hxxps://github[.]com/Endermanch

max time kernel
83s
max time network
88s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
03/10/2024, 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
16	camo.githubusercontent.com
22	raw.githubusercontent.com
40	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	[email protected]

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133724634087963437"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
2540	[email protected]
1604	[email protected]
2540	[email protected]
1604	[email protected]
752	[email protected]
4944	[email protected]
752	[email protected]
4944	[email protected]
2468	[email protected]
2468	[email protected]
1604	[email protected]
1604	[email protected]
2540	[email protected]
2540	[email protected]
4944	[email protected]
4944	[email protected]
752	[email protected]
752	[email protected]
2468	[email protected]
2468	[email protected]
752	[email protected]
752	[email protected]
4944	[email protected]
4944	[email protected]
2540	[email protected]
2540	[email protected]
1604	[email protected]
1604	[email protected]
2468	[email protected]
2468	[email protected]
1604	[email protected]
1604	[email protected]
2540	[email protected]
2540	[email protected]
752	[email protected]
752	[email protected]
4944	[email protected]
4944	[email protected]
2468	[email protected]
2468	[email protected]
752	[email protected]
752	[email protected]
4944	[email protected]
4944	[email protected]
2540	[email protected]
2540	[email protected]
1604	[email protected]
1604	[email protected]
1604	[email protected]
1604	[email protected]
2540	[email protected]
4944	[email protected]
2540	[email protected]
4944	[email protected]
752	[email protected]
2468	[email protected]
752	[email protected]
2468	[email protected]
752	[email protected]
4944	[email protected]

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4728	chrome.exe
4728	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe

Suspicious use of FindShellTrayWindow 61 IoCs

pid	Process
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe

Suspicious use of SendNotifyMessage 51 IoCs

pid	Process
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe
3540	taskmgr.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
4652	[email protected]
1604	[email protected]
2540	[email protected]
2468	[email protected]
4944	[email protected]
752	[email protected]
3828	[email protected]
752	[email protected]
4944	[email protected]
2540	[email protected]
1604	[email protected]
2540	[email protected]
4944	[email protected]
752	[email protected]
1604	[email protected]
752	[email protected]
2540	[email protected]
4944	[email protected]
1604	[email protected]
4944	[email protected]
752	[email protected]
1604	[email protected]
2540	[email protected]
1604	[email protected]
752	[email protected]
2540	[email protected]
4944	[email protected]
752	[email protected]
1604	[email protected]
2540	[email protected]
4944	[email protected]
1604	[email protected]
4944	[email protected]
2540	[email protected]
752	[email protected]
1604	[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 4568	4728	chrome.exe	71
PID 4728 wrote to memory of 4568	4728	chrome.exe	71
PID 4728 wrote to memory of 3292	4728	chrome.exe	73
PID 4728 wrote to memory of 3292	4728	chrome.exe	73
PID 4728 wrote to memory of 3292	4728	chrome.exe	73
PID 4728 wrote to memory of 3292	4728	chrome.exe	73
PID 4728 wrote to memory of 3292	4728	chrome.exe	73
PID 4728 wrote to memory of 3292	4728	chrome.exe	73
PID 4728 wrote to memory of 3292	4728	chrome.exe	73
PID 4728 wrote to memory of 3292	4728	chrome.exe	73
PID 4728 wrote to memory of 3292	4728	chrome.exe	73
PID 4728 wrote to memory of 3292	4728	chrome.exe	73
PID 4728 wrote to memory of 3292	4728	chrome.exe	73
PID 4728 wrote to memory of 3292	4728	chrome.exe	73
PID 4728 wrote to memory of 3292	4728	chrome.exe	73
PID 4728 wrote to memory of 3292	4728	chrome.exe	73
PID 4728 wrote to memory of 3292	4728	chrome.exe	73
PID 4728 wrote to memory of 3292	4728	chrome.exe	73
PID 4728 wrote to memory of 3292	4728	chrome.exe	73
PID 4728 wrote to memory of 3292	4728	chrome.exe	73
PID 4728 wrote to memory of 3292	4728	chrome.exe	73
PID 4728 wrote to memory of 3292	4728	chrome.exe	73
PID 4728 wrote to memory of 3292	4728	chrome.exe	73
PID 4728 wrote to memory of 3292	4728	chrome.exe	73
PID 4728 wrote to memory of 3292	4728	chrome.exe	73
PID 4728 wrote to memory of 3292	4728	chrome.exe	73
PID 4728 wrote to memory of 3292	4728	chrome.exe	73
PID 4728 wrote to memory of 3292	4728	chrome.exe	73
PID 4728 wrote to memory of 3292	4728	chrome.exe	73
PID 4728 wrote to memory of 3292	4728	chrome.exe	73
PID 4728 wrote to memory of 3292	4728	chrome.exe	73
PID 4728 wrote to memory of 3292	4728	chrome.exe	73
PID 4728 wrote to memory of 3292	4728	chrome.exe	73
PID 4728 wrote to memory of 3292	4728	chrome.exe	73
PID 4728 wrote to memory of 3292	4728	chrome.exe	73
PID 4728 wrote to memory of 3292	4728	chrome.exe	73
PID 4728 wrote to memory of 3292	4728	chrome.exe	73
PID 4728 wrote to memory of 3292	4728	chrome.exe	73
PID 4728 wrote to memory of 3292	4728	chrome.exe	73
PID 4728 wrote to memory of 3292	4728	chrome.exe	73
PID 4728 wrote to memory of 1612	4728	chrome.exe	74
PID 4728 wrote to memory of 1612	4728	chrome.exe	74
PID 4728 wrote to memory of 2324	4728	chrome.exe	75
PID 4728 wrote to memory of 2324	4728	chrome.exe	75
PID 4728 wrote to memory of 2324	4728	chrome.exe	75
PID 4728 wrote to memory of 2324	4728	chrome.exe	75
PID 4728 wrote to memory of 2324	4728	chrome.exe	75
PID 4728 wrote to memory of 2324	4728	chrome.exe	75
PID 4728 wrote to memory of 2324	4728	chrome.exe	75
PID 4728 wrote to memory of 2324	4728	chrome.exe	75
PID 4728 wrote to memory of 2324	4728	chrome.exe	75
PID 4728 wrote to memory of 2324	4728	chrome.exe	75
PID 4728 wrote to memory of 2324	4728	chrome.exe	75
PID 4728 wrote to memory of 2324	4728	chrome.exe	75
PID 4728 wrote to memory of 2324	4728	chrome.exe	75
PID 4728 wrote to memory of 2324	4728	chrome.exe	75
PID 4728 wrote to memory of 2324	4728	chrome.exe	75
PID 4728 wrote to memory of 2324	4728	chrome.exe	75
PID 4728 wrote to memory of 2324	4728	chrome.exe	75
PID 4728 wrote to memory of 2324	4728	chrome.exe	75
PID 4728 wrote to memory of 2324	4728	chrome.exe	75
PID 4728 wrote to memory of 2324	4728	chrome.exe	75
PID 4728 wrote to memory of 2324	4728	chrome.exe	75
PID 4728 wrote to memory of 2324	4728	chrome.exe	75

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Endermanch
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffcb8cb9758,0x7ffcb8cb9768,0x7ffcb8cb9778
  2⤵
  PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1536 --field-trial-handle=1820,i,3175198542304361236,7308097789957742025,131072 /prefetch:2
  2⤵
  PID:3292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1844 --field-trial-handle=1820,i,3175198542304361236,7308097789957742025,131072 /prefetch:8
  2⤵
  PID:1612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2108 --field-trial-handle=1820,i,3175198542304361236,7308097789957742025,131072 /prefetch:8
  2⤵
  PID:2324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1820,i,3175198542304361236,7308097789957742025,131072 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1820,i,3175198542304361236,7308097789957742025,131072 /prefetch:1
  2⤵
  PID:3584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 --field-trial-handle=1820,i,3175198542304361236,7308097789957742025,131072 /prefetch:8
  2⤵
  PID:3260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 --field-trial-handle=1820,i,3175198542304361236,7308097789957742025,131072 /prefetch:8
  2⤵
  PID:2656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 --field-trial-handle=1820,i,3175198542304361236,7308097789957742025,131072 /prefetch:8
  2⤵
  PID:664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 --field-trial-handle=1820,i,3175198542304361236,7308097789957742025,131072 /prefetch:8
  2⤵
  PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 --field-trial-handle=1820,i,3175198542304361236,7308097789957742025,131072 /prefetch:8
  2⤵
  PID:2316

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1772

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:404

C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4652
- C:\Users\Admin\Desktop\[email protected]
  "C:\Users\Admin\Desktop\[email protected]" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1604
- C:\Users\Admin\Desktop\[email protected]
  "C:\Users\Admin\Desktop\[email protected]" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2540
- C:\Users\Admin\Desktop\[email protected]
  "C:\Users\Admin\Desktop\[email protected]" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2468
- C:\Users\Admin\Desktop\[email protected]
  "C:\Users\Admin\Desktop\[email protected]" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4944
- C:\Users\Admin\Desktop\[email protected]
  "C:\Users\Admin\Desktop\[email protected]" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:752
- C:\Users\Admin\Desktop\[email protected]
  "C:\Users\Admin\Desktop\[email protected]" /main
  2⤵
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3828
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1864

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
e1ba3592fcfa34a7f1acb17dd62d767f

SHA1
594c3934167b2493c1f6feb6a45cb4e599645b10

SHA256
70c90983554d787e269bb7a53ca0ee9e000ab34a00c99ba81160eda584f5a602

SHA512
c493e9b6bff6aa70d0b645b41e7050864d4271e5cc4d823bc4e73c5e4d1b9e33a1dc0ae41ea0b08bdf798fe8b5c22f40e0e29dbd186a051993d0a3ed4b497f85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
431d2f9d545762db0061cb5e74f96826

SHA1
1c134b228d30a2303adb37dd39dbff0988ad83e2

SHA256
25c55323def2d4d8bd10e53e74fa3524d54e9ed0809966e03bc7568099c0e622

SHA512
3da3a7d956a77780a1378d038bf218751f9d9d56fde7a0ecad3560f3f58cd6d53596618d108bd58a0f4c85854db7ef60fcd4e68786759a6bfa7bafc31d97cea2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
873B

MD5
c085066676d599e89459f6a32440e011

SHA1
17383bf0535bc4ef7db298a3caf101b195a3ef87

SHA256
fafe8858c63f3e53738398c166a60e69a5d7bce6e57c57736905d1b67c45a849

SHA512
a14901a8842a9b3071ed624ed24580f1965c7aa84dc098624522dc9f264be36c17c01a0e1dbe3933b8ba7f11d71adc83ca96e591921c2aebeec13fc1de09591a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5a1d03c0f89a5b086b612ee0c343b28b

SHA1
ed276292e3833d33cdb6422deaaef5f2a83f304e

SHA256
6bfe5f023839c0b14f8ff9390f22f9c472c33b8399bb57d30fbc932ff3ea713b

SHA512
66f25409e13a3dc44856d3f80ee8bf7598e4668194fb0b96e53ba45579204f000e41a5c70d410e97407361f7097d720cf8c86a5e2e2d583385b06a393c03a27a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4474b5886229fa8bf9e6dbda2503de1f

SHA1
68265a299a9d75610a974cdda3a4bdc5ff4464e1

SHA256
cb457ffe783268132c2fb214a1cdd0d0f314298dc1bf9d38b7847d82b96a0322

SHA512
cc3464d01111135e6f92e10ff3be1d9cafb0494fdea992700788dc1d47c2b7f49a73f01b76283ae6bc0c8c731c50c083d5b1f17668724eabf05de36b68ada355

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0caabefb9218a19a9a95cd013162f8b2

SHA1
b4e8307d70523ac1d10e9a89538d6c01d54b8870

SHA256
b2b7dd4a9a3e7716d014818f7a9ec6a4c0169dedf8059f2af580bbf5bc3ac6da

SHA512
c67c7f8f565a05ef1d0ed89cdb91d514943bf38eccdff2926e6afec122a6349902bdbbddfa80c7721d5e999d0d103586595515ab47de530586cc25c323389d32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
bcce2f4b65ddc56f44a8f680dafbf800

SHA1
bd82a704287946c3f6ae4e5f539b23e863e065b2

SHA256
e45a69fb1d3e1352926e66081ef8ccfd6127694ec098b11dbf469c14407fe92e

SHA512
7cafc955f561b65e7d619367367d598868a202da67824be37c22893006c1f3a16b4bf6adaf86bcf2e0740f5b0ed0a4922e5119a326937d38c91697314128dfa4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\c0fefe5e-a5c8-48d7-aefb-438d100f54e9.tmp

Filesize
1KB

MD5
d77f283351c258263634bd8c7102f0d8

SHA1
2f9b9e6be11fa3aba20b9656020a330c1ac03fe4

SHA256
91117b06ca09fbd081a9a5cad46179ab362217055b12538ad3ecd2c21ac1aecd

SHA512
190c4c1bfe907007d92af55175fca6520bc5b5e2cd9bd00b5f9dd8b40ba1874ec9daf47e10215fc0061187861fb4610a5493c12db0f92453a7b6e042ea247321

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
716f3b3d8339dce0c3314eac85ebc097

SHA1
2505371ea77d92d5b643d34b275ec4982aade296

SHA256
02c4cfabdcfb09f1bfae2c9e9e1932708723ab8a782bee8e23ba27eade3d8a4d

SHA512
b3d525f04b32b50fa7a6d643157f4a2c775c4c7cc6b88ef5eed56496a3238de031d822a7af5bb8e8818101531c9601dba46052ae6bc1194602b59b4bcb4de6eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
abe35e663dd685b8704e11e83697e718

SHA1
eee10330e71dade74f59ba60d4e7429f5cf39c55

SHA256
fd5db5c93e3a25d7a96780e825f60c16c1ce6faafadd5ca421bf7b19952bcc72

SHA512
978dbd3a8c3c260e34bf83d329ac3b954fd2a43b57593417dcb7726b07e35841618aabd51e5c99b277b754047d37c89a0cd8c9e2815fad73c40e4711f954334b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
94021b7688580ca05589cc31ef6b5366

SHA1
9b0ff6df6dd2cf1529abb64a9a74e0bd7e31a8f4

SHA256
4ce5623c8381cdaa499b4b22794df3db8abbf8cdb864971882042c98dd791973

SHA512
771096704c8e7fe19866d3bf1621c28bf5184c049d91717646c15cce1101aee64491d1d4feca395d06da968472f7e1a143c3606ffd6d60ade804fe9d602d9c35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
b8b8347a17fae826e91068715ca7dcda

SHA1
4ad2f7cb467fb9bbc0ba17e25135f19beb542d70

SHA256
6bedeff65d993f6b431d5d36a86268548b7ef33947997354197c21b9ef354c5d

SHA512
8c52b1780c9e6920cbf78fb9d638925b2a853cfba14158c074b668bd5035de68e981970d61a06b0be525fb42ae99f61f5f024cb3c3d5ad7670c461d835f94e2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
7a76057dcf2992550e121c4825d3dd94

SHA1
4cf0f72bfa841ead4cd7a602a80dff28014e232d

SHA256
990598167d3cce298be3bae2095be1793d2cda652937651e0fba31b77fc09b9f

SHA512
cdd7eb5bf0a80a3a4cd9f183ceb99e53d8aca91304a9a7d4d279b9da190747db594035022d2b748e32be73c6a54c230520abb7fa45ecceb423b1aeadfc5acd5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
199KB

MD5
7e8e7f998a39ead36ef869d396924ef1

SHA1
85b953ffe657206033e7d9659360b51ca7275e34

SHA256
9e8f55e91316f68d4dd61d833d7b0089c5532044bae3f8179e004b7bab5f8ae2

SHA512
fc73bd16b82df85bfb1e7aa9f6b401933d148aa65b8bb6b08de0e305d967b60777c2b79b4748726621a7c36abdf878215787ee4bbfc639e52618b606eeb62a19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
0b4923d96e39e5fdc25a912e431e26fe

SHA1
941e625291ee06eb18c9b541dbbc7da20659bde1

SHA256
8ce64aad8880c90db4b2293d87ba378c7010131fb629f6d6474e4b8924925b4d

SHA512
e329dc76a665f453df2f41e98159ef3ffadf06497e1c07c0eaaa0b5ad7a4e7faca10d688271ca56db16bd10ad40fe4966aff1fe64d39b1983806b1158fafa78c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
94419cf70763fe3a2560712a7c41eeb0

SHA1
5e66e267fbf1655d0137a9819e671056b30a2c36

SHA256
065ee064ecb56391274ef0761eb87dddea96cb647d2928f18cdcc69cec0dd4e2

SHA512
3b637478455ce3a33ff51a11c222a68b4297a0f043d416459989710ecbea8113d36137689f25d84c1e2ef621985e4194a735b5208fcd6650bbe95ffc77d54219

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
b4a9d6cce70ae644e46930087dd8fc02

SHA1
7401cb397380258d99d12f52feebab1e35471c6a

SHA256
c23d37be03499beccf94e800b5444fce3c8e8f596c3e859c68e698bbb84a5a2d

SHA512
5c22f3bb18349f4f4548683800e272af846850ee6aad3de7c624e8b94d4a35159059e503d1edabeb8157349a64e5b8a62855bf6df1e7b61e4ade8de5f02aba2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
109KB

MD5
cd7dc615fc02295d02fcd379bfb88f5d

SHA1
fa8f31b1df82911163bfe3e019290306653a4ebd

SHA256
61e746e9afb7be28dee7b6db9820030783b6d8fab9678731bdf3f678d6191a97

SHA512
9f13f55b3a7bfab660755348690711191ec02e084314d943de97c8ddecf4889afe04b0e45cdd5fa1a1599e77f7b4b75774ac93448f40f9cb0a0f8c9679a2c8c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58990f.TMP

Filesize
98KB

MD5
9cb5ec1f8d3d16b834dc51b03d099b6a

SHA1
e131aac6d7728768ad0490f6ce6937fdc6ffaf20

SHA256
db3689daf19e3e4ca3a538babd3df1b2023858643dd425c846cd15ebb0c5e9d4

SHA512
90650cf6975ee0f3945d97ed7bf8d132be455d107781f4cf0b1a6dbdc163fe8eaa65d31b57bf9f2422bb188055e44bb67daacdc5c4a6c37fb811aad42a6765eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\MEMZ.zip

Filesize
8KB

MD5
69977a5d1c648976d47b69ea3aa8fcaa

SHA1
4630cc15000c0d3149350b9ecda6cfc8f402938a

SHA256
61ca4d8dd992c763b47bebb9b5facb68a59ff0a594c2ff215aa4143b593ae9dc

SHA512
ba0671c72cd4209fabe0ee241b71e95bd9d8e78d77a893c94f87de5735fd10ea8b389cf4c48462910042c312ddff2f527999cd2f845d0c19a8673dbceda369fd

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit