hxxps://github[.]com/Endermanch/MalwareDatabase

Resubmissions

07-07-2024 19:27

240707-x6hb4ayhre 10

07-07-2024 19:21

240707-x21ymsyhna 10

07-07-2024 19:18

240707-x1a1tsxaqr 4

Analysis

max time kernel
87s
max time network
74s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
07-07-2024 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 4 IoCs

Processes:

UserOOBEBroker.exe

description	ioc	process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133648536119233114"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings firefox.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

1056 chrome.exe
1056 chrome.exe
Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid

4
4
4
4
4
660

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	firefox.exe

pid
4
4
4
4
4
660

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

Processes:

chrome.exe

pid	process
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exefirefox.exe

description	pid	process
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeShutdownPrivilege	1056	chrome.exe
Token: SeCreatePagefilePrivilege	1056	chrome.exe
Token: SeDebugPrivilege	3760	firefox.exe
Token: SeDebugPrivilege	3760	firefox.exe

Suspicious use of FindShellTrayWindow 31 IoCs

Processes:

chrome.exefirefox.exe

pid	process
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
3760	firefox.exe
3760	firefox.exe
3760	firefox.exe
3760	firefox.exe

Suspicious use of SendNotifyMessage 15 IoCs

Processes:

chrome.exefirefox.exe

pid	process
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
3760	firefox.exe
3760	firefox.exe
3760	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

3760 firefox.exe

pid	process
3760	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1056 wrote to memory of 3380	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 3380	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 3340	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 3340	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 3340	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 3340	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 3340	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 3340	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 3340	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 3340	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 3340	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 3340	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 3340	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 3340	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 3340	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 3340	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 3340	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 3340	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 3340	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 3340	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 3340	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 3340	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 3340	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 3340	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 3340	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 3340	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 3340	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 3340	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 3340	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 3340	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 3340	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 3340	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 3340	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 3856	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 3856	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4564	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4564	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4564	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4564	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4564	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4564	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4564	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4564	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4564	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4564	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4564	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4564	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4564	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4564	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4564	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4564	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4564	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4564	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4564	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4564	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4564	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4564	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4564	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4564	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4564	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4564	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4564	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4564	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4564	1056	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Endermanch/MalwareDatabase
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff5c82ab58,0x7fff5c82ab68,0x7fff5c82ab78
2⤵
PID:3380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1536 --field-trial-handle=1824,i,4693996324327958040,9809258600691285898,131072 /prefetch:2
2⤵
PID:3340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1824,i,4693996324327958040,9809258600691285898,131072 /prefetch:8
2⤵
PID:3856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2116 --field-trial-handle=1824,i,4693996324327958040,9809258600691285898,131072 /prefetch:8
2⤵
PID:4564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2964 --field-trial-handle=1824,i,4693996324327958040,9809258600691285898,131072 /prefetch:1
2⤵
PID:5108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3028 --field-trial-handle=1824,i,4693996324327958040,9809258600691285898,131072 /prefetch:1
2⤵
PID:4368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4596 --field-trial-handle=1824,i,4693996324327958040,9809258600691285898,131072 /prefetch:8
2⤵
PID:2480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4340 --field-trial-handle=1824,i,4693996324327958040,9809258600691285898,131072 /prefetch:8
2⤵
PID:1112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5112 --field-trial-handle=1824,i,4693996324327958040,9809258600691285898,131072 /prefetch:1
2⤵
PID:3224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3996 --field-trial-handle=1824,i,4693996324327958040,9809258600691285898,131072 /prefetch:1
2⤵
PID:1648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3064 --field-trial-handle=1824,i,4693996324327958040,9809258600691285898,131072 /prefetch:1
2⤵
PID:1536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4680 --field-trial-handle=1824,i,4693996324327958040,9809258600691285898,131072 /prefetch:1
2⤵
PID:5028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3996 --field-trial-handle=1824,i,4693996324327958040,9809258600691285898,131072 /prefetch:1
2⤵
PID:3368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4340 --field-trial-handle=1824,i,4693996324327958040,9809258600691285898,131072 /prefetch:1
2⤵
PID:1852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3372 --field-trial-handle=1824,i,4693996324327958040,9809258600691285898,131072 /prefetch:1
2⤵
PID:3440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3376 --field-trial-handle=1824,i,4693996324327958040,9809258600691285898,131072 /prefetch:1
2⤵
PID:788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4876 --field-trial-handle=1824,i,4693996324327958040,9809258600691285898,131072 /prefetch:1
2⤵
PID:1972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 --field-trial-handle=1824,i,4693996324327958040,9809258600691285898,131072 /prefetch:8
2⤵
PID:2776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 --field-trial-handle=1824,i,4693996324327958040,9809258600691285898,131072 /prefetch:8
2⤵
PID:2324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3404 --field-trial-handle=1824,i,4693996324327958040,9809258600691285898,131072 /prefetch:8
2⤵
PID:1108

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1424

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:3824

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:1336

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1928

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3760

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3760.0.1530404137\1940427302" -parentBuildID 20230214051806 -prefsHandle 1748 -prefMapHandle 1740 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {12a6e4a1-4256-4394-a096-530f81e9cbd3} 3760 "\\.\pipe\gecko-crash-server-pipe.3760" 1828 1d96291fa58 gpu
3⤵
PID:2064

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3760.1.2099716134\1428350194" -parentBuildID 20230214051806 -prefsHandle 2340 -prefMapHandle 2328 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07f9cf2c-94a0-49dc-b3c0-e32f142eb556} 3760 "\\.\pipe\gecko-crash-server-pipe.3760" 2352 1d94e58ae58 socket
3⤵
- Checks processor information in registry
PID:1780

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3760.2.1021273601\536861931" -childID 1 -isForBrowser -prefsHandle 2972 -prefMapHandle 2968 -prefsLen 22148 -prefMapSize 235121 -jsInitHandle 1276 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a3ed1e7-d507-4c4a-a99c-91f6b995bc26} 3760 "\\.\pipe\gecko-crash-server-pipe.3760" 2984 1d9654f9858 tab
3⤵
PID:1176

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3760.3.2109392905\718780628" -childID 2 -isForBrowser -prefsHandle 3568 -prefMapHandle 3564 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1276 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b995a3c-9a01-4c20-bc6e-89241242c149} 3760 "\\.\pipe\gecko-crash-server-pipe.3760" 3580 1d94e57ae58 tab
3⤵
PID:2004

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3760.4.278072027\1287865931" -childID 3 -isForBrowser -prefsHandle 5100 -prefMapHandle 5092 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1276 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {50857ba5-858d-4a7c-8b44-f22b72013542} 3760 "\\.\pipe\gecko-crash-server-pipe.3760" 5068 1d96ada6b58 tab
3⤵
PID:1388

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3760.5.1331793180\21682651" -childID 4 -isForBrowser -prefsHandle 5172 -prefMapHandle 5176 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1276 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {370e81f3-f668-4ddc-b8aa-33aa07aeda1c} 3760 "\\.\pipe\gecko-crash-server-pipe.3760" 5164 1d96ada6858 tab
3⤵
PID:3876

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3760.6.48189105\1498203483" -childID 5 -isForBrowser -prefsHandle 5384 -prefMapHandle 5388 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1276 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bdccd25b-0c62-4cf2-985a-a8000b26dda3} 3760 "\\.\pipe\gecko-crash-server-pipe.3760" 5372 1d96ada3558 tab
3⤵
PID:3584

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\ResolveStep.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
PID:884

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
810B

MD5
d575ecea7ca162acb135b47929ec1bce

SHA1
72c75910678d9f829a736edb8b052649e1f24971

SHA256
b6bb5f8a03bf1ee5ecdc7d5667e0f62c85a152da17dcc0c9399e2d4eb4567afd

SHA512
82783424290ee36cbc44762ce97826dcf8669551ea965398b9ec43f5ff81e43fefabb88af6d1cc3b66a7f7334a17da935be23ca7417dc7145248d9d6e1282933

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
64efb842d4818e53ebbcdbe9519bfdd5

SHA1
637b1fbeb091a154297b9e6998da7a13b3cbda13

SHA256
8ff07cf754a9770601402809df169da7d0134cd55df3b9198b0bd88da528c92a

SHA512
930a8c0c18d972b5d50f8b8a3e51b04df18b0847ce7a5930673a394127a91a7ecb5b9b1ce6da5a2b9ad36febe5cd1a16049e768a54ccd67a4c51e95bc601c65f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
c4e2deb7e7f03f163fac47ca519778df

SHA1
0e3e4dc42e7ca40b36120e693521b1ea3a6560db

SHA256
a225a811657bd05bbc4463d9167d761d78309de13a92dd2fb3237594345353ea

SHA512
a0884b9acd08ef74d86f2831c91dfbfedd7efd0714867086065e697d87aa4b1c7ccdd7cfc173568afb1da2f1a2a7fd3a117c3a3ff2c568cc396751ecd527d69b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
41953dc7202de43b23f8af2153954a5e

SHA1
aa86e73a104af64bf2d6042f44486fa9734dd324

SHA256
45f4f87b4aecc9a5048e252e95e20c327602a2bc625aaf6c67c32479281929f8

SHA512
2ed63e44347eaae49ed897ec8dff16ab33bd667fb7226371cb909a3ed03edde8113846863212829669e74d26598024a968fb83b1a4f121975e67ee9cf920f180

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
131KB

MD5
3160d59286eb104245e321d7057f9331

SHA1
6281b58e95fedb6744496548d2d0844a7211f5ba

SHA256
9f2c5c330023f728c2b31a9c70867b5b42475226bc3a6a247391cec6d075752a

SHA512
dea9dccaa40ffce7fa8ae8aa127eee8e47d65df71ce61590c90c6fcbb1e74fde79e72918838d1364f924d717c720ad1b9a7a53019cb0f8ded3e0abf502b896dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
131KB

MD5
36e524385841c41e665f092e4ae3d605

SHA1
47e037b8aa888487974872725138844cad35064e

SHA256
5082313dd14add5af4b1ce2c85d57eb1d1bde27e9523fae7036f5a2ab09343de

SHA512
a71fa48d330b6e0de5a01b69e6e2c291d27ce1cd2d1a2853b1e1e6d7cb51faafd01e83ed2a820a96e1127d032ad98fe822722765419ece536c50f89ba6417205

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
131KB

MD5
27e18911c6e3fa1fefb5c450ae31d927

SHA1
22a3ded32a4ba6bd3a4eec330f5d5215f1b3aa09

SHA256
f9359f052c5f9087aeb5028da664b43450ab50b14b97ac1f5d7864ab666dba0d

SHA512
f65f472eef22db57cb9d2ac67f37be6568ccb33618ba67887cf41e5399b728c6537b32ab94a132412165b23cef4595f1121426613fc7263ed1bf664f8bc4f9bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
131KB

MD5
91e24df31b0ea87d69fa07d9cad48e4e

SHA1
92bee19d09c33bf1bd1539e410717ce237556f38

SHA256
f897214ab4dec73e0609654b03259e3675fb20e3ef4e71625e92727b46eb587f

SHA512
4bca32fafcd7f78efb678a6802bbd31362e3fa52401e5eec32ee1019cc526010d7ca875097643a9cf065370921c29706a389ee9f47bc64175fa439fb15157751

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
Filesize
264KB

MD5
095529b665b19f1fc3eacb989e480b52

SHA1
c099a86370627392d41f8376d87edd3a1d78468f

SHA256
d1a7f651858a37002cce5e38a3d844366bbfae8a48d4d7c05dce0b37546c96b1

SHA512
c4e51cc3881d63226cc0752aed685c4537782d6df9652f214ca47c5980018035f39b8b4aaf539ee049652b3f34d93aebab3b0c02ba7c9140a60abef746192de1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mg2c1myw.default-release\activity-stream.discovery_stream.json.tmp
Filesize
26KB

MD5
ec7f12f05f8c1344cdb344c32e48cfa4

SHA1
da37a1da62feb108410401b3de644f8f40fd75aa

SHA256
9e23c348b605e8e9ca46906bf9df5103bb165f2240f70c4a9230a98ff6cd1530

SHA512
1e3474a97570c3001e3c3751378a50121d31b2f2d1d48b305ba6ca22c1271f915ea56b2e64a99bf3fcf4d1ffe2321cf44d5fd867a1accf75be7edf8b81ef721d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\prefs-1.js
Filesize
7KB

MD5
83175dd28cc227359b918a2de37aace5

SHA1
e91d2f2a270b79bb2235cb1637450105d88d42f6

SHA256
b1d64bb6d49162cde31f0263bf46d00698b516cc7a5ac5515da4873c4e756c03

SHA512
bdeb516a7afb912cccc3fb669691c8061519300dbbc1ed56c46ee7ecebe4989ebd5bda823f37be5d6243216be5917261522c0e018b98026e54710e115a53effc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\sessionstore.jsonlz4
Filesize
988B

MD5
1ebb84479cf6a8932be80d8e7041e150

SHA1
7dfc26c19762cd78dcb4df270fc8853d53d9aa00

SHA256
a5c70e2b89f67c9b45bab5f4f2f8e685e1e1d1b86200a160c1175c84b51f0b72

SHA512
52b4a19b3b3cf4ee3e4bb18e85918a3ab31b13002cc548b486b330205e65ad1c2fdf3e478d0bfa5c6602c6600af65763005a8dd98ee27a7662a546d367f9477c

Download Submit
\??\pipe\crashpad_1056_IQYYYLBYKFPPUYBU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit