ed6566cd8828d0d9a7bd2bd7731df7703977d9b18fa7ede31bb8b1835b12da78

Resubmissions

22-05-2024 12:10

240522-pb7phahb83 10

12-05-2024 07:01

240512-htqqdadg4w 10

Analysis

max time kernel
146s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
12-05-2024 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

femordial.dll
Size

36.1MB
MD5

38bf550f8d73ea9791d7778d9b6b44a8
SHA1

67bf70a4d78f9f18b1af30cd9c85c632b52188c1
SHA256

ed6566cd8828d0d9a7bd2bd7731df7703977d9b18fa7ede31bb8b1835b12da78
SHA512

cfff6d55b90a42be22d09aaf30eed718b71fff8bfddab2404e968359a18ab8aec679a4ca85e144d3527602fd515a03724e897addd68865e796b0a387f582fd7f
SSDEEP

393216:g4S82OrtN+zJkGsF20dH5ZXtpKjzw1QxgvLqmNAmjpy:7OOrtN+zJkGsF2OZZXuv4GcLjp

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

SystemSettingsAdminFlows.exe

description ioc process

File opened (read-only) \??\F: SystemSettingsAdminFlows.exe

description	ioc	process
File opened (read-only)	\??\F:	SystemSettingsAdminFlows.exe

Drops file in Windows directory 4 IoCs

Processes:

UserOOBEBroker.exe

description	ioc	process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4448 5028 WerFault.exe rundll32.exe
2848 5028 WerFault.exe rundll32.exe

pid	pid_target	process	target process
4448	5028	WerFault.exe	rundll32.exe
2848	5028	WerFault.exe	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exeSearchHost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

SearchHost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\GPU SearchHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133599709973011755"	chrome.exe

Modifies registry class 41 IoCs

Processes:

SearchHost.exeMiniSearchHost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "1097"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "11242"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "18346"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "27770"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "1825"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1064"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "6193"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "8778"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "1064"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "6193"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "16277"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "1825"	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "27770"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1825"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "1097"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "11242"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "8778"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "16277"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "16277"	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\MuiCache	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "6193"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "18346"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "27770"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1097"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "1064"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "11242"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "8778"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "18346"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchHost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

3056 chrome.exe
3056 chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 28 IoCs

Processes:

chrome.exe

pid	process
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeCreatePagefilePrivilege	3056	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

chrome.exe

pid	process
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid	process
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

TextInputHost.exeMiniSearchHost.exeSearchHost.exeSystemSettingsAdminFlows.exe

pid process

3364 TextInputHost.exe
3364 TextInputHost.exe
3364 TextInputHost.exe
6112 MiniSearchHost.exe
912 SearchHost.exe
5648 SystemSettingsAdminFlows.exe

pid	process
3364	TextInputHost.exe
3364	TextInputHost.exe
3364	TextInputHost.exe
6112	MiniSearchHost.exe
912	SearchHost.exe
5648	SystemSettingsAdminFlows.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exechrome.exe

description	pid	process	target process
PID 1220 wrote to memory of 5028	1220	rundll32.exe	rundll32.exe
PID 1220 wrote to memory of 5028	1220	rundll32.exe	rundll32.exe
PID 1220 wrote to memory of 5028	1220	rundll32.exe	rundll32.exe
PID 3056 wrote to memory of 1004	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 1004	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 3604	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 3604	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 3604	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 3604	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 3604	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 3604	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 3604	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 3604	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 3604	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 3604	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 3604	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 3604	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 3604	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 3604	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 3604	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 3604	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 3604	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 3604	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 3604	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 3604	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 3604	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 3604	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 3604	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 3604	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 3604	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 3604	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 3604	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 3604	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 3604	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 3604	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 3604	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 4844	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 4844	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 1388	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 1388	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 1388	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 1388	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 1388	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 1388	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 1388	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 1388	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 1388	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 1388	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 1388	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 1388	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 1388	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 1388	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 1388	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 1388	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 1388	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 1388	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 1388	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 1388	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 1388	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 1388	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 1388	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 1388	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 1388	3056	chrome.exe	chrome.exe
PID 3056 wrote to memory of 1388	3056	chrome.exe	chrome.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\femordial.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\femordial.dll,#1
  2⤵
  PID:5028
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 484
    3⤵
    - Program crash
    PID:4448
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 432
    3⤵
    - Program crash
    PID:2848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5028 -ip 5028
1⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5028 -ip 5028
1⤵
PID:4896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xe8,0x10c,0x7ff9b183ab58,0x7ff9b183ab68,0x7ff9b183ab78
  2⤵
  PID:1004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1836,i,10409627620164363242,8103749438002603750,131072 /prefetch:2
  2⤵
  PID:3604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1836,i,10409627620164363242,8103749438002603750,131072 /prefetch:8
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2224 --field-trial-handle=1836,i,10409627620164363242,8103749438002603750,131072 /prefetch:8
  2⤵
  PID:1388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=1836,i,10409627620164363242,8103749438002603750,131072 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3228 --field-trial-handle=1836,i,10409627620164363242,8103749438002603750,131072 /prefetch:1
  2⤵
  PID:1468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3516 --field-trial-handle=1836,i,10409627620164363242,8103749438002603750,131072 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4396 --field-trial-handle=1836,i,10409627620164363242,8103749438002603750,131072 /prefetch:8
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4556 --field-trial-handle=1836,i,10409627620164363242,8103749438002603750,131072 /prefetch:8
  2⤵
  PID:2592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 --field-trial-handle=1836,i,10409627620164363242,8103749438002603750,131072 /prefetch:8
  2⤵
  PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4752 --field-trial-handle=1836,i,10409627620164363242,8103749438002603750,131072 /prefetch:8
  2⤵
  PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4896 --field-trial-handle=1836,i,10409627620164363242,8103749438002603750,131072 /prefetch:8
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4628 --field-trial-handle=1836,i,10409627620164363242,8103749438002603750,131072 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4764 --field-trial-handle=1836,i,10409627620164363242,8103749438002603750,131072 /prefetch:1
  2⤵
  PID:3152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3480 --field-trial-handle=1836,i,10409627620164363242,8103749438002603750,131072 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3424 --field-trial-handle=1836,i,10409627620164363242,8103749438002603750,131072 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4340 --field-trial-handle=1836,i,10409627620164363242,8103749438002603750,131072 /prefetch:8
  2⤵
  PID:4520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4544 --field-trial-handle=1836,i,10409627620164363242,8103749438002603750,131072 /prefetch:8
  2⤵
  PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3468 --field-trial-handle=1836,i,10409627620164363242,8103749438002603750,131072 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=3460 --field-trial-handle=1836,i,10409627620164363242,8103749438002603750,131072 /prefetch:1
  2⤵
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=2848 --field-trial-handle=1836,i,10409627620164363242,8103749438002603750,131072 /prefetch:1
  2⤵
  PID:1304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5164 --field-trial-handle=1836,i,10409627620164363242,8103749438002603750,131072 /prefetch:1
  2⤵
  PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5360 --field-trial-handle=1836,i,10409627620164363242,8103749438002603750,131072 /prefetch:1
  2⤵
  PID:3152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5496 --field-trial-handle=1836,i,10409627620164363242,8103749438002603750,131072 /prefetch:1
  2⤵
  PID:4064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 --field-trial-handle=1836,i,10409627620164363242,8103749438002603750,131072 /prefetch:8
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=5692 --field-trial-handle=1836,i,10409627620164363242,8103749438002603750,131072 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=4176 --field-trial-handle=1836,i,10409627620164363242,8103749438002603750,131072 /prefetch:1
  2⤵
  PID:1480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=4892 --field-trial-handle=1836,i,10409627620164363242,8103749438002603750,131072 /prefetch:1
  2⤵
  PID:1896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=6024 --field-trial-handle=1836,i,10409627620164363242,8103749438002603750,131072 /prefetch:1
  2⤵
  PID:4520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=6172 --field-trial-handle=1836,i,10409627620164363242,8103749438002603750,131072 /prefetch:1
  2⤵
  PID:1656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=6320 --field-trial-handle=1836,i,10409627620164363242,8103749438002603750,131072 /prefetch:1
  2⤵
  PID:1200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=6680 --field-trial-handle=1836,i,10409627620164363242,8103749438002603750,131072 /prefetch:1
  2⤵
  PID:5484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=6544 --field-trial-handle=1836,i,10409627620164363242,8103749438002603750,131072 /prefetch:1
  2⤵
  PID:5512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=6968 --field-trial-handle=1836,i,10409627620164363242,8103749438002603750,131072 /prefetch:1
  2⤵
  PID:5596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=7128 --field-trial-handle=1836,i,10409627620164363242,8103749438002603750,131072 /prefetch:1
  2⤵
  PID:5672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=6916 --field-trial-handle=1836,i,10409627620164363242,8103749438002603750,131072 /prefetch:1
  2⤵
  PID:5684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=7424 --field-trial-handle=1836,i,10409627620164363242,8103749438002603750,131072 /prefetch:1
  2⤵
  PID:5832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=7584 --field-trial-handle=1836,i,10409627620164363242,8103749438002603750,131072 /prefetch:1
  2⤵
  PID:5888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=7108 --field-trial-handle=1836,i,10409627620164363242,8103749438002603750,131072 /prefetch:1
  2⤵
  PID:5916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=7852 --field-trial-handle=1836,i,10409627620164363242,8103749438002603750,131072 /prefetch:1
  2⤵
  PID:6064

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1076

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3364

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6112

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:6084

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:5580

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:5492

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" FeaturedResetPC
1⤵
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
PID:5648

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4116

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:3468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000031

Filesize
64KB

MD5
475b50689dfe5ac600b3de04ace088ea

SHA1
fbb328c285b985d98e436e1a2025dc2ef814f08d

SHA256
bb3580399452f7fc44aa591302242cc83e1a1c5daad646fcc2d1d3e81b9b7bc1

SHA512
55bef283c23fe00a25ab86c8e62df455236bb4a114d72da8986d0ab51b46567f195d35f94de1e133ae61e95d121de99938aa02e80abfd38c3c841fde9214c381

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00003b

Filesize
19KB

MD5
870237c2b6be011684ca753277ae15fc

SHA1
19a2186ff4358f09afb3dff4330f57c2ae5efbd1

SHA256
17fc0d18ee50f297234ac524b495f01b4d4d34cd19b3316bcebbac930a522b3f

SHA512
d4c615d2b80dc1ad5509e7f528fc03f2d5286dbc55ebd0ebe573fc321a1c93e4a710e1c49a24c4d9858f1d0962913b20469b7aefbfd2332c5e69a66d8f271eb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
04395e8f9cb4d92d74cac533a540198d

SHA1
8dc9556f21daf0ffd3a0797ca229490a716845a8

SHA256
b38eb3bc976dc6cf3c7626a2160da0061112238fd477beb8c9a9ec36cc9b31c2

SHA512
1d6e71e5b392a1a7c3f9a6ba47b4882a5ea4e839b1aa27b3ff22ab16d14d951416447c9df36eab550ccfbc92efcce8d76bf8ba23be723dc26948cdaba78c09ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
2f00e76bdbb0a79a2b9852a1d82aac79

SHA1
617701f35573d7e03a34647b1b672d83770c2de7

SHA256
1dac88b7b96c57062166c963831eeb895175adc9e7b42b6c58ca32db48e45e86

SHA512
005a032aef731be7ac2c459f45c385038c18c8bc822a112788f4647a7782a2b4848da44f79c409b9326ccadc6ec8d142b614f79056bf2c48d078093a0b6f6a2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
22ea7d496cb3328bd8eb903ac4674e14

SHA1
db1329c62a9f28e70615cdfd74d2aee4df14c908

SHA256
da84b47f20244208626e3d7d0a78e60ba5a85ac5ae7a4a5167870705b4a03710

SHA512
d38a09a650d4588cb646320891cfef43307bdd84db66c115e6bfd6e78aa5f701fe82bcf6d0dbce8f4e23d366e5aa9e77847729a89db626a402de57d0e85b94cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
14KB

MD5
0663665117e116b70db9f7ad7c943143

SHA1
623e29295323d69e69d6547a2fd52402b32d14f1

SHA256
2cd49ff23818cdcb9655c5a46f56457c9125a4102ecc3b2a59e423f468d6bd67

SHA512
55c72b21ae73e0c0b9eb089c7089293f35f2ebf46292ab93dffe82009b68adb80bb72d38954d037432f74ce321c5e8424a7d79e514f49b6c5c73be8957dd180d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
12KB

MD5
2509074aea255b19a8b8912966a102e9

SHA1
cedafe456e2192fd4e93e51630224eb1658b7dd7

SHA256
ec0e670427770733a43a0f6fa68e683b18737e399f338bd8bc7d23e257193917

SHA512
815ad0abb55c0fa7b89fafc8d67b7e28730ec544a308b5151993c7749d74b7d9775ec2b94350e12bf6fd7197e0a2a73de5771c177c6ba1e9f190e704fa875586

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
9957e8b23eef18f3c5160d6b384a0912

SHA1
1abe1b47aee318a8b601f16df196b4964c18f77d

SHA256
475639ee1fd12329bcbedce1620cc9bda0c3a2faf5622c148ebefa8a16765739

SHA512
61a2cd1b090e15469652077f46abb4498e87b261a5f9444ffaa8a9dbd0e56c54f7c5eb518ebbaa5a346a53345178ffee9bce38ff5ecf52d228ee1e98764aa4d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
467d616b1077173ddf7d52f5ed909d98

SHA1
78ce718673e793b610a6448b8ccd4c997bacb00f

SHA256
79fed90c5cf4ba2d3aa16745884dbbf10454e8ccfc2758aa4d0bd4493c9523a2

SHA512
31eca787595ee1557db629643f6318e56e04fdbd61f2fc518153c68450c5df36846b498706893b9f33a5b7aaff20dad46cb7697bdca585bea1eee9765c963a9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
7a9a4018c0b69a72c546823605e99b35

SHA1
3bf834abe974f576fb29b972fdd54c48647bf48a

SHA256
2f08faaa65e1421d927ce01ba8ffcd70df630103a71a27d7c7108f1509c57a73

SHA512
ef70a2c8692fb639587e1f6af5230c18f1faab8b3eda5e01b322d7c7a240b1fd38855ae53d2b27d0dab073a08dacc9a20c4e17384c71c35e0873b1a731b8f884

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
6630c2c021dedf371a96e6cf0d8e7b72

SHA1
4daeea6b6732a7623b0659489fa2081520c135b0

SHA256
e494fd6ab6f77a02a7bdcc0d17cc517c36e049e42bdd1f22d21ccc4ffac435f4

SHA512
08f329eec66ae988ef5d79f1712de04e15dbc37b24b1dfe6be458270f4cd293c04d857497031618d7a35f736e624158228455115c4836c9add521e25b3782dbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
b1b4f93693fe3d7270e75ec37f97d21a

SHA1
323a3e903421b19682478559177676b22d4f6089

SHA256
c129f289974a48ecb3e216fbd0dd6e32f5fb018ccdcd789ccb672e00c7542863

SHA512
a95ee3268e7e937d3da2c35779ab722df7361bd04595cf7f1ce297092856a7434b3751f80a8f271cce71885d1564e734d2f9cd2257e05182e6299df86d488497

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
4d02fb90764fd039307eea01b53d32aa

SHA1
7c86e898b69f6ea85c61a894881a76a8e35d11a8

SHA256
af6af1c3e8147e10a5e7cacdd7fcac461f9fb7dff0faed1bf0eb9722f36705dd

SHA512
798fcd0eb40044620571e415c6e907a5b9d49bb6a7f7e7cd6c9213da1a0f8484e698d8921c01c111a1ba5af55c904f78af374aaeafa3de640b2ccb33d8e6fcc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
449f120628697c6e806ad938e2177f05

SHA1
95c7188fc17387a9b21d0280ee42937f947d6117

SHA256
26176265919a60fb271471274bb43bb37634421f2e4f4d40099ed810ded13656

SHA512
6d5bf0675fbb3beadf504940d35dd5567e7e9b9af9feb3afbc001808f4501e2cff71bbe0be8990697d4548669af97d2095c67ffcd463b38b9590c2394dfef7a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
83fc62355b8dd0a520ba8b6746d9618c

SHA1
7a67b56e249a532c35b2b0a78493fb40291ab0f2

SHA256
4e0ecf9e1e0c7768c6ba6b678eb32f0cd04a2d55941ccfa62c1661926a788894

SHA512
5f931f163293e195d32195554bf80da23f0c6357a3b28f0c1848ac71ace8e1b79521087ac0828a75c7cbcd5fe7f0862f5ef664a565c140f3c5d601c298f09e05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4eab9492efa51bcbcfac80c0abcda05f

SHA1
12aa215971ec4611aaf1d2c786c2bd6f77b78eae

SHA256
cfd7e530d186d85a69251a7173e8d11d1fc6c8ad352b0793983d5474aca9ba6e

SHA512
a328a2521c96f84f9e08d564cf49d7ea7350f29e2bb0ee1a3ef283241dc497b2f43e056b39dbb3969616628aa939808121bbb50bdab90b4d0196570d39f52e2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
2eaae6f21444e81a17ec36d946cdc820

SHA1
0e825ab55a60597438be04062ac7bfacb5f44a61

SHA256
a4192a9791af3e8af4da9acf0b5153a6ac66fdecf1868d906ef5f9e5aef82a67

SHA512
ac98f2df6235fcd0ad7c9a27b406d4cb33e608d4b6eb284404fd3249daa2e54a8ab08a5ba7521c21b96a68af18e9b2122029a78c606f1caeaf165888c062faca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
e2d15215fb980b38c279ce79988dc195

SHA1
a5816f489a5d59fee7203c14ee0b9685b0c04811

SHA256
f1b3804ad06a7318beac3dda4763fed1f4e5661040eda497bed0763c9179819a

SHA512
38299cd43293797a12445b91af8de7723eac88e85ad44792602c18448ff3f7b360bbb6f5343fe983a9f5b3da1820645f9e30fc9e58749aa67e4711e183248770

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
d7df4bc3f1f6936ac8427d970052565a

SHA1
2258841fd451eddb8602395daffd332872462947

SHA256
a3ae0596bd177abd0103b9ab0accda31b0fd7e441e4ef79536d22e3dd1574d39

SHA512
53921652304d776313de170fcb8fb3b683de0b78f28f64dfb5ff2045ee996d802150a09fac5a65cca2cbac02aaa8fdd8338a0232c504492c2a14bfbf4aa19623

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
14ad18c68cb31789a359606f55df5e13

SHA1
16cf5cd006c122718b5490e924f34b6672f1cf0f

SHA256
feb5298474fc3cfcd3fa173920d57cbd5450521135676bed57eecab16e000d10

SHA512
0634c017bb48b7c0e4c500d0e3fedb03c56d0673f6bb3df4f155c289f56a5cca2b43408710ac1c816402dafc24a28ab4d4fe7b929acafbab1b4badb1a3d6a78e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
46463d3e6b2a975d58f841bbd1f1242e

SHA1
9717c5c5ed1ce89ab484b42ce1449cf03ccc2c84

SHA256
961e443fb9140fece1b953533c0c2eeebccf0bba2f301a7291d6afbe2f9e139c

SHA512
7fdd879f6b0b640fe3315442e9d0e75a9f1956a435765d896a7c90385672c05f22afc459b458b0d4f6880c8062e58dbb183eb42345e527537da7805455657fee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
b10d041c3c80991a66ed8b1acad419a4

SHA1
2b4e2a91e9e5c578e4417751933de6b6746cbe19

SHA256
269d4a7ec7da22b1bc62b3781d6b98363e8ecf45f7dffad75bc17a02cd2c2279

SHA512
8e4b42003a918d4722a670b72ef9b35762c6c2782e5d362601982c1925a11b5e112cf47547b11f38ce9a16c55f353476546a3b22556c602eee0c94d04203832e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
83KB

MD5
f4c3e0bfa5fb612bbca53ea80d518662

SHA1
1f4ef917971e6d9a6e2ffcdb794224ef87904d4b

SHA256
b697bc51f27e914098a5e647296b725e30cef2333b309065fc54412625d541a8

SHA512
eab0c21966d65e21015deecf535d3306ffb30bf10add9835875f39b60079283e55f432cafa5957ef3764f16b64b00fc2e7d5e0cdf170a5c7c09e7cbaafee5774

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe582611.TMP

Filesize
82KB

MD5
d34f99274f77244d9f53222e88cdd1f5

SHA1
c34a3bcf2428a45ed9d25b8a4cfd465a66c2a375

SHA256
a0642d440c0e2d6ed217e1e31eb79deab09a428ddd8b20b71b064ffe957d0b3b

SHA512
e1c8cdf0fc7bd692a29ad6d38cfd791e569ee2e10387505265f40b7b22b1c2355f77dbf26b6199118e890eaa4fb8217a8518507bc600b4e2d3f5480a7c9bf748

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\DX2PTHLA\www.bing[1].xml

Filesize
20KB

MD5
7e1661f9f508bc5e735352ebd509ecf9

SHA1
776bb3422c9ee8e77812364d2d8f849283be82cc

SHA256
5c28629ab6517d486cd8fef6a8eeb181cff769ff710167a46a0f2e3e4212c42a

SHA512
e0c75eb12ecc7663d993d5cbbfa941d11111858324f5099f7684130715345c505fe266787a8a4afdda331907ba3135a6f8701ac92b6738dde8599269d7373c24

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
bca013349ea9cbfeae8a6a2fcfc0a968

SHA1
e6e8031627dd6efee732345a879d37bb8f5bbb62

SHA256
72996bfeb0e86a9816bd2521deb29d43117b8ea2dd12e81e002222131a40b672

SHA512
6adc3a35c751ee3aec51ffc33c00113e5c795b7925ea31cd9f412b386a9e1fec54b89a665678ce891e6877f01f981aa5c1c19a24fc9ee8687e8b72a39b4478e1

Download Submit
\??\pipe\crashpad_3056_ZURHMBCTUDTLXMEQ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/912-692-0x0000023C128F0000-0x0000023C12910000-memory.dmp

Filesize
128KB

Download
memory/912-691-0x0000023C120F0000-0x0000023C12110000-memory.dmp

Filesize
128KB

Download
memory/912-766-0x0000023C13A00000-0x0000023C13A20000-memory.dmp

Filesize
128KB

Download
memory/912-880-0x0000023C18E10000-0x0000023C18F10000-memory.dmp

Filesize
1024KB

Download
memory/912-690-0x0000023C129B0000-0x0000023C129D0000-memory.dmp

Filesize
128KB

Download
memory/912-655-0x0000023C129D0000-0x0000023C12AD0000-memory.dmp

Filesize
1024KB

Download
memory/912-643-0x0000023C11F10000-0x0000023C11F30000-memory.dmp

Filesize
128KB

Download
memory/912-642-0x0000023BFE9E0000-0x0000023BFEAE0000-memory.dmp

Filesize
1024KB

Download
memory/912-610-0x0000023BFE9E0000-0x0000023BFEAE0000-memory.dmp

Filesize
1024KB

Download