hxxps://github[.]com/mategol/PySilon-malware[.]git

Analysis

max time kernel
58s
max time network
55s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2024, 11:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/mategol/PySilon-malware.git

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
29	camo.githubusercontent.com
120	camo.githubusercontent.com
121	camo.githubusercontent.com
122	camo.githubusercontent.com
123	camo.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133724276886879166"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4480	msedge.exe
4480	msedge.exe
2492	msedge.exe
2492	msedge.exe
3160	identity_helper.exe
3160	identity_helper.exe
1088	msedge.exe
1088	msedge.exe
1676	chrome.exe
1676	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2420	2492	msedge.exe	82
PID 2492 wrote to memory of 2420	2492	msedge.exe	82
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 1216	2492	msedge.exe	83
PID 2492 wrote to memory of 4480	2492	msedge.exe	84
PID 2492 wrote to memory of 4480	2492	msedge.exe	84
PID 2492 wrote to memory of 4000	2492	msedge.exe	85
PID 2492 wrote to memory of 4000	2492	msedge.exe	85
PID 2492 wrote to memory of 4000	2492	msedge.exe	85
PID 2492 wrote to memory of 4000	2492	msedge.exe	85
PID 2492 wrote to memory of 4000	2492	msedge.exe	85
PID 2492 wrote to memory of 4000	2492	msedge.exe	85
PID 2492 wrote to memory of 4000	2492	msedge.exe	85
PID 2492 wrote to memory of 4000	2492	msedge.exe	85
PID 2492 wrote to memory of 4000	2492	msedge.exe	85
PID 2492 wrote to memory of 4000	2492	msedge.exe	85
PID 2492 wrote to memory of 4000	2492	msedge.exe	85
PID 2492 wrote to memory of 4000	2492	msedge.exe	85
PID 2492 wrote to memory of 4000	2492	msedge.exe	85
PID 2492 wrote to memory of 4000	2492	msedge.exe	85
PID 2492 wrote to memory of 4000	2492	msedge.exe	85
PID 2492 wrote to memory of 4000	2492	msedge.exe	85
PID 2492 wrote to memory of 4000	2492	msedge.exe	85
PID 2492 wrote to memory of 4000	2492	msedge.exe	85
PID 2492 wrote to memory of 4000	2492	msedge.exe	85
PID 2492 wrote to memory of 4000	2492	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/mategol/PySilon-malware.git
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff85f8b46f8,0x7ff85f8b4708,0x7ff85f8b4718
  2⤵
  PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,10233255670097591338,4634721750995381504,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2
  2⤵
  PID:1216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,10233255670097591338,4634721750995381504,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2492 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,10233255670097591338,4634721750995381504,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10233255670097591338,4634721750995381504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10233255670097591338,4634721750995381504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:1944
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,10233255670097591338,4634721750995381504,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,10233255670097591338,4634721750995381504,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2032,10233255670097591338,4634721750995381504,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  PID:852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10233255670097591338,4634721750995381504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2032,10233255670097591338,4634721750995381504,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10233255670097591338,4634721750995381504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1764 /prefetch:1
  2⤵
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10233255670097591338,4634721750995381504,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10233255670097591338,4634721750995381504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3672 /prefetch:1
  2⤵
  PID:5316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10233255670097591338,4634721750995381504,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:5340

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4184

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2436

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff84ce3cc40,0x7ff84ce3cc4c,0x7ff84ce3cc58
  2⤵
  PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,15802230507900248595,4143077227718287997,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:1008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2152,i,15802230507900248595,4143077227718287997,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2344 /prefetch:3
  2⤵
  PID:2248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2196,i,15802230507900248595,4143077227718287997,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2596 /prefetch:8
  2⤵
  PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,15802230507900248595,4143077227718287997,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:5180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3220,i,15802230507900248595,4143077227718287997,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:5188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4548,i,15802230507900248595,4143077227718287997,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4520 /prefetch:1
  2⤵
  PID:5396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4744,i,15802230507900248595,4143077227718287997,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4700 /prefetch:8
  2⤵
  PID:5452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3872,i,15802230507900248595,4143077227718287997,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4720 /prefetch:8
  2⤵
  PID:5492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4988,i,15802230507900248595,4143077227718287997,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4996 /prefetch:8
  2⤵
  PID:5520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4712,i,15802230507900248595,4143077227718287997,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5144 /prefetch:8
  2⤵
  PID:5584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4964,i,15802230507900248595,4143077227718287997,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  PID:5912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4920,i,15802230507900248595,4143077227718287997,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  PID:5968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4404,i,15802230507900248595,4143077227718287997,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5204 /prefetch:1
  2⤵
  PID:5856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4060,i,15802230507900248595,4143077227718287997,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4540 /prefetch:8
  2⤵
  PID:5384

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:6004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b6f538bf17ad03c0c63f7696aa7ceb46

SHA1
eb3c1d416308033cc112a048c5e5972680e94040

SHA256
258291fafd33034582bdb1a4985cf66e6f20aa9d6fe58e1517b7ac95cf80b767

SHA512
cabe1aeb226f22217f7faa970678219bd067645119eaa675adaf5f4ea8902d620ea12d036383be1bcc280e40b736750a0ed6d997663901228745a97fcf963dbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d0b82aa280a5a5314378f05748a288c0

SHA1
bdb1280d6d69615e555b905b16658b31574b7bab

SHA256
968b6a90cc652676a9aa2588d202307cf02a61c85928501a7c7175a26bd53416

SHA512
63fc8ae7b6b805e99da275a5a3ed501a36e2413c6858e350f86cd463123fd3600dec864530310fdd909409d42d6f92b8da7449dd58a2a804357cfefc0526671d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a0ab5c28da5adbd558f2803d2828c01e

SHA1
3d70671b866bcae4975a247acd387d25a1d85e01

SHA256
f6d0da80708403f0e3507eef3e8775b815403f40bfaaba1a434e32a322b70510

SHA512
a37ec8f8c45f4792a51cd788790c9b010d5ce2f0891972e46fa5a1aa7c2017fe4c128971e601b10c66c644b1523b708d14906670747ce9f9a8d7d06496958d74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
a988545bcb7452d306ad334a90e92597

SHA1
2812b9e6d1b1a0b76f89654982ecc37e1663a97f

SHA256
7b1f67b704d950c99423238c51856a0036dd0782dad78cbdcaf202576b6801db

SHA512
c0debd6d5fac99054facd72b9cccd4fe1323ca70fad3bd82ec9b39d86a9d15fb5b4e24cd1aea13fdbb2fb083a7f8560e8b75009d1232a639beae8db5cb64875b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8d7abe0617a3983be5ee64e21eeeacb3

SHA1
5853cbb05518db229c156cba57aad2210a6ab449

SHA256
6ec5c7eefa8a9c7a12b4e7d2b1957859a425d984af0603230e4a7797fe18daf0

SHA512
9a95fa5baa0c9d36197d0bf68b20fad9953806bc307cac8cdf866111bf7fd1f12d35218c3eec4a315862140af2cf0fc3b7637326f3acce114770e37562f31e40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
57d63c7072d157a786b567720900735f

SHA1
35b0c32b46a4fea4ae9f8ea77e7d476f279090b5

SHA256
06856330ce390dae31e4d510cca308520b1ccc1bec3c999778a61dec0bf00a87

SHA512
9839f263a8045c17341a9d040bc303610eff9c3575c967d0497ed2aaa4da75583b243b70d14da687225b858f8218f0a2a9e1ac1abcd54acd0034fcc184f748ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f2fda9af21f49832efb611b645f835d7

SHA1
319090dda2f12be6815fefb1bb1e8a6e89e3ab5b

SHA256
69a5b6b861676ae1ec5e3693b3d6ecbdcfaf17cecfd9d6db8d211b027b71ba3a

SHA512
74bc184c75491782090c1e30db0ac3c0a6dfab750c96b23dcead7ab94c30f058a91c91fe05f71f4c9c8c90bf703c9f1354d9fe4e3ea68c6eedbade997e1b8c64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
c9f9ffdfd11fa2e6e820fa8b9f6d5358

SHA1
a13205287775d0d83195248aa4be1e35ee78dc44

SHA256
c8f2add017d7c7859d34b0c51c2a183105efc9fc32c1dc3eff60829c9739b7f4

SHA512
954304ff066e48c2017a6637e3e74bf22cddd57343e1104535fe1db12ea67cad6d919f494c62881f99df558fa76efe19a49e6fe62d4ac6eeda83682333a5f1e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
c6a0200bf3d0831f60d1f9071a413a60

SHA1
5b8d57ca5b8ab8076835a79a6c3b506571464c33

SHA256
7b5af608e6af6878546192d2a871864cc0006c1932e221c7ed9d24a08027afbc

SHA512
7a07c0b0c377ed516bf2fca75b0091a5e8c4ec736f629a0e72aad600e62e9ffaab2c0d90866d5c66179f8b71b2ebe4b4d7bbaf43a9deb8094dcdba5e9c9d732c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
8bec4f02bf750ee846c7d1599b2c14e9

SHA1
280bd6ddf3c64091d24edbf448602384ee36ab6f

SHA256
11f8b2f177acfe61f182b1b386ef67696e7eb4b2d5f6e48e837b8e81447eafe1

SHA512
9ad943e8c005134d90167f289b996760c12d48a14666466b2b972066896edf998ec07a74564bd6cb173b7a0dcdb3f70b3fb9af24ac24215e06504c1703a47ee6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
2dd92af62331d887b8b4c27da76eb339

SHA1
c13ddcc47b74eab3e615c8fe09dbdcf8295a2c1a

SHA256
0951714b81fa0be4954d6e6f7ee9f4e0b360fe8f5c9f001200b9b07724ea0d68

SHA512
45b1fe2f80578f9b8c5939df85f0badb461f7c2c496105a4716d8c332a750457dfc74ed49d8fbda3952efea16a2c0eae9ade9e8c6dee7eabfa6a806ef3aa5a3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
412604f6f3e224ed828f2adcc5ba7c04

SHA1
a5cd522910e24697443d8b5ae11dea8dac8907f1

SHA256
3baaaefb4eebf40ae5dd2bfdef9d385848ec6b73bdaf0a0e6f455bc95f736284

SHA512
eba68793df0f16612dcdd17d7230efd5e063aefec7b7174f198e9acb2c0dde9dcdeeca1a91db713381032f4f39cbb828fa830d0d45ca4c1a1591a51c339b46d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
aa4e7a4d2efbe16675433b03ab06c51c

SHA1
6dee2b350afedc95234eaa4c82c7c76d1c738452

SHA256
654ad343383b826ceae2f9f5012e0784f9820c9ca0bb29626ee7106f0df74e8b

SHA512
774e91e35a53c1a0767794bf94e0722ce56ac4ce54df1bb6c987124c9cc93e7de24cb8796bd1ba55a4275f56af6a9f44dc1069b4c84f448bd259046306cf7e47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d5927f74d583ee3121046c287cb4266b

SHA1
2811e9f2395323650316f36526b126309434b5b4

SHA256
7962950d3c8b2ec898b0553366f3ba5436bd5b77a0ee47be6d1ac7992cfe8006

SHA512
b62739aab0da1e6224c25c8b51854baf0bc7397f691ba0f314b46db364a0081edd592e911fee97c2225b0a24f398427e11242e3f511298b66449da32780b02b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ef13.TMP

Filesize
1KB

MD5
044dbfe3ce83243adc8d808f8f0b5ea0

SHA1
23082c4610c7580685d0794b9cebefcc96e21ac9

SHA256
b1d6c959bd5e9970f1512fa3f7a1a7138ea08b5d4a8e40e2d1747041132176d5

SHA512
24e565046a9d33e763e1fe4c2c9f76c3b31a16112a6a5c4ae8fa78f0d0b67813f977fbc177cda3f84c2e36e495e5b50e0d627c4efa5a4c752792a5a321bf6bd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3918ccd47e43c6598dfdfaa755fced79

SHA1
485debcb742f758b9c0da7d4db1046529af97deb

SHA256
4d33c9ada78114fbc5df6eec08ea04ecfea8cf6c852610233ae033585496da4b

SHA512
677bc8105e45ea6217d24e5f850bc8747bc4816283c7e968bfe4144129f4ed9fe4bd8c74cfa260b252bda24f84b02cbfbb5b5ced4a0dcafc9883f969dad886f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
716b71b830e357adfdf60a81da46014b

SHA1
280176827e517f36784ed07f115e27eaf881d4b8

SHA256
0f5c8f869097203a2874668b2e5aa15d8c4f978edf0546d5bee4f6fd3ae6faff

SHA512
9cf77e3b00f5f6faa39c201cc986dd2b2d9113eb3dab0ce79ec3e61d231ceb306d594c3e724f54cb218e2c1f6dc59b8ee87c54ef27babd787fc4e61facbe8c40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
763d59783fdfb077cda82ef209bf4723

SHA1
48fd12f05b35918d1c432bed195d44d34019392e

SHA256
998f73dd0a81e0a533012aa14f152d56d7f16ec5b60d153be06fda0f435b8e4b

SHA512
f76f21d186c02223ab54275228d37dab5505f785d519274f0cf7ce7ab98c4318b3232e48689e8bdc7b7e9ca0dfd5cf9045b53e680a7c3aff3c72ab45692bb05e

Download Submit
C:\Users\Admin\Downloads\PySilon-malware-main.zip

Filesize
2.0MB

MD5
4dd99d359a4113d284bb4f8315a96e2a

SHA1
4cb3a11eac95e4716ec722dae0f02510255dfa14

SHA256
a9ccafa9381d1c3efb451eab4bdc476e113560d155587957dc78c7c86a8c8754

SHA512
468f2b55578ce2e4f39e06d4ae559f13f73dbd3ddecdf00c13e28a417275552b55f4050d0d41ca66074478ece36a9a2b6b4b117b59563556200025bd012b7d51

Download Submit