hxxps://store[.]steampowered[.]com/

Analysis

max time kernel
1799s
max time network
1689s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
11/06/2024, 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://store.steampowered.com/

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\system32\wdi\LogFiles\StartupInfo\S-1-5-21-3001105534-2705918504-2956618779-1000_StartupInfo3.xml	svchost.exe
File opened for modification	C:\Windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3001105534-2705918504-2956618779-1000_UserData.bin	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.log	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.dat	svchost.exe
File created	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{040cf873-99a5-4e79-a423-6e139a19581c}\snapshot.etl	svchost.exe
File opened for modification	C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.chk	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.jfm	svchost.exe
File opened for modification	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{040cf873-99a5-4e79-a423-6e139a19581c}\snapshot.etl	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133625906470030317"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4016	chrome.exe
4016	chrome.exe
5524	sdiagnhost.exe
5980	svchost.exe
5980	svchost.exe
5980	svchost.exe
5980	svchost.exe
972	chrome.exe
972	chrome.exe
5980	svchost.exe
5980	svchost.exe
5980	svchost.exe
5980	svchost.exe
5980	svchost.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
680	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4016	chrome.exe
Token: SeCreatePagefilePrivilege	4016	chrome.exe
Token: SeShutdownPrivilege	4016	chrome.exe
Token: SeCreatePagefilePrivilege	4016	chrome.exe
Token: SeShutdownPrivilege	4016	chrome.exe
Token: SeCreatePagefilePrivilege	4016	chrome.exe
Token: SeShutdownPrivilege	4016	chrome.exe
Token: SeCreatePagefilePrivilege	4016	chrome.exe
Token: SeShutdownPrivilege	4016	chrome.exe
Token: SeCreatePagefilePrivilege	4016	chrome.exe
Token: SeShutdownPrivilege	4016	chrome.exe
Token: SeCreatePagefilePrivilege	4016	chrome.exe
Token: SeShutdownPrivilege	4016	chrome.exe
Token: SeCreatePagefilePrivilege	4016	chrome.exe
Token: SeShutdownPrivilege	4016	chrome.exe
Token: SeCreatePagefilePrivilege	4016	chrome.exe
Token: SeShutdownPrivilege	4016	chrome.exe
Token: SeCreatePagefilePrivilege	4016	chrome.exe
Token: SeShutdownPrivilege	4016	chrome.exe
Token: SeCreatePagefilePrivilege	4016	chrome.exe
Token: SeShutdownPrivilege	4016	chrome.exe
Token: SeCreatePagefilePrivilege	4016	chrome.exe
Token: SeShutdownPrivilege	4016	chrome.exe
Token: SeCreatePagefilePrivilege	4016	chrome.exe
Token: SeShutdownPrivilege	4016	chrome.exe
Token: SeCreatePagefilePrivilege	4016	chrome.exe
Token: SeShutdownPrivilege	4016	chrome.exe
Token: SeCreatePagefilePrivilege	4016	chrome.exe
Token: SeShutdownPrivilege	4016	chrome.exe
Token: SeCreatePagefilePrivilege	4016	chrome.exe
Token: SeShutdownPrivilege	4016	chrome.exe
Token: SeCreatePagefilePrivilege	4016	chrome.exe
Token: SeShutdownPrivilege	4016	chrome.exe
Token: SeCreatePagefilePrivilege	4016	chrome.exe
Token: SeShutdownPrivilege	4016	chrome.exe
Token: SeCreatePagefilePrivilege	4016	chrome.exe
Token: SeShutdownPrivilege	4016	chrome.exe
Token: SeCreatePagefilePrivilege	4016	chrome.exe
Token: SeShutdownPrivilege	4016	chrome.exe
Token: SeCreatePagefilePrivilege	4016	chrome.exe
Token: SeShutdownPrivilege	4016	chrome.exe
Token: SeCreatePagefilePrivilege	4016	chrome.exe
Token: SeShutdownPrivilege	4016	chrome.exe
Token: SeCreatePagefilePrivilege	4016	chrome.exe
Token: SeShutdownPrivilege	4016	chrome.exe
Token: SeCreatePagefilePrivilege	4016	chrome.exe
Token: SeShutdownPrivilege	4016	chrome.exe
Token: SeCreatePagefilePrivilege	4016	chrome.exe
Token: SeShutdownPrivilege	4016	chrome.exe
Token: SeCreatePagefilePrivilege	4016	chrome.exe
Token: SeShutdownPrivilege	4016	chrome.exe
Token: SeCreatePagefilePrivilege	4016	chrome.exe
Token: SeShutdownPrivilege	4016	chrome.exe
Token: SeCreatePagefilePrivilege	4016	chrome.exe
Token: SeShutdownPrivilege	4016	chrome.exe
Token: SeCreatePagefilePrivilege	4016	chrome.exe
Token: SeShutdownPrivilege	4016	chrome.exe
Token: SeCreatePagefilePrivilege	4016	chrome.exe
Token: SeShutdownPrivilege	4016	chrome.exe
Token: SeCreatePagefilePrivilege	4016	chrome.exe
Token: SeDebugPrivilege	5524	sdiagnhost.exe
Token: SeShutdownPrivilege	4016	chrome.exe
Token: SeCreatePagefilePrivilege	4016	chrome.exe
Token: SeShutdownPrivilege	4016	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
1772	msdt.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4016 wrote to memory of 4000	4016	chrome.exe	79
PID 4016 wrote to memory of 4000	4016	chrome.exe	79
PID 4016 wrote to memory of 4864	4016	chrome.exe	81
PID 4016 wrote to memory of 4864	4016	chrome.exe	81
PID 4016 wrote to memory of 4864	4016	chrome.exe	81
PID 4016 wrote to memory of 4864	4016	chrome.exe	81
PID 4016 wrote to memory of 4864	4016	chrome.exe	81
PID 4016 wrote to memory of 4864	4016	chrome.exe	81
PID 4016 wrote to memory of 4864	4016	chrome.exe	81
PID 4016 wrote to memory of 4864	4016	chrome.exe	81
PID 4016 wrote to memory of 4864	4016	chrome.exe	81
PID 4016 wrote to memory of 4864	4016	chrome.exe	81
PID 4016 wrote to memory of 4864	4016	chrome.exe	81
PID 4016 wrote to memory of 4864	4016	chrome.exe	81
PID 4016 wrote to memory of 4864	4016	chrome.exe	81
PID 4016 wrote to memory of 4864	4016	chrome.exe	81
PID 4016 wrote to memory of 4864	4016	chrome.exe	81
PID 4016 wrote to memory of 4864	4016	chrome.exe	81
PID 4016 wrote to memory of 4864	4016	chrome.exe	81
PID 4016 wrote to memory of 4864	4016	chrome.exe	81
PID 4016 wrote to memory of 4864	4016	chrome.exe	81
PID 4016 wrote to memory of 4864	4016	chrome.exe	81
PID 4016 wrote to memory of 4864	4016	chrome.exe	81
PID 4016 wrote to memory of 4864	4016	chrome.exe	81
PID 4016 wrote to memory of 4864	4016	chrome.exe	81
PID 4016 wrote to memory of 4864	4016	chrome.exe	81
PID 4016 wrote to memory of 4864	4016	chrome.exe	81
PID 4016 wrote to memory of 4864	4016	chrome.exe	81
PID 4016 wrote to memory of 4864	4016	chrome.exe	81
PID 4016 wrote to memory of 4864	4016	chrome.exe	81
PID 4016 wrote to memory of 4864	4016	chrome.exe	81
PID 4016 wrote to memory of 4864	4016	chrome.exe	81
PID 4016 wrote to memory of 4864	4016	chrome.exe	81
PID 4016 wrote to memory of 4476	4016	chrome.exe	82
PID 4016 wrote to memory of 4476	4016	chrome.exe	82
PID 4016 wrote to memory of 2292	4016	chrome.exe	83
PID 4016 wrote to memory of 2292	4016	chrome.exe	83
PID 4016 wrote to memory of 2292	4016	chrome.exe	83
PID 4016 wrote to memory of 2292	4016	chrome.exe	83
PID 4016 wrote to memory of 2292	4016	chrome.exe	83
PID 4016 wrote to memory of 2292	4016	chrome.exe	83
PID 4016 wrote to memory of 2292	4016	chrome.exe	83
PID 4016 wrote to memory of 2292	4016	chrome.exe	83
PID 4016 wrote to memory of 2292	4016	chrome.exe	83
PID 4016 wrote to memory of 2292	4016	chrome.exe	83
PID 4016 wrote to memory of 2292	4016	chrome.exe	83
PID 4016 wrote to memory of 2292	4016	chrome.exe	83
PID 4016 wrote to memory of 2292	4016	chrome.exe	83
PID 4016 wrote to memory of 2292	4016	chrome.exe	83
PID 4016 wrote to memory of 2292	4016	chrome.exe	83
PID 4016 wrote to memory of 2292	4016	chrome.exe	83
PID 4016 wrote to memory of 2292	4016	chrome.exe	83
PID 4016 wrote to memory of 2292	4016	chrome.exe	83
PID 4016 wrote to memory of 2292	4016	chrome.exe	83
PID 4016 wrote to memory of 2292	4016	chrome.exe	83
PID 4016 wrote to memory of 2292	4016	chrome.exe	83
PID 4016 wrote to memory of 2292	4016	chrome.exe	83
PID 4016 wrote to memory of 2292	4016	chrome.exe	83
PID 4016 wrote to memory of 2292	4016	chrome.exe	83
PID 4016 wrote to memory of 2292	4016	chrome.exe	83
PID 4016 wrote to memory of 2292	4016	chrome.exe	83
PID 4016 wrote to memory of 2292	4016	chrome.exe	83
PID 4016 wrote to memory of 2292	4016	chrome.exe	83
PID 4016 wrote to memory of 2292	4016	chrome.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://store.steampowered.com/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0x48,0x10c,0x7ff897b3ab58,0x7ff897b3ab68,0x7ff897b3ab78
  2⤵
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1516 --field-trial-handle=1748,i,11417494972749554181,2190191805635434020,131072 /prefetch:2
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1956 --field-trial-handle=1748,i,11417494972749554181,2190191805635434020,131072 /prefetch:8
  2⤵
  PID:4476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2044 --field-trial-handle=1748,i,11417494972749554181,2190191805635434020,131072 /prefetch:8
  2⤵
  PID:2292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3000 --field-trial-handle=1748,i,11417494972749554181,2190191805635434020,131072 /prefetch:1
  2⤵
  PID:1904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3008 --field-trial-handle=1748,i,11417494972749554181,2190191805635434020,131072 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4256 --field-trial-handle=1748,i,11417494972749554181,2190191805635434020,131072 /prefetch:8
  2⤵
  PID:4520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4380 --field-trial-handle=1748,i,11417494972749554181,2190191805635434020,131072 /prefetch:8
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4444 --field-trial-handle=1748,i,11417494972749554181,2190191805635434020,131072 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4408 --field-trial-handle=1748,i,11417494972749554181,2190191805635434020,131072 /prefetch:1
  2⤵
  PID:1400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4528 --field-trial-handle=1748,i,11417494972749554181,2190191805635434020,131072 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4012 --field-trial-handle=1748,i,11417494972749554181,2190191805635434020,131072 /prefetch:1
  2⤵
  PID:3232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4520 --field-trial-handle=1748,i,11417494972749554181,2190191805635434020,131072 /prefetch:1
  2⤵
  PID:4172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3400 --field-trial-handle=1748,i,11417494972749554181,2190191805635434020,131072 /prefetch:1
  2⤵
  PID:3896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4468 --field-trial-handle=1748,i,11417494972749554181,2190191805635434020,131072 /prefetch:8
  2⤵
  PID:3488
- C:\Windows\system32\msdt.exe
  -modal "459244" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDFE9A4.tmp" -ep "NetworkDiagnosticsWeb"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=1480 --field-trial-handle=1748,i,11417494972749554181,2190191805635434020,131072 /prefetch:1
  2⤵
  PID:5872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5000 --field-trial-handle=1748,i,11417494972749554181,2190191805635434020,131072 /prefetch:1
  2⤵
  PID:232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=1492 --field-trial-handle=1748,i,11417494972749554181,2190191805635434020,131072 /prefetch:1
  2⤵
  PID:5892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4756 --field-trial-handle=1748,i,11417494972749554181,2190191805635434020,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4568 --field-trial-handle=1748,i,11417494972749554181,2190191805635434020,131072 /prefetch:1
  2⤵
  PID:8
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=1284 --field-trial-handle=1748,i,11417494972749554181,2190191805635434020,131072 /prefetch:1
  2⤵
  PID:1516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=1588 --field-trial-handle=1748,i,11417494972749554181,2190191805635434020,131072 /prefetch:1
  2⤵
  PID:4992

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4320

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5524
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  PID:5712
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  PID:4528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
1⤵
PID:6012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
1⤵
- Modifies data under HKEY_USERS
PID:3596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024061114.000\NetworkDiagnostics.debugreport.xml

Filesize
71KB

MD5
d8dae8c46cb80cc5937e84175fd79d95

SHA1
d3b3b8c884580cd4540c2d8c3ed4577acf2d76c7

SHA256
d9788f31aaa42f93719c2d9b705e488cd39ce174253fb684941d33d6ba791df0

SHA512
f50cc4e41541d237ad5279a722876cef621e8ece2340401acb6454ab57607a03f02871abd11a60122f2ae72888447bb05357250b0c8125e1abda5df26596dde7

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024061114.000\ResultReport.xml

Filesize
36KB

MD5
10b27992d3318de7ef2cb301411d53a0

SHA1
d432f851a25425c07ff558b287b9bbd0ad81806b

SHA256
84547901f7d60fd5cfed745443e4998e9672154c5c741735c19ef6f95831d4b4

SHA512
d95a008a7c8bb5370c840f8c73c08991a0dad89c756c939f2985c437642d7783a3ffc3989a91e14467e703983e01ba8199ebc3715906641eb0368776c5916add

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024061114.000\results.xsl

Filesize
47KB

MD5
90df783c6d95859f3a420cb6af1bafe1

SHA1
3fe1e63ca5efc0822fc3a4ae862557238aa22f78

SHA256
06db605b5969c93747313e6409ea84bdd8b7e1731b7e6e3656329d77bcf51093

SHA512
e5dcbb7d8f42eabf42966fccee11c3d3e3f965ecc7a4d9e4ecd0382a31c4e8afea931564b1c6931f6d7e6b3650dc01a4a1971e317dab6c1f03932c6b6b7d399f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
4f727667ed2d5e6d84b77391e5d47b49

SHA1
0eb879613c896617a139b81ad6cd2adf03c21fde

SHA256
98f34acecf10c822c1a50aff02150d9345902ffc9e0ee996148cc8d35b802438

SHA512
d33250993f2e33e6eff429fa8d35a931665d87cbe2930d24cf98988f4bc1b78b97cb712a4f825a5d34f86659121fcb42856440dea9352e3024e78d4980a3ec7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
202179ab392e74e2442e5158fc53cb05

SHA1
107160ddf76f373490ddc053e6167064dbe8e4d2

SHA256
7fd166793b1e869efdb9d90bd21d75ae98face2cbe16aba30f0ab0837486f686

SHA512
005208afdf784e23331f37d34476a7ccc86fd81b457dd876f7fa5a22b320ccbeccae7f002da15f161525c47238af16a89a66dd996878f36c05f18e1137cf3fa7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
a05e92f880a96398c67e743e4fdb3dd9

SHA1
e9b83a9477617858408c8dda19479eb5dc7377f6

SHA256
c68ccc136319a0b06adbe3723ba9a1c6d90fdaa3c57460ac43041f9d4ad99d94

SHA512
a3bd1ce098fd61e3b917f3a5535e22e4b69010d46117ab9f46d200c9da5f9061ccde6e8d16286ca353e3aeaf164fd6dc5d15038c92813878d64d7e027d846174

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
4d3671c10e409b8629f6c0446ef5572c

SHA1
c8cd570d4325bf278b7297d7158b0bf4e572ca9e

SHA256
d41f21e5120e5468b6f58a92e843d68d366604520a4d64e2ec77ee18d3247435

SHA512
73b22050c78fafae67e50c4f3082b7ecb3c1af7df684064b2bf747fa2ee9d79eb5e627fdaa608ce17101bab6fc83797c1451becda92d133ac096fc779b1a11cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
03c3e010515aaff2a01c2c89a1e587f5

SHA1
5d0d51ca63e90a497ca12ec39f59467d761da80b

SHA256
cb911b64bfed1affa572c6f2f9e1d02747436575696f3c5ba6d640016fe07bdf

SHA512
0430b1b30d81f284807bda8a8fd9edae7d9c0be0721ed0d963ddfeafd12658e32541cf43f2f839bacbd83d20f617dd74bb0540523c1e96543907b9813f67a1ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
84KB

MD5
6bb3028d34b4e5da0a1f1a9fe02c13e0

SHA1
7c35ec51f2a81a42b1eb84edb8a36b2a4fda7f76

SHA256
3577fc9441c256d6162b17369b6f05e1160a96bbd0cb88055bb296d39a6d27a8

SHA512
a7094b364a479312c2c72d516ae0658448af73c038f99e08cd28be17a1c8c75185e021cf66fe870a10fff9216af6acbbff5cadb99f7bb26d6b069ea9c1679425

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5810c4.TMP

Filesize
82KB

MD5
663e071e816948bc4031b004d0447acc

SHA1
908c2b61beb7bdc7da2d07850ac2d4c37add920f

SHA256
7a8655f1f50da4fe8da7d3305d30174ba0817fdf9b778b0bfa735c905ada4333

SHA512
b9cc287deda6759c937db8eb5656be5dcae0a1779e44521e1a1df3ec1a54c004acfc4ff9c878b1f1f2aa714c3644382d135113796a710aa51f073950ed311e23

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDFE9A4.tmp

Filesize
3KB

MD5
e310e5578a38aa0803fe501af84e061d

SHA1
ec4e52893b7da842778df8d6658b356de731249b

SHA256
904b48d7f7c6f079ddf5453bfe05bd98118a7e69d0bba17a75f2209a7a5389bd

SHA512
36465ac3ee139947b6623b0efc85cbf66dc8640dbb41abb613057b7d4b48e816bb67cc4893bd994f4f81d2978397f0a8361b2300eb5fb38cb0dcf01a546bceb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lr3gyede.fmi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\TEMP\SDIAG_4fc9c7a8-b511-4fcb-954a-27d59fab5d00\NetworkDiagnosticsTroubleshoot.ps1

Filesize
25KB

MD5
d0cfc204ca3968b891f7ce0dccfb2eda

SHA1
56dad1716554d8dc573d0ea391f808e7857b2206

SHA256
e3940266b4368c04333db89804246cb89bf2073626f22b8de72bea27c522282a

SHA512
4d2225b599ad8af8ba8516f12cfddca5ec0ce69c5c80b133a6a323e9aaf5e0312efbcfa54d2e4462a5095f9a7c42b9d5b39f3204e0be72c3b1992cf33b22087c

Download Submit
C:\Windows\TEMP\SDIAG_4fc9c7a8-b511-4fcb-954a-27d59fab5d00\StartDPSService.ps1

Filesize
567B

MD5
a660422059d953c6d681b53a6977100e

SHA1
0c95dd05514d062354c0eecc9ae8d437123305bb

SHA256
d19677234127c38a52aec23686775a8eb3f4e3a406f4a11804d97602d6c31813

SHA512
26f8cf9ac95ff649ecc2ed349bc6c7c3a04b188594d5c3289af8f2768ab59672bc95ffefcc83ed3ffa44edd0afeb16a4c2490e633a89fce7965843674d94b523

Download Submit
C:\Windows\TEMP\SDIAG_4fc9c7a8-b511-4fcb-954a-27d59fab5d00\UtilityFunctions.ps1

Filesize
53KB

MD5
c912faa190464ce7dec867464c35a8dc

SHA1
d1c6482dad37720db6bdc594c4757914d1b1dd70

SHA256
3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201

SHA512
5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a

Download Submit
C:\Windows\TEMP\SDIAG_4fc9c7a8-b511-4fcb-954a-27d59fab5d00\UtilitySetConstants.ps1

Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_4fc9c7a8-b511-4fcb-954a-27d59fab5d00\en-US\LocalizationData.psd1

Filesize
5KB

MD5
91f545459be2ff513b8d98c7831b8e54

SHA1
499e4aa76fc21540796c75ba5a6a47980ff1bc21

SHA256
1ccd68e58ead16d22a6385bb6bce0e2377ed573387bdafac3f72b62264d238ff

SHA512
469571a337120885ee57e0c73a3954d0280fa813e11709ee792285c046f6ddaf9be5583e475e627ea5f34e8e6fb723a4681289312f0e51dc8e9894492407b911

Download Submit
C:\Windows\Temp\SDIAG_4fc9c7a8-b511-4fcb-954a-27d59fab5d00\DiagPackage.dll

Filesize
488KB

MD5
ec287e627bf07521b8b443e5d7836c92

SHA1
02595dde2bd98326d8608ee3ddabc481ddc39c3d

SHA256
35fa9f66ed386ee70cb28ec6e03a3b4848e3ae11c8375ba3b17b26d35bd5f694

SHA512
8465ae3ca6a4355888eecedda59d83806faf2682431f571185c31fb8a745f2ef4b26479f07aaf2693cd83f2d0526a1897a11c90a1f484a72f1e5965b72de9903

Download Submit
C:\Windows\Temp\SDIAG_4fc9c7a8-b511-4fcb-954a-27d59fab5d00\en-US\DiagPackage.dll.mui

Filesize
17KB

MD5
44b3399345bc836153df1024fa0a81e1

SHA1
ce979bfdc914c284a9a15c4d0f9f18db4d984cdd

SHA256
502abf2efedb7f76147a95dc0755723a070cdc3b2381f1860313fd5f01c4fb4d

SHA512
a49ba1a579eedca2356f8a4df94b1c273e483ceace93c617cddee77f66e90682836c77cea58047320b2c2f1d0e23ee7efa3d8af71e8ee864faef7e68f233bec4

Download Submit
memory/5524-525-0x00007FF8841A0000-0x00007FF884C62000-memory.dmp

Filesize
10.8MB

Download
memory/5524-427-0x00007FF8841A0000-0x00007FF884C62000-memory.dmp

Filesize
10.8MB

Download
memory/5524-426-0x000001F665BA0000-0x000001F665BC2000-memory.dmp

Filesize
136KB

Download
memory/5524-417-0x00007FF8841A3000-0x00007FF8841A5000-memory.dmp

Filesize
8KB

Download
memory/5980-463-0x0000022EBC390000-0x0000022EBC391000-memory.dmp

Filesize
4KB

Download
memory/5980-459-0x0000022EB6F00000-0x0000022EB6F10000-memory.dmp

Filesize
64KB

Download
memory/5980-456-0x0000022EB67A0000-0x0000022EB67B0000-memory.dmp

Filesize
64KB

Download
memory/5980-562-0x0000022EBC4B0000-0x0000022EBC4B1000-memory.dmp

Filesize
4KB

Download
memory/5980-563-0x0000022EBC4A0000-0x0000022EBC4A1000-memory.dmp

Filesize
4KB

Download
memory/5980-565-0x0000022EBC3A0000-0x0000022EBC3A1000-memory.dmp

Filesize
4KB

Download
memory/5980-566-0x0000022EBC390000-0x0000022EBC391000-memory.dmp

Filesize
4KB

Download
memory/5980-568-0x0000022EBC390000-0x0000022EBC391000-memory.dmp

Filesize
4KB

Download
memory/5980-571-0x0000022EB6FA0000-0x0000022EB6FA1000-memory.dmp

Filesize
4KB

Download