29dc64e0ada4c711d0452801d3364b2f44cf4bd52337547aaa2f40744da97cd1

Resubmissions

29/06/2024, 07:53

240629-jrbzwatdqe 10

29/06/2024, 07:51

29/06/2024, 07:48

29/06/2024, 07:37

29/06/2024, 07:36

29/06/2024, 07:34

29/06/2024, 07:33

29/06/2024, 07:29

Analysis

max time kernel
141s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2024, 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

The-MALWARE-Repo
Size

284KB
MD5

1c0a02c3390b9fd77746574def84b1d1
SHA1

2e62ae7936cf5b6398308f702ddbb06427091109
SHA256

29dc64e0ada4c711d0452801d3364b2f44cf4bd52337547aaa2f40744da97cd1
SHA512

4f62bc5c219a6fa412dc06653227561b10cb32d144be733e0b2e57dea24baa17683dc09b84c57237326e6909e27f42ea7e1f70032eeff455d12423364bc433a2
SSDEEP

6144:ibRoQ02n9dH5M2vkm0y3Cl3pId9Rj9vvZJT3CqbMrhryfQNRPaCieMjAkvCJv1VZ:qRoQ02n9dH5M2vkm0y3Cl3pId9Rj9vvC

Score

5^/10

persistence privilege_escalation

Malware Config

Signatures

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SRU\SRUDB.dat	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.jfm	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.chk	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.log	svchost.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133641211466225078"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "233"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
556	chrome.exe
556	chrome.exe
5232	sdiagnhost.exe
5232	sdiagnhost.exe
4868	svchost.exe
4868	svchost.exe
556	chrome.exe
556	chrome.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
672	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
6112	Process not Found
6136	Process not Found
6040	Process not Found
6044	Process not Found
4428	Process not Found
5124	Process not Found
5172	Process not Found
6024	Process not Found
2948	Process not Found
5332	Process not Found
3388	Process not Found
5452	Process not Found
5464	Process not Found
2184	Process not Found
5216	Process not Found
4668	Process not Found
5688	Process not Found
5252	Process not Found
5260	Process not Found
5248	Process not Found
5220	Process not Found
5504	Process not Found
1244	Process not Found
4576	Process not Found
4860	Process not Found
2408	Process not Found
5812	Process not Found
332	Process not Found
5764	Process not Found
2272	Process not Found
5780	Process not Found
1736	Process not Found
5300	Process not Found
5284	Process not Found
5304	Process not Found
2808	Process not Found
3712	Process not Found
3444	Process not Found
5748	Process not Found
5272	Process not Found
636	Process not Found
1140	Process not Found
424	Process not Found
1732	Process not Found
2260	Process not Found
4448	Process not Found
2508	Process not Found
2584	Process not Found
940	Process not Found
1176	Process not Found
2352	Process not Found
2100	Process not Found
2244	Process not Found
4296	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeDebugPrivilege	5232	sdiagnhost.exe
Token: SeShutdownPrivilege	556	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
6020	msdt.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
6000	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 4772	1176	cmd.exe	89
PID 1176 wrote to memory of 4772	1176	cmd.exe	89
PID 556 wrote to memory of 3708	556	chrome.exe	114
PID 556 wrote to memory of 3708	556	chrome.exe	114
PID 556 wrote to memory of 184	556	chrome.exe	115
PID 556 wrote to memory of 184	556	chrome.exe	115
PID 556 wrote to memory of 184	556	chrome.exe	115
PID 556 wrote to memory of 184	556	chrome.exe	115
PID 556 wrote to memory of 184	556	chrome.exe	115
PID 556 wrote to memory of 184	556	chrome.exe	115
PID 556 wrote to memory of 184	556	chrome.exe	115
PID 556 wrote to memory of 184	556	chrome.exe	115
PID 556 wrote to memory of 184	556	chrome.exe	115
PID 556 wrote to memory of 184	556	chrome.exe	115
PID 556 wrote to memory of 184	556	chrome.exe	115
PID 556 wrote to memory of 184	556	chrome.exe	115
PID 556 wrote to memory of 184	556	chrome.exe	115
PID 556 wrote to memory of 184	556	chrome.exe	115
PID 556 wrote to memory of 184	556	chrome.exe	115
PID 556 wrote to memory of 184	556	chrome.exe	115
PID 556 wrote to memory of 184	556	chrome.exe	115
PID 556 wrote to memory of 184	556	chrome.exe	115
PID 556 wrote to memory of 184	556	chrome.exe	115
PID 556 wrote to memory of 184	556	chrome.exe	115
PID 556 wrote to memory of 184	556	chrome.exe	115
PID 556 wrote to memory of 184	556	chrome.exe	115
PID 556 wrote to memory of 184	556	chrome.exe	115
PID 556 wrote to memory of 184	556	chrome.exe	115
PID 556 wrote to memory of 184	556	chrome.exe	115
PID 556 wrote to memory of 184	556	chrome.exe	115
PID 556 wrote to memory of 184	556	chrome.exe	115
PID 556 wrote to memory of 184	556	chrome.exe	115
PID 556 wrote to memory of 184	556	chrome.exe	115
PID 556 wrote to memory of 184	556	chrome.exe	115
PID 556 wrote to memory of 184	556	chrome.exe	115
PID 556 wrote to memory of 2676	556	chrome.exe	116
PID 556 wrote to memory of 2676	556	chrome.exe	116
PID 556 wrote to memory of 624	556	chrome.exe	117
PID 556 wrote to memory of 624	556	chrome.exe	117
PID 556 wrote to memory of 624	556	chrome.exe	117
PID 556 wrote to memory of 624	556	chrome.exe	117
PID 556 wrote to memory of 624	556	chrome.exe	117
PID 556 wrote to memory of 624	556	chrome.exe	117
PID 556 wrote to memory of 624	556	chrome.exe	117
PID 556 wrote to memory of 624	556	chrome.exe	117
PID 556 wrote to memory of 624	556	chrome.exe	117
PID 556 wrote to memory of 624	556	chrome.exe	117
PID 556 wrote to memory of 624	556	chrome.exe	117
PID 556 wrote to memory of 624	556	chrome.exe	117
PID 556 wrote to memory of 624	556	chrome.exe	117
PID 556 wrote to memory of 624	556	chrome.exe	117
PID 556 wrote to memory of 624	556	chrome.exe	117
PID 556 wrote to memory of 624	556	chrome.exe	117
PID 556 wrote to memory of 624	556	chrome.exe	117
PID 556 wrote to memory of 624	556	chrome.exe	117
PID 556 wrote to memory of 624	556	chrome.exe	117
PID 556 wrote to memory of 624	556	chrome.exe	117
PID 556 wrote to memory of 624	556	chrome.exe	117
PID 556 wrote to memory of 624	556	chrome.exe	117
PID 556 wrote to memory of 624	556	chrome.exe	117
PID 556 wrote to memory of 624	556	chrome.exe	117
PID 556 wrote to memory of 624	556	chrome.exe	117
PID 556 wrote to memory of 624	556	chrome.exe	117
PID 556 wrote to memory of 624	556	chrome.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo
1⤵
PID:1684

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Windows\system32\help.exe
  help
  2⤵
  PID:4772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff85958ab58,0x7ff85958ab68,0x7ff85958ab78
  2⤵
  PID:3708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1956,i,11022030612913617012,1483149275580683272,131072 /prefetch:2
  2⤵
  PID:184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 --field-trial-handle=1956,i,11022030612913617012,1483149275580683272,131072 /prefetch:8
  2⤵
  PID:2676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2268 --field-trial-handle=1956,i,11022030612913617012,1483149275580683272,131072 /prefetch:8
  2⤵
  PID:624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2892 --field-trial-handle=1956,i,11022030612913617012,1483149275580683272,131072 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2908 --field-trial-handle=1956,i,11022030612913617012,1483149275580683272,131072 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4284 --field-trial-handle=1956,i,11022030612913617012,1483149275580683272,131072 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 --field-trial-handle=1956,i,11022030612913617012,1483149275580683272,131072 /prefetch:8
  2⤵
  PID:5208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 --field-trial-handle=1956,i,11022030612913617012,1483149275580683272,131072 /prefetch:8
  2⤵
  PID:5276
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:5344
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x254,0x258,0x25c,0x94,0x260,0x7ff790d5ae48,0x7ff790d5ae58,0x7ff790d5ae68
    3⤵
    PID:5360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4804 --field-trial-handle=1956,i,11022030612913617012,1483149275580683272,131072 /prefetch:1
  2⤵
  PID:5532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4864 --field-trial-handle=1956,i,11022030612913617012,1483149275580683272,131072 /prefetch:1
  2⤵
  PID:5624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3244 --field-trial-handle=1956,i,11022030612913617012,1483149275580683272,131072 /prefetch:1
  2⤵
  PID:5728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3500 --field-trial-handle=1956,i,11022030612913617012,1483149275580683272,131072 /prefetch:8
  2⤵
  PID:5820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 --field-trial-handle=1956,i,11022030612913617012,1483149275580683272,131072 /prefetch:8
  2⤵
  PID:5828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 --field-trial-handle=1956,i,11022030612913617012,1483149275580683272,131072 /prefetch:8
  2⤵
  PID:5936
- C:\Windows\system32\msdt.exe
  -modal "524388" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDFC975.tmp" -ep "NetworkDiagnosticsWeb"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:6020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4760 --field-trial-handle=1956,i,11022030612913617012,1483149275580683272,131072 /prefetch:1
  2⤵
  PID:5276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4220 --field-trial-handle=1956,i,11022030612913617012,1483149275580683272,131072 /prefetch:1
  2⤵
  PID:1080

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4344

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5232
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:5480
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4248

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
1⤵
PID:3264
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\winethc.dll",ForceProxyDetectionOnNextRun
  2⤵
  PID:5848

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
1⤵
PID:2964

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3951855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:6000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\SetupMetrics\20240629075227.pma

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024062907.000\NetworkDiagnostics.debugreport.xml

Filesize
73KB

MD5
b3d91eab50ea524ae34bef49d98863ea

SHA1
f72d71965ce999f81605d904a272ea4e384f6c1d

SHA256
3c917bd47dbb56d8d2f6849c35a5a4b71f76192d41c7708e9a83a1382a3a1dbd

SHA512
b31117c684b51e81a16e3577a7318b4c88fee2a8996359936216ef051179e40f879dc41d720a038a6a49e8bb97002d5555c753881e9cea6056135c1fb0320a55

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024062907.000\ResultReport.xml

Filesize
36KB

MD5
c7db8606a427a28af1fcaf2c37fe316c

SHA1
b6c7866db9768def27aac1e2be22fc6cd25bc2f2

SHA256
7e3c30352acf722973ecab063cfa3bb3be037cff11fe7d4abcadcd2421585d78

SHA512
0d201e046f32e12f8d27d90d73e207536ad8d0f35c824fbe792cf901a33c8704377b2c432e32d021f97b2f95d808308df90799bf7b2bc91c1b4fdc1008dc153e

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024062907.000\results.xsl

Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
017c2d90cca19a0639f5f3d6faa22931

SHA1
4d96349dd1a0e1cd142a37c7e177059e7cdfab1a

SHA256
e23bab6373f641efeb0c005dfbfce10497fe7ce46336d9546dd74f623701c647

SHA512
1f1628b2363f5b86063420f9294e1d6a3f8d130f7760fb8b5660b47b614c85bf3332cfc31d6dbc7ab4a6dff37af9df309241fd6cb8a848c2c665616df39564a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
0789514e49d4bdd717632db0966e7349

SHA1
fcc9f44b609d74a605cf12dae482a05c807024ae

SHA256
204756efaa549fc38af70982a5d9aedad475c6ef5b9fd4575e15721bc551078d

SHA512
7f855356735d20f12b5e56b30a5ec19c0681b4a7744ccb05b4a50b9ce78ddbc54077819db424e1bc8121cbf8b9b81b683692bb921ff3c1cf998a95d4cbe557a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
e886b8206fa1db35e9bebf670abf413f

SHA1
6780919bf5164f34b26f6a3cfa00d3f002b9dccd

SHA256
4707c2987f79582907654d2eb2a430808b3bf0ce5ed99a31e4f16b3a1191ff3f

SHA512
3f78e9809cde3f8a27100c439792d0cd7ebafc3d65476484c06061a6f77ce65ae060b535058f4d7de06d08315997a876ef2976f5515b24ea129bb0c83dd2a406

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
287KB

MD5
614f3f1f5129487453db7f5a831c6aa4

SHA1
97875b38478bc34a849ce2916cf0d788722f6e5a

SHA256
3076f22bd2664a9de4455b97e864f537f5ccd3e6263a293c97a61956d3efb107

SHA512
c34088f025dd760f0e1b0f113c18b3bd0ccf3f30916932130a78c1eca050756c68b8d1ca815e68fbb1f68d38f4a2bd6bd3f29815b7bd7690c9e84af33b9f3a43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
d8ec7cb2a0bddcdf73458b8cd6323e13

SHA1
9f3353ce074e5ac3a4b27906ad87d598321e17f6

SHA256
52b80a7372237d3e554711a0d143466ece3ef8f960d83d71dd4d1a61711241b0

SHA512
46ba572ed96403fb90bba15fc02e34ed1aa7d4e80966fb07c7353ed7f43aeaac3df9e0c15995dac6d96dce7cadae9d0fd9b8457ce946c8cf79373cf6d9229958

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58f085.TMP

Filesize
89KB

MD5
60b7c1a99dd0303e7b66068124e82d45

SHA1
2929e5f27ddd12f1a7007e0a2e56019dddee2638

SHA256
1994b869aed9de6598719ca3eb6180f6584d52f6f1a94774801aa6877ff3bd1a

SHA512
c42193b9c1ea4ec6fdd43b6511ce75deed444f7d0401afb152dfa8d5549c195017ed5b3e4a9e0c9ecd598e09ecfc598aeeac7e34bf09d8d8438f333053e13f0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\eac9979c-38a5-42dc-a72b-a3f81a911098.tmp

Filesize
93KB

MD5
d333e2fe56ec06fc38b3c81ad2fba1ff

SHA1
cdc14f64342c3dd4f0adfb01711471c12a801019

SHA256
7393a7e0712dced338a71bf169c9aa57aa198401294fde906e0667c6ced99a2a

SHA512
0dbf76d535f615241ebf03bdc455560223194114befb2836b3bd5d91a992ed7d3a1fc295479a896ee981d6ab35155c48bdecafb1c3759434a970848d39574230

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDFC975.tmp

Filesize
3KB

MD5
e310e5578a38aa0803fe501af84e061d

SHA1
ec4e52893b7da842778df8d6658b356de731249b

SHA256
904b48d7f7c6f079ddf5453bfe05bd98118a7e69d0bba17a75f2209a7a5389bd

SHA512
36465ac3ee139947b6623b0efc85cbf66dc8640dbb41abb613057b7d4b48e816bb67cc4893bd994f4f81d2978397f0a8361b2300eb5fb38cb0dcf01a546bceb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wjyckl0z.zsa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\TEMP\SDIAG_e03c8466-b244-48b5-abbe-5c6c8b3f9786\NetworkDiagnosticsTroubleshoot.ps1

Filesize
25KB

MD5
d0cfc204ca3968b891f7ce0dccfb2eda

SHA1
56dad1716554d8dc573d0ea391f808e7857b2206

SHA256
e3940266b4368c04333db89804246cb89bf2073626f22b8de72bea27c522282a

SHA512
4d2225b599ad8af8ba8516f12cfddca5ec0ce69c5c80b133a6a323e9aaf5e0312efbcfa54d2e4462a5095f9a7c42b9d5b39f3204e0be72c3b1992cf33b22087c

Download Submit
C:\Windows\TEMP\SDIAG_e03c8466-b244-48b5-abbe-5c6c8b3f9786\StartDPSService.ps1

Filesize
567B

MD5
a660422059d953c6d681b53a6977100e

SHA1
0c95dd05514d062354c0eecc9ae8d437123305bb

SHA256
d19677234127c38a52aec23686775a8eb3f4e3a406f4a11804d97602d6c31813

SHA512
26f8cf9ac95ff649ecc2ed349bc6c7c3a04b188594d5c3289af8f2768ab59672bc95ffefcc83ed3ffa44edd0afeb16a4c2490e633a89fce7965843674d94b523

Download Submit
C:\Windows\TEMP\SDIAG_e03c8466-b244-48b5-abbe-5c6c8b3f9786\UtilityFunctions.ps1

Filesize
53KB

MD5
c912faa190464ce7dec867464c35a8dc

SHA1
d1c6482dad37720db6bdc594c4757914d1b1dd70

SHA256
3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201

SHA512
5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a

Download Submit
C:\Windows\TEMP\SDIAG_e03c8466-b244-48b5-abbe-5c6c8b3f9786\UtilitySetConstants.ps1

Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_e03c8466-b244-48b5-abbe-5c6c8b3f9786\en-US\LocalizationData.psd1

Filesize
5KB

MD5
380768979618b7097b0476179ec494ed

SHA1
af2a03a17c546e4eeb896b230e4f2a52720545ab

SHA256
0637af30fc3b3544b1f516f6196a8f821ffbfa5d36d65a8798aeeadbf2e8a7c2

SHA512
b9ef59e9bfdbd49052a4e754ead8cd54b77e79cc428e7aee2b80055ff5f0b038584af519bd2d66258cf3c01f8cc71384f6959ee32111eac4399c47e1c2352302

Download Submit
C:\Windows\Temp\SDIAG_e03c8466-b244-48b5-abbe-5c6c8b3f9786\DiagPackage.dll

Filesize
478KB

MD5
580dc3658fa3fe42c41c99c52a9ce6b0

SHA1
3c4be12c6e3679a6c2267f88363bbd0e6e00cac5

SHA256
5b7aa413e4a64679c550c77e6599a1c940ee947cbdf77d310e142a07a237aad2

SHA512
68c52cd7b762b8f5d2f546092ed9c4316924fa04bd3ab748ab99541a8b4e7d9aec70acf5c9594d1457ad3a2f207d0c189ec58421d4352ddbc7eae453324d13f2

Download Submit
C:\Windows\Temp\SDIAG_e03c8466-b244-48b5-abbe-5c6c8b3f9786\en-US\DiagPackage.dll.mui

Filesize
17KB

MD5
44c4385447d4fa46b407fc47c8a467d0

SHA1
41e4e0e83b74943f5c41648f263b832419c05256

SHA256
8be175e8fbdae0dade54830fece6c6980d1345dbeb4a06c07f7efdb1152743f4

SHA512
191cd534e85323a4cd9649a1fc372312ed4a600f6252dffc4435793650f9dd40d0c0e615ba5eb9aa437a58af334146aac7c0ba08e0a1bf24ec4837a40f966005

Download Submit
memory/4868-456-0x000001EAB2EE0000-0x000001EAB2EE1000-memory.dmp

Filesize
4KB

Download
memory/4868-453-0x000001EAB2D70000-0x000001EAB2D80000-memory.dmp

Filesize
64KB

Download
memory/4868-448-0x000001EAB2D20000-0x000001EAB2D30000-memory.dmp

Filesize
64KB

Download
memory/5232-438-0x0000024FACA50000-0x0000024FACA72000-memory.dmp

Filesize
136KB

Download