  "C:\Users\Admin\AppData\Local\Temp\Guardian Browser.exe" --type=utility --utility-sub-type=node.mojom.NodeService --lang --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Guardian Browser" --standard-schemes --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=1756 --field-trial-handle=1696,i,10950266974839909047,11996517890405363152,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3328
- C:\Users\Admin\AppData\Local\Temp\Guardian Browser.exe
  "C:\Users\Admin\AppData\Local\Temp\Guardian Browser.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Guardian Browser" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1784 --field-trial-handle=1696,i,10950266974839909047,11996517890405363152,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:1996
- C:\Users\Admin\AppData\Local\Temp\Guardian Browser.exe
  "C:\Users\Admin\AppData\Local\Temp\Guardian Browser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Guardian Browser" --standard-schemes --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=2188 --field-trial-handle=1696,i,10950266974839909047,11996517890405363152,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:3772
- C:\Users\Admin\AppData\Local\Temp\Guardian Browser.exe
  "C:\Users\Admin\AppData\Local\Temp\Guardian Browser.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Guardian Browser" --standard-schemes --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2452 --field-trial-handle=1696,i,10950266974839909047,11996517890405363152,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  PID:640
- C:\Users\Admin\AppData\Local\Temp\Guardian Browser.exe
  "C:\Users\Admin\AppData\Local\Temp\Guardian Browser.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Guardian Browser" --standard-schemes --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2688 --field-trial-handle=1696,i,10950266974839909047,11996517890405363152,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  PID:3796
- C:\Users\Admin\AppData\Local\Temp\Guardian Browser.exe
  "C:\Users\Admin\AppData\Local\Temp\Guardian Browser.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Guardian Browser" --standard-schemes --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3524 --field-trial-handle=1696,i,10950266974839909047,11996517890405363152,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  PID:4804
- C:\Users\Admin\AppData\Local\Temp\Guardian Browser.exe
  "C:\Users\Admin\AppData\Local\Temp\Guardian Browser.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\Guardian Browser" --standard-schemes --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=3492 --field-trial-handle=1696,i,10950266974839909047,11996517890405363152,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:1776
- C:\Users\Admin\AppData\Local\Temp\Guardian Browser.exe
  "C:\Users\Admin\AppData\Local\Temp\Guardian Browser.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Guardian Browser" --standard-schemes --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=3608 --field-trial-handle=1696,i,10950266974839909047,11996517890405363152,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Modifies registry class
  PID:1200
- C:\Users\Admin\AppData\Local\Temp\Guardian Browser.exe
  "C:\Users\Admin\AppData\Local\Temp\Guardian Browser.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Guardian Browser" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1308 --field-trial-handle=1696,i,10950266974839909047,11996517890405363152,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1268 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:224

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x324 0x244
1⤵
PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6cbb149e-b506-44e3-93b7-0db757381bc6.tmp.node

Filesize
702KB

MD5
518ce124b8b0a9b4572fee6c63d11884

SHA1
52e25f11fc6c105ba36aa0ddae261df51aea3b06

SHA256
2593a01e30d074426e44be366c1cca03b18f67eda0db950ee302b842f5c3f446

SHA512
f27a9344a3af8aa26a066b99ff69a3e1367afbac29f5ae7438be418b972770c2d9099be39bd9a4cab571813408dbfe0a15db884432b25c2a0215c8a9c244ecc6

Download Submit
C:\Users\Admin\AppData\Roaming\Guardian Browser\Network\Network Persistent State

Filesize
300B

MD5
3da095acd163a72a1485fa1547ac6e63

SHA1
47453829475989c7ade813662f9f0e3be587706e

SHA256
d66a63defc5747088b3f2325cf06620f8dbf16144fd971cbfb97fc6a31689706

SHA512
7c10a47a00d40569b062af94e1a794e5d1ce73fac236225cfa36d76ea218773f1abd1d0b1d39d1f0e9b0fe52d474498353c4a2110f4f0db4096da2957936d2fd

Download Submit
C:\Users\Admin\AppData\Roaming\Guardian Browser\Network\Network Persistent State~RFe5a324c.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\Guardian Browser\Preferences

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\Guardian Browser\Preferences

Filesize
226B

MD5
88dd5c3129f11babf116b6345f50f5ac

SHA1
f7a702dbee373b534842e5a90f0004260203c6ca

SHA256
a86f01d20d11c72854aab22daa4685213528a764997a27da30a92b20a6a900c7

SHA512
1c4b68f96b367b191c21f417552a121ca9057f0fa86c6bf7151b984423c0ad3aec06010da80544258925b9053b40cf322c652506d9a854909b366eb1b4ec4965

Download Submit
C:\Users\Admin\AppData\Roaming\Guardian Browser\Preferences~RFe593128.TMP

Filesize
151B

MD5
4bf0b976bc6c028cb538bb8aa145266b

SHA1
4c94f0702d2689381bfdb5a40a3e4aeb33999025

SHA256
e329dcbfcbd23edb4609362090d4d7d43a38b5130826ace4ab781cb307b0bfaf

SHA512
338c11d4599407e182785f6874e1781adb2543dd4f6fc4e5dd4b3f74765096e48dc6db9e1e3b1f78e6cf94a4c8ed36bcd8abe3429a8826cf80373547995c62c7

Download Submit
C:\Users\Admin\AppData\Roaming\Guardian Browser\sentry\scope_v2.json

Filesize
9KB

MD5
01fe059571694f5c610c6b2e557702d7

SHA1
436113cc85f9a18ecde893c090ecf9447b623b91

SHA256
f8d4ad67a74eb30c2db175235a6cfb316bcb2e56c305d2598846cda56c91f825

SHA512
b54362d868ad63589a7b2ec95fdfe85309388d157e30b83805615678a076158efc4a06d9bfa5d318195fe058a428bacd61775bc80733b5728eb4f7b540bc8cf8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/1776-106-0x0000025D83F20000-0x0000025D8404A000-memory.dmp

Filesize
1.2MB

Download
memory/1776-111-0x0000025D83F20000-0x0000025D8404A000-memory.dmp

Filesize
1.2MB

Download
memory/1776-113-0x0000025D83F20000-0x0000025D8404A000-memory.dmp

Filesize
1.2MB

Download
memory/1776-120-0x0000025D83F20000-0x0000025D8404A000-memory.dmp

Filesize
1.2MB

Download
memory/1776-80-0x00007FFD5D630000-0x00007FFD5D631000-memory.dmp

Filesize
4KB

Download
memory/4312-140-0x0000024E24540000-0x0000024E24541000-memory.dmp

Filesize
4KB

Download
memory/4312-141-0x0000024E24540000-0x0000024E24541000-memory.dmp

Filesize
4KB

Download
memory/4312-139-0x0000024E24540000-0x0000024E24541000-memory.dmp

Filesize
4KB

Download
memory/4312-151-0x0000024E24540000-0x0000024E24541000-memory.dmp

Filesize
4KB

Download
memory/4312-150-0x0000024E24540000-0x0000024E24541000-memory.dmp

Filesize
4KB

Download
memory/4312-149-0x0000024E24540000-0x0000024E24541000-memory.dmp

Filesize
4KB

Download
memory/4312-148-0x0000024E24540000-0x0000024E24541000-memory.dmp

Filesize
4KB

Download
memory/4312-147-0x0000024E24540000-0x0000024E24541000-memory.dmp

Filesize
4KB

Download
memory/4312-146-0x0000024E24540000-0x0000024E24541000-memory.dmp

Filesize
4KB

Download
memory/4312-145-0x0000024E24540000-0x0000024E24541000-memory.dmp

Filesize
4KB

Download