hxxp://free[.]webcompanion[.]com

Analysis

max time kernel
73s
max time network
74s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://free.webcompanion.com

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4328	chrome.exe
4328	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe
Token: SeShutdownPrivilege	4328	chrome.exe
Token: SeCreatePagefilePrivilege	4328	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4328 wrote to memory of 3508	4328	chrome.exe	81
PID 4328 wrote to memory of 3508	4328	chrome.exe	81
PID 4328 wrote to memory of 1560	4328	chrome.exe	83
PID 4328 wrote to memory of 1560	4328	chrome.exe	83
PID 4328 wrote to memory of 1560	4328	chrome.exe	83
PID 4328 wrote to memory of 1560	4328	chrome.exe	83
PID 4328 wrote to memory of 1560	4328	chrome.exe	83
PID 4328 wrote to memory of 1560	4328	chrome.exe	83
PID 4328 wrote to memory of 1560	4328	chrome.exe	83
PID 4328 wrote to memory of 1560	4328	chrome.exe	83
PID 4328 wrote to memory of 1560	4328	chrome.exe	83
PID 4328 wrote to memory of 1560	4328	chrome.exe	83
PID 4328 wrote to memory of 1560	4328	chrome.exe	83
PID 4328 wrote to memory of 1560	4328	chrome.exe	83
PID 4328 wrote to memory of 1560	4328	chrome.exe	83
PID 4328 wrote to memory of 1560	4328	chrome.exe	83
PID 4328 wrote to memory of 1560	4328	chrome.exe	83
PID 4328 wrote to memory of 1560	4328	chrome.exe	83
PID 4328 wrote to memory of 1560	4328	chrome.exe	83
PID 4328 wrote to memory of 1560	4328	chrome.exe	83
PID 4328 wrote to memory of 1560	4328	chrome.exe	83
PID 4328 wrote to memory of 1560	4328	chrome.exe	83
PID 4328 wrote to memory of 1560	4328	chrome.exe	83
PID 4328 wrote to memory of 1560	4328	chrome.exe	83
PID 4328 wrote to memory of 1560	4328	chrome.exe	83
PID 4328 wrote to memory of 1560	4328	chrome.exe	83
PID 4328 wrote to memory of 1560	4328	chrome.exe	83
PID 4328 wrote to memory of 1560	4328	chrome.exe	83
PID 4328 wrote to memory of 1560	4328	chrome.exe	83
PID 4328 wrote to memory of 1560	4328	chrome.exe	83
PID 4328 wrote to memory of 1560	4328	chrome.exe	83
PID 4328 wrote to memory of 1560	4328	chrome.exe	83
PID 4328 wrote to memory of 4300	4328	chrome.exe	84
PID 4328 wrote to memory of 4300	4328	chrome.exe	84
PID 4328 wrote to memory of 4836	4328	chrome.exe	85
PID 4328 wrote to memory of 4836	4328	chrome.exe	85
PID 4328 wrote to memory of 4836	4328	chrome.exe	85
PID 4328 wrote to memory of 4836	4328	chrome.exe	85
PID 4328 wrote to memory of 4836	4328	chrome.exe	85
PID 4328 wrote to memory of 4836	4328	chrome.exe	85
PID 4328 wrote to memory of 4836	4328	chrome.exe	85
PID 4328 wrote to memory of 4836	4328	chrome.exe	85
PID 4328 wrote to memory of 4836	4328	chrome.exe	85
PID 4328 wrote to memory of 4836	4328	chrome.exe	85
PID 4328 wrote to memory of 4836	4328	chrome.exe	85
PID 4328 wrote to memory of 4836	4328	chrome.exe	85
PID 4328 wrote to memory of 4836	4328	chrome.exe	85
PID 4328 wrote to memory of 4836	4328	chrome.exe	85
PID 4328 wrote to memory of 4836	4328	chrome.exe	85
PID 4328 wrote to memory of 4836	4328	chrome.exe	85
PID 4328 wrote to memory of 4836	4328	chrome.exe	85
PID 4328 wrote to memory of 4836	4328	chrome.exe	85
PID 4328 wrote to memory of 4836	4328	chrome.exe	85
PID 4328 wrote to memory of 4836	4328	chrome.exe	85
PID 4328 wrote to memory of 4836	4328	chrome.exe	85
PID 4328 wrote to memory of 4836	4328	chrome.exe	85
PID 4328 wrote to memory of 4836	4328	chrome.exe	85
PID 4328 wrote to memory of 4836	4328	chrome.exe	85
PID 4328 wrote to memory of 4836	4328	chrome.exe	85
PID 4328 wrote to memory of 4836	4328	chrome.exe	85
PID 4328 wrote to memory of 4836	4328	chrome.exe	85
PID 4328 wrote to memory of 4836	4328	chrome.exe	85
PID 4328 wrote to memory of 4836	4328	chrome.exe	85
PID 4328 wrote to memory of 4836	4328	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://free.webcompanion.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff6fbacc40,0x7fff6fbacc4c,0x7fff6fbacc58
  2⤵
  PID:3508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1964,i,8956175914048574732,12851585076781757560,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1960 /prefetch:2
  2⤵
  PID:1560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1948,i,8956175914048574732,12851585076781757560,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2028 /prefetch:3
  2⤵
  PID:4300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,8956175914048574732,12851585076781757560,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2448 /prefetch:8
  2⤵
  PID:4836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3028,i,8956175914048574732,12851585076781757560,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3060 /prefetch:1
  2⤵
  PID:2460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3032,i,8956175914048574732,12851585076781757560,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3092 /prefetch:1
  2⤵
  PID:4184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3736,i,8956175914048574732,12851585076781757560,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4456 /prefetch:1
  2⤵
  PID:2816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3368,i,8956175914048574732,12851585076781757560,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3344 /prefetch:8
  2⤵
  PID:1108

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
168bf4b4fdd0e87166e2b6a66eea1808

SHA1
1a920480ddef9844ac557cc2521fe7e2b7e7606c

SHA256
17aa25f25d71f9deb5d35fa13f4129b25568ac0c43b8590f0d648b363a4b36cf

SHA512
e23482925c9fc3f9e5ac7bd81303dc070589fac084e666da148e34df1d755b49878c9eca9d11c535693bd76800b55cbb440b703d38d831871e8dfef75f8682bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
1bc615e2166290bae1807b625a425bfa

SHA1
9fe2f0c83cc5ed3e9afe011d694ad2b03b74b291

SHA256
7364a1ee60d96565f350bfcca20a917e897a85873c127a9095e7fcd31e97e41f

SHA512
4572dfe2ff841c8b9d2a4f0aa409c610d0825d33f18cc1d217ec379af4dc238aa07e22df5f689b31efdec7bdb482c54b6bfcbc7b80fa6d4deaa20701163fe793

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f4aac7245d32fb9f8d5c488975a58343

SHA1
52b4b083b5332d83c743eae846e91510464e08bc

SHA256
abe1c4c23afc81678deeea32a25aa12478bbe78ecfee0cde6fd91e1cc00681d4

SHA512
dcca79ac6e5279248e0daea00428a0b95ae4ca0d9ffcd703eda832b05a3c6933062438012cc098f3f4533efb94bed1b4625a8aaec186fd3abd20aee5d88295f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
08f825472a9a7726863b192672918ba4

SHA1
9c778929fddacd2ca90a3d9618a41d7468a62bad

SHA256
1705b33eb627a5f4ed0238480ecd098407dbb9e9b966bff5f94661eacc787e86

SHA512
ccd52d1c5b09cbdfc6864761041b4c34d368e46f3d0178c248248779002eb74219fd64df69f42fbd73f44d2a01c846cd9fbceb079f0a15729cd3e3c6975988d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
6c0ae8b5fdc936a110d75a9f81c01277

SHA1
850f2300db1743d6d5fb97f5734d305557137b28

SHA256
6d789116b8aaa1ee4d6f3bc45c9723ea30f653e211a0fc19d81afe5f6c945162

SHA512
a6217f82db22ecdede37b4835955ce209ea0a03c3619c9e22ac26df8c06a65b7abb06178bf0acd69bdc5cf14d6cd6201dc163ebd9d4f34fa79e219e9a6ff87a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
325cf6a2dd02a803557eb2427f16769f

SHA1
293d73b3b374ca76b1c65d486e708880502086f3

SHA256
710f22e83714723b619c1cbaa0ec35bce47fa4a89bb84dfd1e90ffb7093ecbda

SHA512
86cc43f8218401f8e64b14fa8d62a6389423e56a7e48c074dc704f892569e64da4631cc52778771f6a095bc6ca0d92edc32681347da6fdc9189feb1522e2d900

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
42cfcb09a815974690c50cfc128781e9

SHA1
7275717a20eb7ff4cb7a227f987e8b5da6f3b6e3

SHA256
21f1835fb05b0c53103444260ae4155a228ac7bdcb1c51d38095723d0f989be9

SHA512
7c56c759867ff1bfb84bcfa79aef8bee66c4f546a923e61cc1dbd5ec7ea18bc538aa751f11417116a7f8abb6d6b261d2622a89f8aac05a21836baaecf3bc3783

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1593ccd7377c31270106c15bbcff3666

SHA1
2a03bb71d6686eade28f34aed047902335d1f4f6

SHA256
7ce368d1793a74bb0c43dafe4ce26855c347e8d08df477c1b7c715f1035fa594

SHA512
1820764385e892328fd06011ed2ae7a8737163fff08aaebf923288b88f6b865316200d3f65ec309ac752f914787b688631617872d346d1432f96f9cd3a590146

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
023be6b46983d70f246025e229951532

SHA1
d38564deb038bb9f6c4c285db897f6a0cfb59803

SHA256
d6d9924ee46e18c2c5802e66dd55334a130c14c64287d273eae190aa2faa5a22

SHA512
03908a21e3d9f171ac9947c7bc23f3cfc36c47dcd8aa00f4bd65b136ff08f8e8be115d66dce88c4fe462fb8c7cc1b62db9996f20a4e5283189d98a11583b0ac3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
4d1f20d2ccd59860f8f65b60766ae87f

SHA1
8a66f8787531133c09eb974a8d6d312711733b29

SHA256
038a3a1316dfb795aa275d65ab5bbbd39d0982e26a3371edea580c9d615ad97f

SHA512
08795e50765bd435f9891eb8e82321636fa8fc55d24ad02404b70c1307db8be59f5b63bd1580d1e9f56869ad1a1f399de6d2282d8e9c0dc1b75a534e1bf0af24

Download Submit