hxxps://bazaar[.]abuse[.]ch/browse/tag/CVE-2021-40444/

General

Target

https://bazaar.abuse.ch/browse/tag/CVE-2021-40444/
Sample

210915-gx614ahhg6

Score

10^/10

macro

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

calc.execalc.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	1832	3264	calc.exe	WINWORD.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	5356	3476	calc.exe	WINWORD.EXE

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\50c73c28604e84cab667fa5410543430286441991f0968f6de312a2b415c97fb\50c73c28604e84cab667fa5410543430286441991f0968f6de312a2b415c97fb.doc	office_macros

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEchrome.exeWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 3 IoCs

Processes:

chrome.execalc.execalc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings	calc.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3264 WINWORD.EXE
3264 WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
2640	chrome.exe
2640	chrome.exe
3972	chrome.exe
3972	chrome.exe
5040	chrome.exe
5040	chrome.exe
4836	chrome.exe
4836	chrome.exe
6020	chrome.exe
6020	chrome.exe
4640	chrome.exe
4640	chrome.exe
4788	chrome.exe
4788	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

2128 OpenWith.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7zG.exe

description pid process

Token: SeRestorePrivilege 596 7zG.exe
Token: 35 596 7zG.exe
Token: SeSecurityPrivilege 596 7zG.exe
Token: SeSecurityPrivilege 596 7zG.exe

pid	process
2128	OpenWith.exe

description	pid	process
Token: SeRestorePrivilege	596	7zG.exe
Token: 35	596	7zG.exe
Token: SeSecurityPrivilege	596	7zG.exe
Token: SeSecurityPrivilege	596	7zG.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

chrome.exe7zG.exe

pid	process
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
3972	chrome.exe
596	7zG.exe

Suspicious use of SetWindowsHookEx 19 IoCs

Processes:

WINWORD.EXEOpenWith.exeOpenWith.exe

pid	process
3264	WINWORD.EXE
3264	WINWORD.EXE
3264	WINWORD.EXE
3264	WINWORD.EXE
3264	WINWORD.EXE
3264	WINWORD.EXE
3264	WINWORD.EXE
3264	WINWORD.EXE
3264	WINWORD.EXE
3264	WINWORD.EXE
3264	WINWORD.EXE
3264	WINWORD.EXE
3264	WINWORD.EXE
3264	WINWORD.EXE
3264	WINWORD.EXE
3264	WINWORD.EXE
3264	WINWORD.EXE
2128	OpenWith.exe
5372	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3972 wrote to memory of 3672	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 3672	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2880	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2640	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 2640	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 696	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 696	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 696	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 696	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 696	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 696	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 696	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 696	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 696	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 696	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 696	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 696	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 696	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 696	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 696	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 696	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 696	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 696	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 696	3972	chrome.exe	chrome.exe
PID 3972 wrote to memory of 696	3972	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://bazaar.abuse.ch/browse/tag/CVE-2021-40444/
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=93.0.4577.63 --initial-client-data=0xa8,0xcc,0xd0,0x44,0xd4,0x7ff9aa52a380,0x7ff9aa52a390,0x7ff9aa52a3a0
2⤵
PID:3672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 /prefetch:2
2⤵
PID:2880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1796 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2172 /prefetch:8
2⤵
PID:696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2860 /prefetch:1
2⤵
PID:3632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2868 /prefetch:1
2⤵
PID:4124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
2⤵
PID:4212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
2⤵
PID:4232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
2⤵
PID:4256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
2⤵
PID:4288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4968 /prefetch:8
2⤵
PID:4772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
2⤵
PID:4804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5656 /prefetch:8
2⤵
PID:5060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3140 /prefetch:8
2⤵
PID:4184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5040 /prefetch:8
2⤵
PID:4244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3116 /prefetch:8
2⤵
PID:4140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5656 /prefetch:8
2⤵
PID:4324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5800 /prefetch:8
2⤵
PID:4776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5844 /prefetch:8
2⤵
PID:4924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5816 /prefetch:8
2⤵
PID:4128

C:\Program Files\Google\Chrome\Application\93.0.4577.63\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\93.0.4577.63\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel=stable --force-configure-user-settings
2⤵
PID:5048

C:\Program Files\Google\Chrome\Application\93.0.4577.63\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\93.0.4577.63\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=93.0.4577.63 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff62f4a6ee0,0x7ff62f4a6ef0,0x7ff62f4a6f00
3⤵
PID:5060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6024 /prefetch:8
2⤵
PID:4340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5932 /prefetch:8
2⤵
PID:4184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5304 /prefetch:8
2⤵
PID:4144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5984 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4888 /prefetch:8
2⤵
PID:4828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3136 /prefetch:8
2⤵
PID:5068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6252 /prefetch:8
2⤵
PID:5064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6428 /prefetch:8
2⤵
PID:4352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6440 /prefetch:8
2⤵
PID:5088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6396 /prefetch:8
2⤵
PID:5116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6676 /prefetch:8
2⤵
PID:4100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7084 /prefetch:8
2⤵
PID:3944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6388 /prefetch:8
2⤵
PID:5076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7336 /prefetch:8
2⤵
PID:4128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6980 /prefetch:8
2⤵
PID:4140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7212 /prefetch:8
2⤵
PID:4172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7480 /prefetch:8
2⤵
PID:3724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7004 /prefetch:8
2⤵
PID:5220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6556 /prefetch:8
2⤵
PID:5252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6996 /prefetch:8
2⤵
PID:5268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8388 /prefetch:8
2⤵
PID:5364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8508 /prefetch:8
2⤵
PID:5408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7980 /prefetch:8
2⤵
PID:5500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8012 /prefetch:8
2⤵
PID:5520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8252 /prefetch:1
2⤵
PID:5612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6088 /prefetch:8
2⤵
PID:5628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8144 /prefetch:1
2⤵
PID:5780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7964 /prefetch:1
2⤵
PID:5832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4476 /prefetch:8
2⤵
PID:5964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3944 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:6020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4396 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=808 /prefetch:8
2⤵
PID:5104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,2104034422043790791,6270851748410126478,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1476 /prefetch:8
2⤵
PID:6112

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6132

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\50c73c28604e84cab667fa5410543430286441991f0968f6de312a2b415c97fb\" -spe -an -ai#7zMap15209:190:7zEvent3483
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:596

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\50c73c28604e84cab667fa5410543430286441991f0968f6de312a2b415c97fb\50c73c28604e84cab667fa5410543430286441991f0968f6de312a2b415c97fb.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3264

C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
2⤵
- Process spawned unexpected child process
- Modifies registry class
PID:1832

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2128

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\50c73c28604e84cab667fa5410543430286441991f0968f6de312a2b415c97fb\50c73c28604e84cab667fa5410543430286441991f0968f6de312a2b415c97fb.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:3476

C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
2⤵
- Process spawned unexpected child process
- Modifies registry class
PID:5356

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
MD5
2933cbbf2e0e72d360c3420c925c3de0

SHA1
299abfaca26b44dd22d2d03916973a903fddaabc

SHA256
c07a487728e60306f38a3a32c1dba3eba09b28e2efded34a7a449e5619879927

SHA512
d711a1438f5d3946279c98231fcd07637de2868a00445ff117be82287b406dfdf2110d951fa6e09d0cd2f73ff40e78e76d51fff5c0570eb3b86e6c284de0734e

Download Submit
C:\Users\Admin\Downloads\50c73c28604e84cab667fa5410543430286441991f0968f6de312a2b415c97fb.zip
MD5
bc41ee17f301bb6309f7b997768530c3

SHA1
786fbba2f3c04f9ab2c552074ff4da370ad83df2

SHA256
1adc9b5da6a9ccd81a211ab3616220b00626a4d64a19f46a00d81bd14862fb64

SHA512
0de865eb209c2eb2764b41cc8aa0566d81003090c21e751ee1077743ae113e8a4afcc2ca3193f127574c1d751058d71d0b6681b2d00b738d0627fc3652aaec46

Download Submit
C:\Users\Admin\Downloads\50c73c28604e84cab667fa5410543430286441991f0968f6de312a2b415c97fb\50c73c28604e84cab667fa5410543430286441991f0968f6de312a2b415c97fb.doc
MD5
f2028343532bc51699eeddb287ccbd83

SHA1
5740d2af676fc45392e8e1aebabecd45afe2e369

SHA256
50c73c28604e84cab667fa5410543430286441991f0968f6de312a2b415c97fb

SHA512
d811102983bef3b93c4edc403c7afcb8361d25c4cb6814d0b266bb08df2a9c9a5ecfea1a066425f77739505816527cb004e2f1318b05be749816a7f54b87a302

Download Submit
\??\pipe\crashpad_3972_QJNIWPEYEDABZRGG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_5048_WFGNOMYHPZTFOOBW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/696-129-0x0000000000000000-mapping.dmp

Download
memory/1832-437-0x0000000000000000-mapping.dmp

Download
memory/2640-123-0x0000000000000000-mapping.dmp

Download
memory/2880-124-0x00007FF9B2DF0000-0x00007FF9B2DF1000-memory.dmp

Filesize
4KB

Download
memory/2880-122-0x0000000000000000-mapping.dmp

Download
memory/3264-404-0x00007FF973020000-0x00007FF973030000-memory.dmp

Filesize
64KB

Download
memory/3264-406-0x00007FF991000000-0x00007FF993B23000-memory.dmp

Filesize
43.1MB

Download
memory/3264-644-0x00007FF973020000-0x00007FF973030000-memory.dmp

Filesize
64KB

Download
memory/3264-643-0x00007FF973020000-0x00007FF973030000-memory.dmp

Filesize
64KB

Download
memory/3264-642-0x00007FF973020000-0x00007FF973030000-memory.dmp

Filesize
64KB

Download
memory/3264-402-0x00007FF973020000-0x00007FF973030000-memory.dmp

Filesize
64KB

Download
memory/3264-403-0x00007FF973020000-0x00007FF973030000-memory.dmp

Filesize
64KB

Download
memory/3264-645-0x00007FF973020000-0x00007FF973030000-memory.dmp

Filesize
64KB

Download
memory/3264-405-0x00007FF973020000-0x00007FF973030000-memory.dmp

Filesize
64KB

Download
memory/3264-410-0x00007FF973020000-0x00007FF973030000-memory.dmp

Filesize
64KB

Download
memory/3264-414-0x00007FF97F040000-0x00007FF980F35000-memory.dmp

Filesize
31.0MB

Download
memory/3264-413-0x00007FF980F40000-0x00007FF98202E000-memory.dmp

Filesize
16.9MB

Download
memory/3632-137-0x0000000000000000-mapping.dmp

Download
memory/3672-117-0x0000000000000000-mapping.dmp

Download
memory/3724-318-0x0000000000000000-mapping.dmp

Download
memory/3944-295-0x0000000000000000-mapping.dmp

Download
memory/4100-288-0x0000000000000000-mapping.dmp

Download
memory/4124-141-0x0000000000000000-mapping.dmp

Download
memory/4128-230-0x0000000000000000-mapping.dmp

Download
memory/4128-304-0x0000000000000000-mapping.dmp

Download
memory/4140-210-0x0000000000000000-mapping.dmp

Download
memory/4140-310-0x0000000000000000-mapping.dmp

Download
memory/4144-250-0x0000000000000000-mapping.dmp

Download
memory/4172-313-0x0000000000000000-mapping.dmp

Download
memory/4184-246-0x0000000000000000-mapping.dmp

Download
memory/4184-200-0x0000000000000000-mapping.dmp

Download
memory/4212-148-0x0000000000000000-mapping.dmp

Download
memory/4232-151-0x0000000000000000-mapping.dmp

Download
memory/4244-205-0x0000000000000000-mapping.dmp

Download
memory/4256-156-0x0000000000000000-mapping.dmp

Download
memory/4288-161-0x0000000000000000-mapping.dmp

Download
memory/4324-215-0x0000000000000000-mapping.dmp

Download
memory/4340-242-0x0000000000000000-mapping.dmp

Download
memory/4352-275-0x0000000000000000-mapping.dmp

Download
memory/4640-393-0x0000000000000000-mapping.dmp

Download
memory/4772-178-0x0000000000000000-mapping.dmp

Download
memory/4776-220-0x0000000000000000-mapping.dmp

Download
memory/4788-407-0x0000000000000000-mapping.dmp

Download
memory/4804-183-0x0000000000000000-mapping.dmp

Download
memory/4828-260-0x0000000000000000-mapping.dmp

Download
memory/4836-256-0x0000000000000000-mapping.dmp

Download
memory/4924-225-0x0000000000000000-mapping.dmp

Download
memory/5040-191-0x0000000000000000-mapping.dmp

Download
memory/5048-234-0x0000000000000000-mapping.dmp

Download
memory/5060-237-0x0000000000000000-mapping.dmp

Download
memory/5060-195-0x0000000000000000-mapping.dmp

Download
memory/5064-270-0x0000000000000000-mapping.dmp

Download
memory/5068-265-0x0000000000000000-mapping.dmp

Download
memory/5076-300-0x0000000000000000-mapping.dmp

Download
memory/5088-279-0x0000000000000000-mapping.dmp

Download
memory/5104-398-0x0000000000000000-mapping.dmp

Download
memory/5116-285-0x0000000000000000-mapping.dmp

Download
memory/5220-325-0x0000000000000000-mapping.dmp

Download
memory/5252-330-0x0000000000000000-mapping.dmp

Download
memory/5268-333-0x0000000000000000-mapping.dmp

Download
memory/5364-340-0x0000000000000000-mapping.dmp

Download
memory/5408-343-0x0000000000000000-mapping.dmp

Download
memory/5500-350-0x0000000000000000-mapping.dmp

Download
memory/5520-353-0x0000000000000000-mapping.dmp

Download
memory/5612-360-0x0000000000000000-mapping.dmp

Download
memory/5628-362-0x0000000000000000-mapping.dmp

Download
memory/5780-372-0x0000000000000000-mapping.dmp

Download
memory/5832-378-0x0000000000000000-mapping.dmp

Download
memory/5964-386-0x0000000000000000-mapping.dmp

Download
memory/6020-390-0x0000000000000000-mapping.dmp

Download
memory/6112-592-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads