e3284abb57ff7695d131e16e95b5632b525b8cf745bfea46a2b4adb4780ab5a7

General

Target

DenyWait.dib
Size

1.5MB
MD5

335c2b0d8bb847297556a0b9bac97cc8
SHA1

21a2606273033477c6f6ad9e49b40160cf43e36d
SHA256

e3284abb57ff7695d131e16e95b5632b525b8cf745bfea46a2b4adb4780ab5a7
SHA512

12479651b634b9491a67125027e6640f715043c772de21666c546970096d38769101aa29bcbbc5d472c0d505a41e180c1c39da62112b173f3ab2a3710d34010a
SSDEEP

24576:SzK5qX5lzedoiBlCnVfhmeMqTM74Lk0+wYeti2dhGi0MUgFBZHHA:SrodoCCnVp/f1+/e5rGi08ZnA

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 4 IoCs

Processes:

UserOOBEBroker.exe

description	ioc	process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133633613041756383"	chrome.exe

Modifies registry class 2 IoCs

Processes:

cmd.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid process

2888 chrome.exe
2888 chrome.exe
2888 chrome.exe
2888 chrome.exe
1384 chrome.exe
1384 chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

Processes:

chrome.exe

pid	process
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid	process
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

2088 OpenWith.exe

pid	process
2088	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2888 wrote to memory of 1168	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 1168	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 2208	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 2208	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 2208	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 2208	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 2208	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 2208	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 2208	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 2208	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 2208	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 2208	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 2208	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 2208	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 2208	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 2208	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 2208	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 2208	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 2208	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 2208	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 2208	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 2208	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 2208	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 2208	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 2208	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 2208	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 2208	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 2208	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 2208	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 2208	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 2208	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 2208	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 2208	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 2316	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 2316	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 1088	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 1088	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 1088	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 1088	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 1088	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 1088	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 1088	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 1088	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 1088	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 1088	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 1088	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 1088	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 1088	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 1088	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 1088	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 1088	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 1088	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 1088	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 1088	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 1088	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 1088	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 1088	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 1088	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 1088	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 1088	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 1088	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 1088	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 1088	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 1088	2888	chrome.exe	chrome.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\DenyWait.dib
1⤵
- Modifies registry class
PID:2428

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcc959ab58,0x7ffcc959ab68,0x7ffcc959ab78
2⤵
PID:1168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1544 --field-trial-handle=1840,i,11689435948613532478,8565597892895250766,131072 /prefetch:2
2⤵
PID:2208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1840,i,11689435948613532478,8565597892895250766,131072 /prefetch:8
2⤵
PID:2316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2232 --field-trial-handle=1840,i,11689435948613532478,8565597892895250766,131072 /prefetch:8
2⤵
PID:1088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3084 --field-trial-handle=1840,i,11689435948613532478,8565597892895250766,131072 /prefetch:1
2⤵
PID:4856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3152 --field-trial-handle=1840,i,11689435948613532478,8565597892895250766,131072 /prefetch:1
2⤵
PID:3176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4252 --field-trial-handle=1840,i,11689435948613532478,8565597892895250766,131072 /prefetch:1
2⤵
PID:2564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4628 --field-trial-handle=1840,i,11689435948613532478,8565597892895250766,131072 /prefetch:8
2⤵
PID:1876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 --field-trial-handle=1840,i,11689435948613532478,8565597892895250766,131072 /prefetch:8
2⤵
PID:2408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3524 --field-trial-handle=1840,i,11689435948613532478,8565597892895250766,131072 /prefetch:8
2⤵
PID:4660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4756 --field-trial-handle=1840,i,11689435948613532478,8565597892895250766,131072 /prefetch:8
2⤵
PID:1872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4632 --field-trial-handle=1840,i,11689435948613532478,8565597892895250766,131072 /prefetch:8
2⤵
PID:3988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=216 --field-trial-handle=1840,i,11689435948613532478,8565597892895250766,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4540 --field-trial-handle=1840,i,11689435948613532478,8565597892895250766,131072 /prefetch:1
2⤵
PID:2736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4788 --field-trial-handle=1840,i,11689435948613532478,8565597892895250766,131072 /prefetch:1
2⤵
PID:2820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5112 --field-trial-handle=1840,i,11689435948613532478,8565597892895250766,131072 /prefetch:1
2⤵
PID:2828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3464 --field-trial-handle=1840,i,11689435948613532478,8565597892895250766,131072 /prefetch:1
2⤵
PID:1916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4400 --field-trial-handle=1840,i,11689435948613532478,8565597892895250766,131072 /prefetch:1
2⤵
PID:3932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=1452 --field-trial-handle=1840,i,11689435948613532478,8565597892895250766,131072 /prefetch:1
2⤵
PID:4640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4356 --field-trial-handle=1840,i,11689435948613532478,8565597892895250766,131072 /prefetch:1
2⤵
PID:4056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=3396 --field-trial-handle=1840,i,11689435948613532478,8565597892895250766,131072 /prefetch:1
2⤵
PID:4084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=1464 --field-trial-handle=1840,i,11689435948613532478,8565597892895250766,131072 /prefetch:1
2⤵
PID:3492

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3236

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4860

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:1580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
1⤵
PID:3976

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:3124

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
fcdd61de50f0b01b5ffd42acfd8b4284

SHA1
0537096b9b06bf5c11e99752d9e965e99e962236

SHA256
7f0836627dda1deb38d8c755ebb31b18b14d6e025ab6bb4a0cb250a51cd7f222

SHA512
04d4d167035787210b6f374a5740752072e357c1873b6082810d1a62577a52493c579cb3277a072013cfb57a7e6e6d0c04478b7d4f3480650ebe5b258db77a3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
015c4aee42e970372e286ab101d50b1e

SHA1
6159b9d0efce0a743acb20227d63c5edd2fe7b9b

SHA256
5f010aa8d3ca88b81911b90ab14233f77f5e9662183219ca720cc7ac79be2f8e

SHA512
a0c86096d50e05e8686f4ba3921cd8464fdd955090c5d9da8ec5718a3fb77bc586d423166a912852b72557d08d2526f3e8eb2668493d93db3ead54e4faaa0789

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
5fb08ff3858d7471d699952227bd919a

SHA1
27e27ce2e12d2db7f189ed00c63f35ad3e4fcf2a

SHA256
51bf20e571fa0535acf45898361b701dfeb9c83bb9a6bb53fd301038469766d0

SHA512
15ee085e9bb757de512d1d1f23d62b8ffa35ffb3e344a6fcdc30e04ba87e042dcd6dddb8a608da874f8b8b2268b06e8cc6d79d78ccc3e9eba457dd34d9ce4f2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
86KB

MD5
31ce3a3d24e64b5b5d2806437bd381cb

SHA1
40f69c1a5464205dad8de529ceff00253345394d

SHA256
9badf49e064f4c4e5d189dcca87c464d37e43dad63835e861421ed0bde636e21

SHA512
c5a6c5de3c4f27ef09a7bc8ae31e3985d28bddc5d3cbf29937f9664e713e1c9474164044025bf166c244d0dc3b4f349f5d520bccde31d0131bb8c3b77350c01f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe584522.TMP
Filesize
83KB

MD5
35dfe32482d121085ea8f239b120a491

SHA1
5a8ff641bbeba961d4484a40846d28cbb07d12da

SHA256
8dc8eb42ff7fe17fcc57b1d586dd001c1b37c0c9367ff31b63b952dc570835f3

SHA512
ba2515060b5690ffd55426e5954bc42cdc6250d612888614af7bcf30bfa485944aad8e4affaf6efbfa66bb7c97edcabc49c9aed09f621ea6af86fc82fc34237d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-6-20.1253.1580.1.odl
Filesize
706B

MD5
c36b7c2a9c026f1deff5fcf37096a159

SHA1
2b9bc431b71c6650c6e35cda76840564a74b5241

SHA256
48df12a2aebe733342db3b917406fc4bb14520540615e2ffb5ffffca502a43c3

SHA512
8769406158edf2dd2ac6fe1efd4cf06abf9eb6ecd42eb95598ab1664e6e5e4dc1ae1829088d06559e2b6c194f13141bc097ccdc88e834e28b5bde1756b0ebac5

Download Submit
\??\pipe\crashpad_2888_GYTVDKDNKGXMNCDF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads