hxxps://github[.]com/Endermanch/MalwareDatabase

max time kernel
123s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 23:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
52	raw.githubusercontent.com
53	raw.githubusercontent.com
50	raw.githubusercontent.com
51	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1672	chrome.exe
1672	chrome.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1672	chrome.exe
1672	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
3820	[email protected]
3820	[email protected]
3820	[email protected]
3820	[email protected]
3820	[email protected]
3820	[email protected]
3820	[email protected]
3820	[email protected]
3820	[email protected]
3820	[email protected]
3820	[email protected]

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe
1736	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 4424	1672	chrome.exe	81
PID 1672 wrote to memory of 4424	1672	chrome.exe	81
PID 1672 wrote to memory of 4800	1672	chrome.exe	82
PID 1672 wrote to memory of 4800	1672	chrome.exe	82
PID 1672 wrote to memory of 4800	1672	chrome.exe	82
PID 1672 wrote to memory of 4800	1672	chrome.exe	82
PID 1672 wrote to memory of 4800	1672	chrome.exe	82
PID 1672 wrote to memory of 4800	1672	chrome.exe	82
PID 1672 wrote to memory of 4800	1672	chrome.exe	82
PID 1672 wrote to memory of 4800	1672	chrome.exe	82
PID 1672 wrote to memory of 4800	1672	chrome.exe	82
PID 1672 wrote to memory of 4800	1672	chrome.exe	82
PID 1672 wrote to memory of 4800	1672	chrome.exe	82
PID 1672 wrote to memory of 4800	1672	chrome.exe	82
PID 1672 wrote to memory of 4800	1672	chrome.exe	82
PID 1672 wrote to memory of 4800	1672	chrome.exe	82
PID 1672 wrote to memory of 4800	1672	chrome.exe	82
PID 1672 wrote to memory of 4800	1672	chrome.exe	82
PID 1672 wrote to memory of 4800	1672	chrome.exe	82
PID 1672 wrote to memory of 4800	1672	chrome.exe	82
PID 1672 wrote to memory of 4800	1672	chrome.exe	82
PID 1672 wrote to memory of 4800	1672	chrome.exe	82
PID 1672 wrote to memory of 4800	1672	chrome.exe	82
PID 1672 wrote to memory of 4800	1672	chrome.exe	82
PID 1672 wrote to memory of 4800	1672	chrome.exe	82
PID 1672 wrote to memory of 4800	1672	chrome.exe	82
PID 1672 wrote to memory of 4800	1672	chrome.exe	82
PID 1672 wrote to memory of 4800	1672	chrome.exe	82
PID 1672 wrote to memory of 4800	1672	chrome.exe	82
PID 1672 wrote to memory of 4800	1672	chrome.exe	82
PID 1672 wrote to memory of 4800	1672	chrome.exe	82
PID 1672 wrote to memory of 4800	1672	chrome.exe	82
PID 1672 wrote to memory of 2660	1672	chrome.exe	83
PID 1672 wrote to memory of 2660	1672	chrome.exe	83
PID 1672 wrote to memory of 2020	1672	chrome.exe	84
PID 1672 wrote to memory of 2020	1672	chrome.exe	84
PID 1672 wrote to memory of 2020	1672	chrome.exe	84
PID 1672 wrote to memory of 2020	1672	chrome.exe	84
PID 1672 wrote to memory of 2020	1672	chrome.exe	84
PID 1672 wrote to memory of 2020	1672	chrome.exe	84
PID 1672 wrote to memory of 2020	1672	chrome.exe	84
PID 1672 wrote to memory of 2020	1672	chrome.exe	84
PID 1672 wrote to memory of 2020	1672	chrome.exe	84
PID 1672 wrote to memory of 2020	1672	chrome.exe	84
PID 1672 wrote to memory of 2020	1672	chrome.exe	84
PID 1672 wrote to memory of 2020	1672	chrome.exe	84
PID 1672 wrote to memory of 2020	1672	chrome.exe	84
PID 1672 wrote to memory of 2020	1672	chrome.exe	84
PID 1672 wrote to memory of 2020	1672	chrome.exe	84
PID 1672 wrote to memory of 2020	1672	chrome.exe	84
PID 1672 wrote to memory of 2020	1672	chrome.exe	84
PID 1672 wrote to memory of 2020	1672	chrome.exe	84
PID 1672 wrote to memory of 2020	1672	chrome.exe	84
PID 1672 wrote to memory of 2020	1672	chrome.exe	84
PID 1672 wrote to memory of 2020	1672	chrome.exe	84
PID 1672 wrote to memory of 2020	1672	chrome.exe	84
PID 1672 wrote to memory of 2020	1672	chrome.exe	84
PID 1672 wrote to memory of 2020	1672	chrome.exe	84
PID 1672 wrote to memory of 2020	1672	chrome.exe	84
PID 1672 wrote to memory of 2020	1672	chrome.exe	84
PID 1672 wrote to memory of 2020	1672	chrome.exe	84
PID 1672 wrote to memory of 2020	1672	chrome.exe	84
PID 1672 wrote to memory of 2020	1672	chrome.exe	84
PID 1672 wrote to memory of 2020	1672	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Endermanch/MalwareDatabase
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe8dfecc40,0x7ffe8dfecc4c,0x7ffe8dfecc58
  2⤵
  PID:4424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1868,i,15640972404546081755,1808020403863441715,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1860 /prefetch:2
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2152,i,15640972404546081755,1808020403863441715,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  PID:2660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,15640972404546081755,1808020403863441715,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2416 /prefetch:8
  2⤵
  PID:2020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,15640972404546081755,1808020403863441715,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,15640972404546081755,1808020403863441715,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4584,i,15640972404546081755,1808020403863441715,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4616 /prefetch:8
  2⤵
  PID:3736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4976,i,15640972404546081755,1808020403863441715,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4880,i,15640972404546081755,1808020403863441715,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  PID:4808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4864,i,15640972404546081755,1808020403863441715,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4756 /prefetch:8
  2⤵
  - Drops file in System32 directory
  PID:2936

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3932

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2680

C:\Users\Admin\AppData\Local\Temp\Temp1_CookieClickerHack.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_CookieClickerHack.zip\[email protected]"
1⤵
- Suspicious use of FindShellTrayWindow
PID:3820

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:1736

C:\Users\Admin\AppData\Local\Temp\Temp1_FakeWindowsUpdate.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_FakeWindowsUpdate.zip\[email protected]"
1⤵
- System Location Discovery: System Language Discovery
PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
1f502e3c0fd13c7a106f7eaa34efeafb

SHA1
d2add8b16f6bb1ddb65eab76c6952d4106dee7f3

SHA256
8916e1346884365287b730d7a435ed70bc8628559f753b8c11b8af534c35491a

SHA512
69df6d241cb24477f2e18f950acbc37ddc2029ab014e53b90dcafcbb0e4f96788a7708afe51210b878be33bb60c33c0bc71aa7cf344e82df6343d96f1d29563f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
3afe149c592f30dfa398dec630c349dd

SHA1
80240b42afad55823cc5b925a3642abdab8d88c7

SHA256
64dd1a14d74391d3e47d4f1626caa0e67696c7a35aed20bdf45c1c5c7b88ded4

SHA512
e237658a45409a78d951742d5ab0bd626472a73db1aa54f45280230fb8623fb8c73465b5283bd51fb455563cfd3cd314c23adb97d3fcbc9488670504598027d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c3130601065e862b0f30fbc3467eafe0

SHA1
fbc831bf7bcbe4e9df50468758d731adb905fc98

SHA256
be22c2458ea8a2bbfd39eb2b59765da5a7bbf56bc523ffa364f849ea5c78808c

SHA512
d9be11f325822065fa0f36c0822ad6f5cfa7ddca16fd4129eaf724a2091dcb41d529321a7754404612df48eecbb802e3c6191b788a3ab1269d2db1d49bad0f2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
43a9bd293ed0daaf8e4d0b881c67c5e9

SHA1
dd9035794bc47f8f41fa5b6af51975a2f59c0603

SHA256
0ed4505fdf8b89219de07cce090b43355bbd42155f9dd5978112a310474c619c

SHA512
1194c09a019fb4b1e53ffaf15fee24b5340171cb5790ab88a727bc36d53efb41f7815da0529a93c60e2db0592071a56efdb7e26fa0d5c398b8345aa1c8f1fd11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
15e7a0339597f9920514f321d585615a

SHA1
eb904474c83b9d2e265d7a4b5acf913dc865f174

SHA256
1bbd6048a4ff39d9bfb3f990dbe2c2ee39fc20b4dc285869be312c2bc5fba076

SHA512
013c88b94b950a175f3f2b1ff640e8fa37c6d15ce9b7c47540dc14e9e500c1e5aba8e00d41aec856cdd61a8b3af5e9a3dd09e789d9663aaa1c81f433c80b4d88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3af0220d9d57b466d68053fa76ffaf48

SHA1
4ee373f778f1954426cc92181b81b9ca1e1b2d98

SHA256
69b1a406c0317a1b52cf84244ebd8f0b9570fbeca55d3a5e67ce251c9978d84a

SHA512
233a1c105831d292b7fb6edcf39ad6aca2c8229b2a9482553600310fd2c236fe1f4f7bb6999007081e7f123e07c76b355432d362569a517ef51da28f7ae5b111

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
99d8f9e0fea483451f88a22b721218f8

SHA1
e9a7fbc26ecf60b6517e1addb31920eeef691f1d

SHA256
4954494cec9b737a21778557fb2d8ab925a0d04693be1cef778743d35f4552c3

SHA512
f791284b8fdc2f7ac90c1b26469ba9ea4b0ca58f13542046e0e5e5a31d7bc8608c3e217b308e67cc32c173f809d3ca2edaf0a5d9e99192fcedec4f9d8c8db52b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
9b80ef793ee022c9eeec210b77a8d549

SHA1
cbc44a8cfaf62917f90da7edeeba92bc5be48336

SHA256
bb942d0c6acf0fd0ceae1bf8f9856a95f00471c518e4a967d88ab1de299c59d6

SHA512
1444d5d87e2a4d204af0432eed0252cbdcd5fd3e4a42b212bc0a5f5895d650bf3ae7c7550d239c6712e504d93806743984ed638c76076ab5d588138cfa393fc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
700968d6e37610bc61d8d63afae85621

SHA1
222ff2590df4f810ba4ce177611481273e8346ab

SHA256
d3db5d07001eece2c16246ab177fa015e96f0ed66595b470d3b75d6cd7a1f23a

SHA512
ea215cc4b0584706e431daff7486730eacac1e62579dcb840b802847b582c62da8f579c9f4c7a52b1e177d8b80ae55e52e612fd2edef97420e28c5a82f32a03d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ec727e75050dbdbdade07693574c05e9

SHA1
8fc3ecc58378566538cb0f90a2ce7fa840cb7881

SHA256
721ac0a213c21b317b3dde065e168282f25eae853768d0e12599d93ab9710fc9

SHA512
21813ce930bb23337452c54749367e3892fa61e2b6810e5369fcf695345e7ae7575f6b5db780739b621b42f7f9182a012d3b8e52b68648ff6f3c6745ccfda81e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
b718729439b505568fa1176b8b47a4a4

SHA1
c862e04f5b7bb0192dafd97d7a187347a97685f6

SHA256
1a0a177b55bfc55a4203841bf2aad95508143f10a00f3637c2f18de45f8a651a

SHA512
f4130db0e05776fb64f2a4413b2582fd6ffae92508fa3ed2f72a23eb5b9b71ef7a40df292a09c35fe7d14ecae2bd9bab104d09be9cc8f49a6486f2752423b024

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6982cd49b10d2752c39db9364453978d

SHA1
9fc03b6fb1aa912b170ff02b747f4de44b096bf3

SHA256
2db8d810eddbab50dba8c101da27e53ead3db9f08ed6a4b500125e0a73cc7784

SHA512
fbf2bf2fe360edf1e2fefabe1915c253e6161e5f3ad7df3fa0b34a52611e3cc7a7a94fe3d27994e35b42188a41c670e23c5b807065ef700fe1d880b0669b9e3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
72a978658ba23684cfc2cdbfc8f234e8

SHA1
18e18b8761cb49fe99dc84f8a1121799f6df3f83

SHA256
f4486819745061707590d9f9ee082cabd917cd3356bd239bb1d8e63e551cc23d

SHA512
8cb15a91dc671ea32559e51d450a632c5187184782dd95509b5fc0fbfa82b97c897da98c830c2e2deb72244a6990ce4aa52429d521a9b8c91f32572c64502702

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
7017ee6e5d6b5b027a2a3a7fb8b3be06

SHA1
c433688ea4bf2434e3ba2e2870de993d0c0ba9be

SHA256
621fb2ed54f89370ff2991f5fd948900cc047f66c185e406bfff69bfa58ec531

SHA512
cb4ddeba084c2f9bac68f6255734c0fdc9c917cec0804584473af885ff3f2730de263b8efac8f46286e460c987e0749801b52dca9dfebf81e45e630dea26ac6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
909a3803456c46ab68b05b22df31e284

SHA1
825eb9ae6e6d751ac9d88b1a79609b5cb5155245

SHA256
da6e1d964dc54b87dd09a207417d3c1bc17ada07f18affe55874a7420f39a5a0

SHA512
ac5ee07b5453169a2d8500ba16b63bcc20a9029d39cc65ed3c82f2ea05f2c78f770dc7ab4520369962cf98046aee468d8a1515ce2ee0fdd2fee71c503b067ad9

Download Submit
C:\Users\Admin\Downloads\CookieClickerHack.zip

Filesize
20KB

MD5
a7bcca47b5413eb92250a45f86d1ab75

SHA1
915ad4c18ae188da9ab338ced6862c4efb670091

SHA256
b7f82523253c3a1f18de5c649a96132820d89274cdf7a8c5cd3f47a79e76ed39

SHA512
4a666fe25bbaf41ff217a07bdd19fd9e2f57dba228511d9ae92d3ee75adaeb952fd91d4d4472e0c73babfb86806d54ddbe3d603ae124545b89ebdf570db19d87

Download Submit
C:\Users\Admin\Downloads\FakeWindowsUpdate.zip.crdownload

Filesize
604KB

MD5
9e94a2a8c092b611420f8bfdbac7beb8

SHA1
38e21ee8cfa81fd26dabfb0923b108b54db6f409

SHA256
8f8f4fba17fdb1538ddff73763cf6bac274f2dd1fd53c4656d45f496ce690f12

SHA512
dc550716d82bbd3f44ad25f67d8d894d94e5cc1e15c996c9a6e3d9fe5fa9acfe5d2b9134736d72c4e2a72434298e6419987319242776e7bd68e0a87783c0fef4

Download Submit
memory/1736-285-0x0000024B97C20000-0x0000024B97C21000-memory.dmp

Filesize
4KB

Download
memory/1736-283-0x0000024B97C20000-0x0000024B97C21000-memory.dmp

Filesize
4KB

Download
memory/1736-275-0x0000024B97C20000-0x0000024B97C21000-memory.dmp

Filesize
4KB

Download
memory/1736-274-0x0000024B97C20000-0x0000024B97C21000-memory.dmp

Filesize
4KB

Download
memory/1736-280-0x0000024B97C20000-0x0000024B97C21000-memory.dmp

Filesize
4KB

Download
memory/1736-279-0x0000024B97C20000-0x0000024B97C21000-memory.dmp

Filesize
4KB

Download
memory/1736-284-0x0000024B97C20000-0x0000024B97C21000-memory.dmp

Filesize
4KB

Download
memory/1736-273-0x0000024B97C20000-0x0000024B97C21000-memory.dmp

Filesize
4KB

Download
memory/1736-282-0x0000024B97C20000-0x0000024B97C21000-memory.dmp

Filesize
4KB

Download
memory/1736-281-0x0000024B97C20000-0x0000024B97C21000-memory.dmp

Filesize
4KB

Download
memory/2588-327-0x0000000000CE0000-0x0000000000D9C000-memory.dmp

Filesize
752KB

Download
memory/2588-328-0x0000000005C80000-0x0000000006224000-memory.dmp

Filesize
5.6MB

Download
memory/2588-329-0x0000000005770000-0x0000000005802000-memory.dmp

Filesize
584KB

Download
memory/2588-330-0x0000000005930000-0x000000000593A000-memory.dmp

Filesize
40KB

Download
memory/3820-247-0x000000001B130000-0x000000001B1D6000-memory.dmp

Filesize
664KB

Download
memory/3820-286-0x00007FFE7A610000-0x00007FFE7AFB1000-memory.dmp

Filesize
9.6MB

Download
memory/3820-254-0x00007FFE7A610000-0x00007FFE7AFB1000-memory.dmp

Filesize
9.6MB

Download
memory/3820-253-0x000000001BE50000-0x000000001BE9C000-memory.dmp

Filesize
304KB

Download
memory/3820-252-0x000000001BB90000-0x000000001BB98000-memory.dmp

Filesize
32KB

Download
memory/3820-251-0x000000001BCF0000-0x000000001BD8C000-memory.dmp

Filesize
624KB

Download
memory/3820-250-0x000000001B6C0000-0x000000001BB8E000-memory.dmp

Filesize
4.8MB

Download
memory/3820-249-0x00007FFE7A610000-0x00007FFE7AFB1000-memory.dmp

Filesize
9.6MB

Download
memory/3820-248-0x00007FFE7A610000-0x00007FFE7AFB1000-memory.dmp

Filesize
9.6MB

Download
memory/3820-246-0x00007FFE7A8C5000-0x00007FFE7A8C6000-memory.dmp

Filesize
4KB

Download