hxxps://finalstepgo[.]com/uploads/il22[.]txt

Analysis

max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://finalstepgo.com/uploads/il22.txt

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133722170541166899"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3436	chrome.exe
3436	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3436	chrome.exe
3436	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3436 wrote to memory of 1528	3436	chrome.exe	82
PID 3436 wrote to memory of 1528	3436	chrome.exe	82
PID 3436 wrote to memory of 916	3436	chrome.exe	83
PID 3436 wrote to memory of 916	3436	chrome.exe	83
PID 3436 wrote to memory of 916	3436	chrome.exe	83
PID 3436 wrote to memory of 916	3436	chrome.exe	83
PID 3436 wrote to memory of 916	3436	chrome.exe	83
PID 3436 wrote to memory of 916	3436	chrome.exe	83
PID 3436 wrote to memory of 916	3436	chrome.exe	83
PID 3436 wrote to memory of 916	3436	chrome.exe	83
PID 3436 wrote to memory of 916	3436	chrome.exe	83
PID 3436 wrote to memory of 916	3436	chrome.exe	83
PID 3436 wrote to memory of 916	3436	chrome.exe	83
PID 3436 wrote to memory of 916	3436	chrome.exe	83
PID 3436 wrote to memory of 916	3436	chrome.exe	83
PID 3436 wrote to memory of 916	3436	chrome.exe	83
PID 3436 wrote to memory of 916	3436	chrome.exe	83
PID 3436 wrote to memory of 916	3436	chrome.exe	83
PID 3436 wrote to memory of 916	3436	chrome.exe	83
PID 3436 wrote to memory of 916	3436	chrome.exe	83
PID 3436 wrote to memory of 916	3436	chrome.exe	83
PID 3436 wrote to memory of 916	3436	chrome.exe	83
PID 3436 wrote to memory of 916	3436	chrome.exe	83
PID 3436 wrote to memory of 916	3436	chrome.exe	83
PID 3436 wrote to memory of 916	3436	chrome.exe	83
PID 3436 wrote to memory of 916	3436	chrome.exe	83
PID 3436 wrote to memory of 916	3436	chrome.exe	83
PID 3436 wrote to memory of 916	3436	chrome.exe	83
PID 3436 wrote to memory of 916	3436	chrome.exe	83
PID 3436 wrote to memory of 916	3436	chrome.exe	83
PID 3436 wrote to memory of 916	3436	chrome.exe	83
PID 3436 wrote to memory of 916	3436	chrome.exe	83
PID 3436 wrote to memory of 2732	3436	chrome.exe	84
PID 3436 wrote to memory of 2732	3436	chrome.exe	84
PID 3436 wrote to memory of 4796	3436	chrome.exe	85
PID 3436 wrote to memory of 4796	3436	chrome.exe	85
PID 3436 wrote to memory of 4796	3436	chrome.exe	85
PID 3436 wrote to memory of 4796	3436	chrome.exe	85
PID 3436 wrote to memory of 4796	3436	chrome.exe	85
PID 3436 wrote to memory of 4796	3436	chrome.exe	85
PID 3436 wrote to memory of 4796	3436	chrome.exe	85
PID 3436 wrote to memory of 4796	3436	chrome.exe	85
PID 3436 wrote to memory of 4796	3436	chrome.exe	85
PID 3436 wrote to memory of 4796	3436	chrome.exe	85
PID 3436 wrote to memory of 4796	3436	chrome.exe	85
PID 3436 wrote to memory of 4796	3436	chrome.exe	85
PID 3436 wrote to memory of 4796	3436	chrome.exe	85
PID 3436 wrote to memory of 4796	3436	chrome.exe	85
PID 3436 wrote to memory of 4796	3436	chrome.exe	85
PID 3436 wrote to memory of 4796	3436	chrome.exe	85
PID 3436 wrote to memory of 4796	3436	chrome.exe	85
PID 3436 wrote to memory of 4796	3436	chrome.exe	85
PID 3436 wrote to memory of 4796	3436	chrome.exe	85
PID 3436 wrote to memory of 4796	3436	chrome.exe	85
PID 3436 wrote to memory of 4796	3436	chrome.exe	85
PID 3436 wrote to memory of 4796	3436	chrome.exe	85
PID 3436 wrote to memory of 4796	3436	chrome.exe	85
PID 3436 wrote to memory of 4796	3436	chrome.exe	85
PID 3436 wrote to memory of 4796	3436	chrome.exe	85
PID 3436 wrote to memory of 4796	3436	chrome.exe	85
PID 3436 wrote to memory of 4796	3436	chrome.exe	85
PID 3436 wrote to memory of 4796	3436	chrome.exe	85
PID 3436 wrote to memory of 4796	3436	chrome.exe	85
PID 3436 wrote to memory of 4796	3436	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://finalstepgo.com/uploads/il22.txt
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc28c2cc40,0x7ffc28c2cc4c,0x7ffc28c2cc58
  2⤵
  PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1712,i,6666514124230443278,10720167951386754573,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1696 /prefetch:2
  2⤵
  PID:916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1988,i,6666514124230443278,10720167951386754573,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2104 /prefetch:3
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,6666514124230443278,10720167951386754573,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2564 /prefetch:8
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,6666514124230443278,10720167951386754573,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,6666514124230443278,10720167951386754573,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4340,i,6666514124230443278,10720167951386754573,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4640 /prefetch:8
  2⤵
  PID:5104

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
a01c0d1dfc0e6f7d52c611901d47f133

SHA1
196934ed22f92e09e8690395015f2f55780898a7

SHA256
1a353f5aab91cc1af2d2a77885096cc82e2cec58c454b798d33532a94788a0f5

SHA512
ca349554cdfb40ea64e965ead64aec824372c3c9a7815c14877f68072f27d25c41ba2a090dd4acfd9eec32acdbf3b33b2fd8e99278b6b4a137c70ea2bf9339f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
8994504e6932b57c207da73ce777e575

SHA1
d27c13c14ff19799d0fc9e44b9a9748e6615bb1c

SHA256
a24b7835c451ae837137f55ebfca65d83939ffd021d0dc249d594f90413a5f3b

SHA512
ebe18de729cbeba2556004022fd480630f46bb4c36c4d09bf255ea0d1838b9b57ab890becf27dc35d302a0649e3eeb13630648143669fbf61e39b697a31da57a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
df10aaad3d9635fbbcb4374094693a16

SHA1
8f92cec3850bf2a4d2cfc94cec6ee709014fe842

SHA256
872ea7eabef9e768ef17523e43d0923abc34a49d20296c0de4ee2673c82710d0

SHA512
6f308ccf5967c786b748d6d1a39bab56b57cb0fd247dc22031414f499042e57c1a47b2979fdc3f27158f39369014402c82bfc31447d0136f5d1d057a686c2887

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4f89094a2857834702bd72d562fb10dc

SHA1
d12544c1c20a3c6c717adc51eb116560ae99572d

SHA256
d93fd7e26aabe1bfe8ae8ad1a9d37064a41f1562f81447aeb7e194261f2d1903

SHA512
30c463172c9a91de19014ead7cb33757743b2457da5e94b79ad132888771860dc146c3a6ec337bae9e4929c3cbb5604fca6a17f1e9d5261e534dddaaa79dd4b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5e7704ec86aa30d001dda4197b6a92f4

SHA1
70439c70d8f69eec36152345c496a952d280c908

SHA256
10c76e88eb3232cc2abbcda3555bc6aac5bf7d40d4417f1965beb880d4fd12fa

SHA512
5bbcdae4cea377e13af9216fead5097fa4bc70413688d4af9ebdd086540513cb10d7374a8c63fccf616149744e70e80fb8cc1635559feff104e9dad79399abe6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
091d33f9facb318629bcd9b314fe248b

SHA1
1d2b1245f28f088e164739725fda851c450089c9

SHA256
d6d009e9ae424964aac09c82b7e16b482891e5b767ae478ca00a3111fd46a3fe

SHA512
340d0cc6c1fcf101118a3d0ffa7e68dbea2143678af70e128d658d073b564769a95a9ec1c8103abdfcae2ea6b0d0228da52b56888e78039a780c34f8582c0cd6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d97e6f9dff622914bf665809f0fdf14d

SHA1
06eff4999edcac26de80b6c1785a91642020e939

SHA256
f5879e0b289259f58aacd0876573aef23ffc3a5d701e541ebc12d71f47eafd41

SHA512
9a4a8804ad01d3995b9bae7138276f2080671a42e8258fc02d1697da4ec8e6841e90847a8429e54deeae3113c14df2157b7b9f6616eb29184ab5ab5ab94db529

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b262f11966b451dd57534ec9904680c0

SHA1
e5c80b323e488290b2f4786b9e3ec5bb93901f55

SHA256
38175849ad29db6fa028934449e83dc230bfb987baa4e4dd5cabdf771e754406

SHA512
a1a653bb3a443265c151e0505b3ecc9f8c36505d63a449ee49a8f97488fa2f94dd15b501d41ea6c0f5fbb6c5165fc91f9d2f644217625ed14a1d64355190be56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
080d26d909e9242c97714af6f49dcaa3

SHA1
eed4d7e2780a266291a812a5a1c89ee052a49a74

SHA256
c3648e1e383be88c39d411baf8e5fbba7ccf5be4dac3286892ebb19444b18cf1

SHA512
c0cdf35ed7697a3e5cb1eeb6d9f0bfc9cf36e55782c912f0843b3d1c2ea1460ebe8efbce9b02b3f751a8c28eb03571d43d48358083c4a49095f6ab5bad68681a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
b369583a64e196fba7c43647754e0833

SHA1
6688dea9c981713bf962113208df736839510f01

SHA256
b68077c7c4c1f034f10351f4a21e6e6fbaa8defba1f1a9203cb3e00a2d320eac

SHA512
ab65b898a558d2909d8a28b7bee8d221d8f94211d51bcae96cd4aa0915d9df9f9ba6700da90843855a0feeb10a3e94777e38c2db30dc6452d440a408e1e4b693

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
61f58a5cf3c0c22bb2c82ea63dedc83b

SHA1
3fa62f4af8276ae11a14c5f6bef60e9ff9be3b9e

SHA256
7ad6a15a77128e4e90ddb8a5e093daf24a4560806ca5ccec2f070144641f8a33

SHA512
ffd6df524ff490f30ceb562112ffb0d830165d7c7be7cd237015fe58fbe066c47343821b9407d35173c5580a91f6f67945798320ff11f492611a8a4efd04c57e

Download Submit