hxxps://github[.]com/pankoza2-pl/malwaredatabase-old

Resubmissions

25/03/2025, 17:08

250325-vnlkpay1fz 8

25/03/2025, 17:05

25/03/2025, 16:31

25/03/2025, 16:22

25/03/2025, 16:13

Analysis

max time kernel
145s
max time network
259s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
25/03/2025, 16:31

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/pankoza2-pl/malwaredatabase-old

Score

8^/10

bootkit defense_evasion discovery persistence

Malware Config

Signatures

Disables Task Manager via registry modification
defense_evasion

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
15	raw.githubusercontent.com
22	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MS 0735.6+7421.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MS 0735.6+7421-safety.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MS 0735.6+7421.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133873939401727859"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings	chrome.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
5672	reg.exe
4848	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\MS 0735.6+7421.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
5744	chrome.exe
5744	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeCreatePagefilePrivilege	4008	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2012	MS 0735.6+7421.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 5804	4008	chrome.exe	79
PID 4008 wrote to memory of 5804	4008	chrome.exe	79
PID 4008 wrote to memory of 3536	4008	chrome.exe	80
PID 4008 wrote to memory of 3536	4008	chrome.exe	80
PID 4008 wrote to memory of 3536	4008	chrome.exe	80
PID 4008 wrote to memory of 3536	4008	chrome.exe	80
PID 4008 wrote to memory of 3536	4008	chrome.exe	80
PID 4008 wrote to memory of 3536	4008	chrome.exe	80
PID 4008 wrote to memory of 3536	4008	chrome.exe	80
PID 4008 wrote to memory of 3536	4008	chrome.exe	80
PID 4008 wrote to memory of 3536	4008	chrome.exe	80
PID 4008 wrote to memory of 3536	4008	chrome.exe	80
PID 4008 wrote to memory of 3536	4008	chrome.exe	80
PID 4008 wrote to memory of 3536	4008	chrome.exe	80
PID 4008 wrote to memory of 3536	4008	chrome.exe	80
PID 4008 wrote to memory of 3536	4008	chrome.exe	80
PID 4008 wrote to memory of 3536	4008	chrome.exe	80
PID 4008 wrote to memory of 3536	4008	chrome.exe	80
PID 4008 wrote to memory of 3536	4008	chrome.exe	80
PID 4008 wrote to memory of 3536	4008	chrome.exe	80
PID 4008 wrote to memory of 3536	4008	chrome.exe	80
PID 4008 wrote to memory of 3536	4008	chrome.exe	80
PID 4008 wrote to memory of 3536	4008	chrome.exe	80
PID 4008 wrote to memory of 3536	4008	chrome.exe	80
PID 4008 wrote to memory of 3536	4008	chrome.exe	80
PID 4008 wrote to memory of 3536	4008	chrome.exe	80
PID 4008 wrote to memory of 3536	4008	chrome.exe	80
PID 4008 wrote to memory of 3536	4008	chrome.exe	80
PID 4008 wrote to memory of 3536	4008	chrome.exe	80
PID 4008 wrote to memory of 3536	4008	chrome.exe	80
PID 4008 wrote to memory of 3536	4008	chrome.exe	80
PID 4008 wrote to memory of 3536	4008	chrome.exe	80
PID 4008 wrote to memory of 4332	4008	chrome.exe	81
PID 4008 wrote to memory of 4332	4008	chrome.exe	81
PID 4008 wrote to memory of 5432	4008	chrome.exe	83
PID 4008 wrote to memory of 5432	4008	chrome.exe	83
PID 4008 wrote to memory of 5432	4008	chrome.exe	83
PID 4008 wrote to memory of 5432	4008	chrome.exe	83
PID 4008 wrote to memory of 5432	4008	chrome.exe	83
PID 4008 wrote to memory of 5432	4008	chrome.exe	83
PID 4008 wrote to memory of 5432	4008	chrome.exe	83
PID 4008 wrote to memory of 5432	4008	chrome.exe	83
PID 4008 wrote to memory of 5432	4008	chrome.exe	83
PID 4008 wrote to memory of 5432	4008	chrome.exe	83
PID 4008 wrote to memory of 5432	4008	chrome.exe	83
PID 4008 wrote to memory of 5432	4008	chrome.exe	83
PID 4008 wrote to memory of 5432	4008	chrome.exe	83
PID 4008 wrote to memory of 5432	4008	chrome.exe	83
PID 4008 wrote to memory of 5432	4008	chrome.exe	83
PID 4008 wrote to memory of 5432	4008	chrome.exe	83
PID 4008 wrote to memory of 5432	4008	chrome.exe	83
PID 4008 wrote to memory of 5432	4008	chrome.exe	83
PID 4008 wrote to memory of 5432	4008	chrome.exe	83
PID 4008 wrote to memory of 5432	4008	chrome.exe	83
PID 4008 wrote to memory of 5432	4008	chrome.exe	83
PID 4008 wrote to memory of 5432	4008	chrome.exe	83
PID 4008 wrote to memory of 5432	4008	chrome.exe	83
PID 4008 wrote to memory of 5432	4008	chrome.exe	83
PID 4008 wrote to memory of 5432	4008	chrome.exe	83
PID 4008 wrote to memory of 5432	4008	chrome.exe	83
PID 4008 wrote to memory of 5432	4008	chrome.exe	83
PID 4008 wrote to memory of 5432	4008	chrome.exe	83
PID 4008 wrote to memory of 5432	4008	chrome.exe	83
PID 4008 wrote to memory of 5432	4008	chrome.exe	83

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/pankoza2-pl/malwaredatabase-old
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb2a8fdcf8,0x7ffb2a8fdd04,0x7ffb2a8fdd10
  2⤵
  PID:5804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1944,i,14373790028038067950,6548426931894349584,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:3536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1428,i,14373790028038067950,6548426931894349584,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2228 /prefetch:11
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2336,i,14373790028038067950,6548426931894349584,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2352 /prefetch:13
  2⤵
  PID:5432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,14373790028038067950,6548426931894349584,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,14373790028038067950,6548426931894349584,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4048,i,14373790028038067950,6548426931894349584,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4184 /prefetch:9
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5440,i,14373790028038067950,6548426931894349584,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5408 /prefetch:14
  2⤵
  PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4880,i,14373790028038067950,6548426931894349584,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4712 /prefetch:14
  2⤵
  - NTFS ADS
  PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4672,i,14373790028038067950,6548426931894349584,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4612 /prefetch:14
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4648,i,14373790028038067950,6548426931894349584,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5764 /prefetch:14
  2⤵
  PID:4144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4640,i,14373790028038067950,6548426931894349584,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5804 /prefetch:14
  2⤵
  PID:5940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=1052,i,14373790028038067950,6548426931894349584,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=6080,i,14373790028038067950,6548426931894349584,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:5852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=6244,i,14373790028038067950,6548426931894349584,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6276 /prefetch:1
  2⤵
  PID:2668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=5792,i,14373790028038067950,6548426931894349584,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5784 /prefetch:10
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3132,i,14373790028038067950,6548426931894349584,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3136 /prefetch:14
  2⤵
  PID:392

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:1740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3076

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4512

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\MS 0735.6+7421\readme.txt
1⤵
PID:4916

C:\Users\Admin\Downloads\MS 0735.6+7421\MS 0735.6+7421-safety.exe
"C:\Users\Admin\Downloads\MS 0735.6+7421\MS 0735.6+7421-safety.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5980

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004DC
1⤵
PID:1540

C:\Users\Admin\Downloads\MS 0735.6+7421\MS 0735.6+7421.exe
"C:\Users\Admin\Downloads\MS 0735.6+7421\MS 0735.6+7421.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4404
- - C:\Windows\SysWOW64\reg.exe
    REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4848

C:\Users\Admin\Downloads\MS 0735.6+7421\MS 0735.6+7421.exe
"C:\Users\Admin\Downloads\MS 0735.6+7421\MS 0735.6+7421.exe"
1⤵
PID:5480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
  2⤵
  PID:252
- - C:\Windows\SysWOW64\reg.exe
    REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
    3⤵
    - Modifies registry key
    PID:5672

C:\Users\Admin\Downloads\MS 0735.6+7421\MS 0735.6+7421-safety.exe
"C:\Users\Admin\Downloads\MS 0735.6+7421\MS 0735.6+7421-safety.exe"
1⤵
PID:1416

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\MS 0735.6+7421\readme.txt
1⤵
PID:4900

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39ca855 /state1:0x41c64e6d
1⤵
PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
5a4554810269405846a79ae14e6b85c6

SHA1
481b3493c0f3594eda0800a7f6c7e523d756f72c

SHA256
fb4d57b8420c3ecbea85342182ecda691d76c3c05c5c18af38c26fbd55a51742

SHA512
627c721d70c21a094439296dbcb8b52688097632f2c51cf2de3e0b8ff44c72814db8a51b8af10927156aa4e9ed8fec9ea0486fb43ee8f6b898a4a0b238265ece

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
3b5176ae958b741572035969b8dacd7b

SHA1
b16f743fc5b39b052a937d4b9b89cec949f331ba

SHA256
dc447822d0845b325117bb8daa1ceaf49f9a1f681d1d0aaeaa3f01714024a2e7

SHA512
bd33a215849fa81e079ad9f2c853ead4e905070f54bd577adca2b3a1e2205b0f0994dae03aaa2f3723f06acd21766bc32aea02fa2aa76faa17baf9ee78b77aeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
8339beb84b406200c521ed530eac9890

SHA1
474d34db91a735cd52e46eec604e31ef6bdf4377

SHA256
284abf5cafbdea8bcaf53037fda297bf67773c59b12d036ab7b2b98f5f0359b6

SHA512
8f0e0964e447b404d5417ddf9e1afa0d1f341260523bc05d67368e6daa63fd2f59028a49c50a489d7855c7af432f8415884d3eba04755a1b90d5c39be4b1d4d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
4fdd09e1f1d63a799954fe8b9e71b98a

SHA1
48b697d53219ad523025b382c7ed530900afe8b7

SHA256
f697c316bda498d11289edf5bb9a127e359222483eda9d51f071a445bce63291

SHA512
e35b0bd4d93af73205eb660252bf415a9e769cdecf66fa6b36928031ff340c309232f5c3130f0927428bd490f5746340b704003d5927a36bf42c89448b6056a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
51ab9a086841ccc892ee43a1662b0589

SHA1
b42cf2aaa514fc12d5ec16c7fe550ce1f1c41c7c

SHA256
447e772eee854ecb157ae658d116685863d3c2267f86b1358b5c219b867e18c1

SHA512
c0fae7844bc96d72921b65283afaf3ba434af691aeafecac3833be2c7119c2b220e5b3bf8841244ca37b3032a714878417dff10860c47c38aa23b7421fad08bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
ef4b63a0e0c9c3ed918855e75ce3ad87

SHA1
ffb45791b1c4e1af9ef658928d7109f1c57a0976

SHA256
5dc407dae0aa52e4720b9273e6bae32e1c5525c81316a128fc1f4c0156b0a386

SHA512
33e6d9a9acc749a576e2817a70bbfde20f94e131b5af5be1d5e62800b734f92c633a63952e739f19a39cd1b4126b376d0f288900134b5facdaf84bd4d1723516

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
9f32208b69a8a0e5f4825aec2256bdf2

SHA1
47d2403803dfdf4d1c79fed22764fe10a8398fd2

SHA256
2c48eecafb5d3a1d698e10720bf2dda24afdcf0c4fa716dddca06e99497636d1

SHA512
949609b7b690f21c59a773dff3f4c4ae9d0e9449a3309a79cd2b69d0fa434d868721cc3815ad865c6a8e0adbd1f0abb5c10e6c09b859121c44d31c40bf71a452

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
d04e51908dc246096b356d342c8d31ef

SHA1
843d913211e6368fa1ebc09cabe9209790fd044d

SHA256
534f3b58a9de6f999af9a1bef95e3c5e528dac603775a849ee194498bf3eb295

SHA512
7898cb63b58aaa02097330bf4a2ac88563e3dbdccb440559f9b965d3b4c10fce6b5805f17721c661823e306d6e224ed1a59b96094bee2ac841fb1ecd3cab2e01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
fd9fca138d7737c844ea54477e0af739

SHA1
7fb9f9526cec88cdd0335e9ff2e7813301b06720

SHA256
1f124c3f290e149d4e773e4241117f7232461d102f8cff8f905bab3e7b504396

SHA512
493f40daf85364f312a6cf960735cafa7c8cb05b1c8591f3d97cea4322ee4a49aa070635436a5170b19b967b5ec8ac84fb1254b6553e93a48b6e701728ac72cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
0c4ee74392bcb9c2651fb89da5d6ea38

SHA1
3b0c059f0763113bc1f02ff5dcbc7ab421b9bb30

SHA256
271186f51c93e49b8e397d63570f77ed64355ad873c825457f56c4be696da869

SHA512
0c69717b1882b08f112a904faf5b582497a6ba83dceeb00e15c8522c1557dc55e25ee27713984c27e49a24c9d84606c6cb4edd41168ee16587e07a3402257080

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
d84e16723e6ebf49c25e99bdab2adcd2

SHA1
7517072bd37c21812676368faa73738846004a90

SHA256
83f181a139b296cb71912e357dc12b2163f000d6ce90eeef9fd2efc87d4fa7c7

SHA512
d918d269c062e471c0dfd7533c726fa43ac69b1136c40841ae6bf79c3c07988f433e7aeaaf9115a9eb1be70b2330d23cbd366bc6b6d46c1dda976b1b18644c43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57b3bf.TMP

Filesize
48B

MD5
86d3cca6a56cc25b0b60d6d9cf578892

SHA1
bff35535df888514c3c286952883a44f52f2075e

SHA256
4f581be5ccff98238a2c0cb2f41ca2084f0374c7bac0168fdbd33a3cb736e4a6

SHA512
f02f832638013da9d41518231a90425cc1112713cba3038ad6b5fcc29bcf1160ae9161b58ca106e5563454807773d46fc52073f0f2bcb847aa823db92aa01989

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
98f33a21a570414e8f23bc1521d7abca

SHA1
a91056473af6c652cc7a3913abd7528b95d2a777

SHA256
0baf9eb511fe5e46417b17038b73e8755df43e863aca14c4dfd6d92c1c22124c

SHA512
1460b10b7bd84a73553937edfc9ef0c78316d0bef56a11fb815bb4b6cc49cc4c1828d17b8e5bae05f2d504b5141ef70729e0bd11f7f68e46119fe1f49fc55b95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
ee9709744398e84e306a9dc21b3d49b8

SHA1
e630a882053adb507ddfbf7d7a235bfe8e634d75

SHA256
acf22dc5ae1c71160bcb7d3cfd2325860420613bd11e85875b7ce779abcbbfea

SHA512
9edc3d93c873e42b37e063b80c3f3bdfe3d138f42d3fae2a3a6133ef199122cd978e966efd2451b1191b4a3922b1f5ac03bb01b201580b91c87cec66b4c7ea36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
bf302ec3c31477a3f6672d2d3ffb2de6

SHA1
ac0b75fe586a0d187b871fe3028625a89a9bf27c

SHA256
584bb3c7be20105566a7781902c599a14b6ddfce0cd805cf8c4cb631a9cdf6b5

SHA512
d279cb4e2991a8f6a6079ddfb47ee2538abbbc9fae7b522ff2ae9268e70e326d11a87318004bca144e6a96a7237c98b96b90d80c31284eaa715e9a6631cc123b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
141119211a3c6dfd87bf1716b95cd2b9

SHA1
9b0c197f0c1ac3f2d3e6cff1c7aeb257867f916a

SHA256
4dd70d709faed3868a7121c370eeab6e43fbbda505402a35d6802e14123d478c

SHA512
22d790dd844dcdddb6d76c4dd27013832079dafcee0ecae806e091806f56d1b5c6ef4b21770da7828a5294efa6e73cd2b4d7277fed2baf52548bb9aa0a1f5155

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
6b960eb719cf81fb63798294baf17966

SHA1
781ffca716215b30f2fc03d86d4dc0f7f0ce64e9

SHA256
9c0455ccbc8a2324f765a144bb2d4a8aaf1a12e893f9e8bbe65abd9cc3c58e52

SHA512
190b69b92c9af4ea2bc95fff0f661ca0f17576f3ed0d72928a1e851d1e1992161dfe338e5f90e617f1c11ceaffb399414d24baaea5c23d73f3dbb2070bc2ceb4

Download Submit
C:\Users\Admin\Downloads\MS 0735.6+7421.zip

Filesize
112KB

MD5
1b3cf59e94f7d599ed2d54c1f82acb5a

SHA1
10d84b9096c92331106212af9a88cc7f8119c458

SHA256
57c3e5002750b9da9dbf7526a1288bbd84f339fadc16f828ef20d1889c51e483

SHA512
113328d190125c1dd0f7b5dc323a68c41f5a98c1afbec51e414c5f2776097bb1daf44af9aa58acb221c82c11e68b580f414ead1cf8184caf28da259793555a45

Download Submit
C:\Users\Admin\Downloads\MS 0735.6+7421.zip:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\MS 0735.6+7421\readme.txt

Filesize
454B

MD5
0e95afedd9e73caffd9e7fa0fa8a9982

SHA1
9286cf093c4a99e39c677cfa13a51e7eed739364

SHA256
d362adad2a4b7cdfa9aecc2d749e27b930471c8bc0dd750c61f61914ae81926e

SHA512
c54b6b17e349ba92f7b4878ea7068c690e5ad926476e09425ee01b2c56de26085c69fdbde04c2a51198a779e1ef77de2dd10ca4d5cf68bd51a766499feef84c0

Download Submit

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads