hxxps://malwarewatch[.]org/

Resubmissions

03/04/2025, 17:22

250403-vxwr1szzax 10

03/04/2025, 17:16

03/04/2025, 17:12

03/04/2025, 17:08

03/04/2025, 17:05

Analysis

max time kernel
136s
max time network
144s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
03/04/2025, 17:05

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://malwarewatch.org/

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
159	raw.githubusercontent.com
160	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	[email protected]

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133881735363574260"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-780313508-644878201-565826771-1000\{760C30B8-CB33-4F9A-80EC-BE00238B6C1A}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
5880	chrome.exe
5880	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5032	[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 1352	2812	chrome.exe	82
PID 2812 wrote to memory of 1352	2812	chrome.exe	82
PID 2812 wrote to memory of 4284	2812	chrome.exe	83
PID 2812 wrote to memory of 4284	2812	chrome.exe	83
PID 2812 wrote to memory of 4284	2812	chrome.exe	83
PID 2812 wrote to memory of 4284	2812	chrome.exe	83
PID 2812 wrote to memory of 4284	2812	chrome.exe	83
PID 2812 wrote to memory of 4284	2812	chrome.exe	83
PID 2812 wrote to memory of 4284	2812	chrome.exe	83
PID 2812 wrote to memory of 4284	2812	chrome.exe	83
PID 2812 wrote to memory of 4284	2812	chrome.exe	83
PID 2812 wrote to memory of 4284	2812	chrome.exe	83
PID 2812 wrote to memory of 4284	2812	chrome.exe	83
PID 2812 wrote to memory of 4284	2812	chrome.exe	83
PID 2812 wrote to memory of 4284	2812	chrome.exe	83
PID 2812 wrote to memory of 4284	2812	chrome.exe	83
PID 2812 wrote to memory of 4284	2812	chrome.exe	83
PID 2812 wrote to memory of 4284	2812	chrome.exe	83
PID 2812 wrote to memory of 4284	2812	chrome.exe	83
PID 2812 wrote to memory of 4284	2812	chrome.exe	83
PID 2812 wrote to memory of 4284	2812	chrome.exe	83
PID 2812 wrote to memory of 4284	2812	chrome.exe	83
PID 2812 wrote to memory of 4284	2812	chrome.exe	83
PID 2812 wrote to memory of 4284	2812	chrome.exe	83
PID 2812 wrote to memory of 4284	2812	chrome.exe	83
PID 2812 wrote to memory of 4284	2812	chrome.exe	83
PID 2812 wrote to memory of 4284	2812	chrome.exe	83
PID 2812 wrote to memory of 4284	2812	chrome.exe	83
PID 2812 wrote to memory of 4284	2812	chrome.exe	83
PID 2812 wrote to memory of 4284	2812	chrome.exe	83
PID 2812 wrote to memory of 4284	2812	chrome.exe	83
PID 2812 wrote to memory of 4284	2812	chrome.exe	83
PID 2812 wrote to memory of 4060	2812	chrome.exe	84
PID 2812 wrote to memory of 4060	2812	chrome.exe	84
PID 2812 wrote to memory of 4032	2812	chrome.exe	85
PID 2812 wrote to memory of 4032	2812	chrome.exe	85
PID 2812 wrote to memory of 4032	2812	chrome.exe	85
PID 2812 wrote to memory of 4032	2812	chrome.exe	85
PID 2812 wrote to memory of 4032	2812	chrome.exe	85
PID 2812 wrote to memory of 4032	2812	chrome.exe	85
PID 2812 wrote to memory of 4032	2812	chrome.exe	85
PID 2812 wrote to memory of 4032	2812	chrome.exe	85
PID 2812 wrote to memory of 4032	2812	chrome.exe	85
PID 2812 wrote to memory of 4032	2812	chrome.exe	85
PID 2812 wrote to memory of 4032	2812	chrome.exe	85
PID 2812 wrote to memory of 4032	2812	chrome.exe	85
PID 2812 wrote to memory of 4032	2812	chrome.exe	85
PID 2812 wrote to memory of 4032	2812	chrome.exe	85
PID 2812 wrote to memory of 4032	2812	chrome.exe	85
PID 2812 wrote to memory of 4032	2812	chrome.exe	85
PID 2812 wrote to memory of 4032	2812	chrome.exe	85
PID 2812 wrote to memory of 4032	2812	chrome.exe	85
PID 2812 wrote to memory of 4032	2812	chrome.exe	85
PID 2812 wrote to memory of 4032	2812	chrome.exe	85
PID 2812 wrote to memory of 4032	2812	chrome.exe	85
PID 2812 wrote to memory of 4032	2812	chrome.exe	85
PID 2812 wrote to memory of 4032	2812	chrome.exe	85
PID 2812 wrote to memory of 4032	2812	chrome.exe	85
PID 2812 wrote to memory of 4032	2812	chrome.exe	85
PID 2812 wrote to memory of 4032	2812	chrome.exe	85
PID 2812 wrote to memory of 4032	2812	chrome.exe	85
PID 2812 wrote to memory of 4032	2812	chrome.exe	85
PID 2812 wrote to memory of 4032	2812	chrome.exe	85
PID 2812 wrote to memory of 4032	2812	chrome.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://malwarewatch.org/
1⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffb7378dcf8,0x7ffb7378dd04,0x7ffb7378dd10
  2⤵
  PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1848,i,5032348111782728157,5215094051893970572,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=1804 /prefetch:2
  2⤵
  PID:4284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1592,i,5032348111782728157,5215094051893970572,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  PID:4060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2352,i,5032348111782728157,5215094051893970572,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2504 /prefetch:8
  2⤵
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,5032348111782728157,5215094051893970572,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:5940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,5032348111782728157,5215094051893970572,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4440,i,5032348111782728157,5215094051893970572,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4464 /prefetch:2
  2⤵
  PID:5184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4708,i,5032348111782728157,5215094051893970572,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4720 /prefetch:1
  2⤵
  PID:4808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4868,i,5032348111782728157,5215094051893970572,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4928 /prefetch:8
  2⤵
  - Modifies registry class
  PID:2080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4896,i,5032348111782728157,5215094051893970572,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4888 /prefetch:8
  2⤵
  PID:5316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5620,i,5032348111782728157,5215094051893970572,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5636 /prefetch:8
  2⤵
  PID:5428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=6072,i,5032348111782728157,5215094051893970572,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6100 /prefetch:1
  2⤵
  PID:4340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3272,i,5032348111782728157,5215094051893970572,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3280 /prefetch:8
  2⤵
  PID:6000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=500,i,5032348111782728157,5215094051893970572,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5832 /prefetch:8
  2⤵
  PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5900,i,5032348111782728157,5215094051893970572,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3420 /prefetch:8
  2⤵
  PID:5972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3236,i,5032348111782728157,5215094051893970572,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5940 /prefetch:8
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4580,i,5032348111782728157,5215094051893970572,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6128 /prefetch:8
  2⤵
  PID:3640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=5908,i,5032348111782728157,5215094051893970572,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5928 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5880

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:1172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3768

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3344

C:\Users\Admin\AppData\Local\Temp\231e0233-1f4a-44d5-8b0d-9a68953cb894_Petya.A.zip.894\[email protected]
"C:\Users\Admin\AppData\Local\Temp\231e0233-1f4a-44d5-8b0d-9a68953cb894_Petya.A.zip.894\[email protected]"
1⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
20bdfa8e2312bd5e9da4a7df26996ff4

SHA1
bb572ba8f61391ad3cf0d5515fdbac2b2593330b

SHA256
5ce0d1be522f1953573b149d0f11e618ce3918cf72c138856086672d3514b7b7

SHA512
39b55d80735afc5fe046086435c4feaff1050b27fcdf51f7ff77ca50c016ec5192a3d501bba9b2ac5299b75be83763fa60950ff22af6ff6591816ce73528c863

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
04ce0bd4fbcb1c69f2c5e7a394a0c53c

SHA1
1ffa56b3040b4e94c4b01f7ff00777a12bad0346

SHA256
6be8c97df866fb2d20d73ebc0067b48224e596806a991ea5691defbce3565cbb

SHA512
215dddde4158fc9be30a0e2185e96deff575066537f52793fb38f325e9f3c11769dc0c25a265df4cd56240cc6e583adc64647389d830192d29897011e00b1da7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
09f700ec3405fdeab129c24a3c369353

SHA1
5160b3c17ad53870feae07bbcd6a5ad65c4aac59

SHA256
8df07765006d708dc40729f0447f7dc23da77858fd8d084b506942f86fbd1032

SHA512
8ee2f736bcf53a9ba28e703d939a5c2bd09db11b5e6cb2ff9ea478e170aed92ce6e223939ca8c51a855b16032d3fbb71bef3b7e55632faad933ec1259064b381

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
de04b98e461353abb4109c984517284a

SHA1
59aaca5ddd3d9b3d52a436b6697c4ec6311fee04

SHA256
d69fbbe828b9396102c47f4199ee33b4b2e3222508b946824935db90f6044182

SHA512
271eaded33001d66bcb70c1e4b7a9b37afb5714b070e1854f6bd42d8ff665c3af7ae7853baeaf283b6b1fde23649e965b907e37405cd726a6ed886658ddebed0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
074f750f53184e0997f305bbc4ef7e78

SHA1
22f562aab40f0303ef313032d12451635a537845

SHA256
e2fa70d9d42ebd3d88bd3fb11839378b2ac2ae729862d7cd74fffbc3f12f522d

SHA512
4298301c0b8cd02faf253f6af48156cd7fe4dec9debc2e5d6cda5126aa36a9415c1dbcab9cdb27ce916e60f6e2a0806117f8aa5f9919b5327c20a2a9ea843b0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
093295e6c63cac1fc5bf44b54cbefd7e

SHA1
78b8d65c1dda729073a7da88556b132bccca5964

SHA256
0836d675273b5b47d2f31cc71e1be3d7598989877f8932b3dab68325ada5f0cf

SHA512
631af8e54ef0b92696f6982d1ff63723051e22a5d47367d841ae84f4383f44531a97506c84ad92888d62f2f75809ea8a07b64c340e6d2b48407ff10a55d7c6aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
57fb8169cc563011a88f2379abe5b76d

SHA1
b6b62f98bbfb11ccc2417b624d2880e91de0adff

SHA256
8245c09d78fdf3dffa9a745e13eace05f172112ae22f800dfad710db1a52c31b

SHA512
8c279274101a5c4aefeea0c7ecd1cf4d50a3ff03d87f9cb336b52594b82716b438414214f4c2a52c819bccd7b427b58be6193fd2bf235aa36cb5229f3327903f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
cbef9bb9f4ec621c651f6ed8136879dd

SHA1
12a1e35732bbbf2ebe862c3b7779d5160da7a29d

SHA256
57a15b20f949ac8bfa81acbed8ec489e7f0396b91a5b0ed51fc24aa2fd789f4e

SHA512
c389a89f09c3d360f7d3131db320984eea44ffe3d5b6a0dfc8d39852fc4896bb229f395698b6344a887b1e310a985c093574219de12e91502462745b1c727347

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
a7ad28cd46122c96498b22404cb784c7

SHA1
01153872a010dc6e8ffed9891765012c49095ec7

SHA256
76635f7dd41732f2522107f378dda3f551632814b9cea79dcf76665fb10e1948

SHA512
1c310baa2aa3c0c45956355bb836ebc80a907e6f730f4df122a0ffac7cf6758f1dbba2463cbf8edf430622b7acecaa55ecd020e4d740949e121fc5d6e3cf8719

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
b8469d4794c4569204ca8af549b0c0c0

SHA1
d33a31fce1084b1d4a254ec3573d3acfcf4c1d6e

SHA256
3716a9d245ad9185cbc05dc231e96801a023e097313e204809d4474eea5e9774

SHA512
fa1db6846603e3e819ea50992cfebfd42c6d9e76452e759aae5ee12537f23ac6e7a150ca3d0a92765efe00b1017f2bb822037613741ea2d3593dfb87d2c79dd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
bd5520d041a1580312ee6f125d6ef0be

SHA1
81598f66c9f206877b4fd7ef7e368b04fad604b6

SHA256
dc523bb065a33a664866eacc1ea67ceb8f1d1fde97b5ee06ad773edf0e5f7812

SHA512
a7616cb3ce40a3c980aa633578ecfb41587d5eac5d086a45b975cd033f6cb75eb9c3115b4c67f5599f14cfd48e1a4f1c21830135a54069c861614146dd7291f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57ca26.TMP

Filesize
48B

MD5
a82d510d66c7b6edc0bd01d3e7c4c357

SHA1
abc539281c33a7e01e355b74cea0aa666e6e743e

SHA256
1b4030d83384846aa7a464faf0315b6149372327e425b30a106d9a584b7cc358

SHA512
f1935f271827e868154f8be4087881ff3b3be78080ce29d52b02fd3df2c1f33efd578ff4f50c4efdbc284de483cd8764af91c66dc1808a884adf417e15f945ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt

Filesize
82B

MD5
9c12ec41b948e46a5108b7dbfaf1d16c

SHA1
860c5126809bae1950aa06800c5c1bcdf05f6c53

SHA256
34291f16a0ca09f3129132c388fbf0d909778432ae92059c6d85f77a622dc004

SHA512
a93099ce7e7896b91fe111c44df3beece4828d40705f08f403c63502cf778822f276a3d40f01bee3433b8b1de32cfeef9c8b445bfcfaf56befae6b3ec43f463c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt~RFe577927.TMP

Filesize
146B

MD5
201a29d419ede85b8ed75123fa512edd

SHA1
313afe47d14cd3ce278958c4c75c9d6802ef601e

SHA256
e0a29f5f7db46357c10acb84af3cba3a8c8d14a7d5c56b0b02cdcc5cbd66ebd7

SHA512
2ef30aaac8627861b34ffaa9dec4d6153b9132346e1a4ffa56bdc70f17a1dbf757ea88af4dbe7d3a257a14e87d6445d22c6447c4f9504d0be37fcbce8fbf5a0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
79KB

MD5
f69f5a40bc294f49d3ceb027bcaa2fb8

SHA1
a40dd4941acb8254ed7ebe0d7489f5e391f46975

SHA256
b279e575b0980f491899211f076529facd6311962cbf53ca7e40501df8d19b65

SHA512
e03ea650ac2416c933691d656c6eb683d29888e1c91eedd1d4873639e0b57d80de8abb13cdd10b2e1414d93034039e325754f19acced0c1c32827544e390244e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
b688a319950b274526b56644a9204b64

SHA1
0e2b7406602a96f32b3e08e963df11b21ded0868

SHA256
fb73351fba1636fb5b027c32271bac43a1b6a13de23770c3f56784163665ad5c

SHA512
9e383639233bef50922d8603dc8e79a5d70b066d7b12ee9298fa7bf921a4252715fd30a24093e505d5e7c2751b28d1e7d2bd3cc8aa7c669f5c3fd4cfbcbfa8ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
3149008bbc5dc0abddcf930b632546e9

SHA1
dd2edb98318e0e5d31263fc4605e882b2837f0f0

SHA256
f1f9975f7358e0935054c591e5828fb16242c897a8e8d5e5d318ff0db380eb33

SHA512
cba72fa317f55d1962efd458f2628286171140f41d32a3a036b744dde72ca879ea2470f5b4d971f5f1e1b60a577ee3bdc679e8cde3f24a68448708bc6e37d96a

Download Submit
C:\Users\Admin\Downloads\Petya.A.zip

Filesize
128KB

MD5
1559522c34054e5144fe68ee98c29e61

SHA1
ff80eeb6bcf4498c9ff38c252be2726e65c10c34

SHA256
e99651aa5c5dcf9128adc8da685f1295b959f640a173098d07018b030d529509

SHA512
6dab1f391ab1bea12b799fcfb56d70cfbdbde05ad350b53fcb782418495fad1c275fe1a40f9edd238473c3d532b4d87948bddd140e5912f14aff4293be6e4b4c

Download Submit
memory/5032-639-0x000000000041A000-0x0000000000427000-memory.dmp

Filesize
52KB

Download
memory/5032-640-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads