hxxp://schema[.]org/extensions

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 14:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://schema.org/extensions

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133765880873592536"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 2032	1520	chrome.exe	82
PID 1520 wrote to memory of 2032	1520	chrome.exe	82
PID 1520 wrote to memory of 784	1520	chrome.exe	83
PID 1520 wrote to memory of 784	1520	chrome.exe	83
PID 1520 wrote to memory of 784	1520	chrome.exe	83
PID 1520 wrote to memory of 784	1520	chrome.exe	83
PID 1520 wrote to memory of 784	1520	chrome.exe	83
PID 1520 wrote to memory of 784	1520	chrome.exe	83
PID 1520 wrote to memory of 784	1520	chrome.exe	83
PID 1520 wrote to memory of 784	1520	chrome.exe	83
PID 1520 wrote to memory of 784	1520	chrome.exe	83
PID 1520 wrote to memory of 784	1520	chrome.exe	83
PID 1520 wrote to memory of 784	1520	chrome.exe	83
PID 1520 wrote to memory of 784	1520	chrome.exe	83
PID 1520 wrote to memory of 784	1520	chrome.exe	83
PID 1520 wrote to memory of 784	1520	chrome.exe	83
PID 1520 wrote to memory of 784	1520	chrome.exe	83
PID 1520 wrote to memory of 784	1520	chrome.exe	83
PID 1520 wrote to memory of 784	1520	chrome.exe	83
PID 1520 wrote to memory of 784	1520	chrome.exe	83
PID 1520 wrote to memory of 784	1520	chrome.exe	83
PID 1520 wrote to memory of 784	1520	chrome.exe	83
PID 1520 wrote to memory of 784	1520	chrome.exe	83
PID 1520 wrote to memory of 784	1520	chrome.exe	83
PID 1520 wrote to memory of 784	1520	chrome.exe	83
PID 1520 wrote to memory of 784	1520	chrome.exe	83
PID 1520 wrote to memory of 784	1520	chrome.exe	83
PID 1520 wrote to memory of 784	1520	chrome.exe	83
PID 1520 wrote to memory of 784	1520	chrome.exe	83
PID 1520 wrote to memory of 784	1520	chrome.exe	83
PID 1520 wrote to memory of 784	1520	chrome.exe	83
PID 1520 wrote to memory of 784	1520	chrome.exe	83
PID 1520 wrote to memory of 4304	1520	chrome.exe	84
PID 1520 wrote to memory of 4304	1520	chrome.exe	84
PID 1520 wrote to memory of 4192	1520	chrome.exe	85
PID 1520 wrote to memory of 4192	1520	chrome.exe	85
PID 1520 wrote to memory of 4192	1520	chrome.exe	85
PID 1520 wrote to memory of 4192	1520	chrome.exe	85
PID 1520 wrote to memory of 4192	1520	chrome.exe	85
PID 1520 wrote to memory of 4192	1520	chrome.exe	85
PID 1520 wrote to memory of 4192	1520	chrome.exe	85
PID 1520 wrote to memory of 4192	1520	chrome.exe	85
PID 1520 wrote to memory of 4192	1520	chrome.exe	85
PID 1520 wrote to memory of 4192	1520	chrome.exe	85
PID 1520 wrote to memory of 4192	1520	chrome.exe	85
PID 1520 wrote to memory of 4192	1520	chrome.exe	85
PID 1520 wrote to memory of 4192	1520	chrome.exe	85
PID 1520 wrote to memory of 4192	1520	chrome.exe	85
PID 1520 wrote to memory of 4192	1520	chrome.exe	85
PID 1520 wrote to memory of 4192	1520	chrome.exe	85
PID 1520 wrote to memory of 4192	1520	chrome.exe	85
PID 1520 wrote to memory of 4192	1520	chrome.exe	85
PID 1520 wrote to memory of 4192	1520	chrome.exe	85
PID 1520 wrote to memory of 4192	1520	chrome.exe	85
PID 1520 wrote to memory of 4192	1520	chrome.exe	85
PID 1520 wrote to memory of 4192	1520	chrome.exe	85
PID 1520 wrote to memory of 4192	1520	chrome.exe	85
PID 1520 wrote to memory of 4192	1520	chrome.exe	85
PID 1520 wrote to memory of 4192	1520	chrome.exe	85
PID 1520 wrote to memory of 4192	1520	chrome.exe	85
PID 1520 wrote to memory of 4192	1520	chrome.exe	85
PID 1520 wrote to memory of 4192	1520	chrome.exe	85
PID 1520 wrote to memory of 4192	1520	chrome.exe	85
PID 1520 wrote to memory of 4192	1520	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://schema.org/extensions
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffcfcd8cc40,0x7ffcfcd8cc4c,0x7ffcfcd8cc58
  2⤵
  PID:2032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1860,i,10792273492741804057,5976202082625880746,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1864 /prefetch:2
  2⤵
  PID:784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2112,i,10792273492741804057,5976202082625880746,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  PID:4304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,10792273492741804057,5976202082625880746,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2332 /prefetch:8
  2⤵
  PID:4192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3044,i,10792273492741804057,5976202082625880746,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3064 /prefetch:1
  2⤵
  PID:3624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3080,i,10792273492741804057,5976202082625880746,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3816,i,10792273492741804057,5976202082625880746,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4008 /prefetch:1
  2⤵
  PID:4248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4740,i,10792273492741804057,5976202082625880746,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4752 /prefetch:8
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=728,i,10792273492741804057,5976202082625880746,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4768 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1176

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
5c5fc13e1ffaa2f739776ff47404d10c

SHA1
5cf980d0092a3efb253d3494d219e5aed3c9b9b8

SHA256
f5b03fd51f9da0b56331cb3e349dc54ffa97f6ff630b89915c297e0159a455cf

SHA512
b19c1f731a25be766647cd5b94652832e857f333edcb890d8d01ca38c40515209e6af0ecb8692db3a3ea0e2761c6442e6b34ace614934f27228567973cb1fb57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
bb90031e4510209dcc2c469373aeb19a

SHA1
901bc578afdce64704cf170fde7aec845d9aa0c2

SHA256
e7d9745533927d9db329488d6422432e13fbbaa4d29e3486f060cde2224fc983

SHA512
c8edf42666dae55c1c0456b56f2c1206f36d7c141fdd46d042c642bc659bd20806ff75634197986bfe61230f79403b15c16a26ace0ea4491b592fe9823935e0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d3fa1122481aa85cbcc4c5965bc1a748

SHA1
daffbef44008d9a6d0e266c5bf5e9d6c5b935aa4

SHA256
8e00cd9cc73087f9ad7b8a69d11441031d31dd7b92ba4b8c305906e841698c0f

SHA512
7d365180fb98d8f2453e686c87b305c9fad07498980c4dbde3b545f523f074258dea73ed5917b85926381ad71e7ec4826ecd0c1258a065f4666e6fe6dd0057fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9c38a5c1930b6d692d66c82cc648190b

SHA1
0e6124f4c616c69a0f7f58fb99f53436b634a387

SHA256
9848c31db0ee70d645eb258c90165c1cf9909c1977226b9bff5af499030f6640

SHA512
54d36836cc9322f37c78bd7456a2c99ab95cac5c2f51dfb9abaad109256c0d678f62109e7d79f03c42e0d3d1c8ba2e1ee234ca7353e0cc6e0e01e3de7cddbd48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f81f3c7ae610dfde4f2b6fb9ad400501

SHA1
a74a6bf67ef9c9c03d6553e34043b974814b131f

SHA256
157924963a45d0f2264c8f9c06d7cadb2dbfb095fdff7d8a83e5bc375b1d6263

SHA512
79a3a52f33ca2981e3295a35689b35312ab1613229e4b6bbc1173eb6de772db0c13bf177bafad817d81a34860d4f05fa55d53b87617dfaa4f329bceb76c2fa1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5d846379a49458781a1d341fde03a9df

SHA1
f7f723aea22323b176798d46fbcc5787e7e60d99

SHA256
d38b0604ed3a0eb12c84be9c64f4699bb4d0d2df254d43b75945aaa5317f9894

SHA512
9ed141509298365aa300a653b788d392029a17df29f363aebf7040288ea48365732144e73d8469d10cbc0a3b373f880935b5851e6a93a8922cde5cd61725c051

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
f6c03536509cb5496682a1f2f73f894b

SHA1
042c5c69d7a2ab6aaaff2ccab264587a04c57b87

SHA256
338e5931314fe9a33d423e21ba19aa82465aa052a44d0e509f545ce647c16724

SHA512
7d4d977124897f5de7d67a7ac2dadcf2112837836af2b01ae0421d4f0b75947462a1e3840ace787edc9c0855bcb93ff2e4c69d4824e4e980c6ca7e357ad3996a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
cfbe6ca414c6299d3a06130613902791

SHA1
4781d220c7fdd9eb710c0c06c248d0b77d8cb3f5

SHA256
c7b2b45faf556d746125c468a138ae1464dd6ef58fbed556dc4a6615d971e4ac

SHA512
356836ec540dcf41092bcf88e5472b0206d7278f81b1e2c2b71456a27c251d1841901f4bd559ab4e9a9b304e6a9f007621eb19fb24e5c59fa362fb4bb91e544b

Download Submit