a5e419804bfa9843c6ceaa7f27e4e6271d74a9e8937e76da48e99bf2beaae59a

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
19/12/2022, 14:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ScratchLinkSetup.msi
Size

2.4MB
MD5

bef956e8404c21d33f2a2cbf0c09eabb
SHA1

c53f8c24baa0a7ae8625f0623d7d078c820f827b
SHA256

1bfd7723085419292bc9b36bed51c714c6b229a3eaa3aae79019ca3f5d38f980
SHA512

3bea393b3eb2fb5471295a65dcd00ca98bd85f41c3f4d732fca49bcede6a26352233c823edc855bb137c2cce7dde51ee009667bb5a90d5dd20c29cb8bb0c3cb3
SSDEEP

24576:NEm8LgaQDNtgwEn/UPU9HlD7ahOE2Z34KZyEgBnlHynlHzenlH:isDDgwi/BEnUIREgBdydyd

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
5	4600	msiexec.exe
6	4600	msiexec.exe
8	4600	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
6092	ChromeRecovery.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	chrome.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6040_1899747811\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6040_1899747811\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6040_1899747811\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6040_1899747811\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files (x86)\Scratch Link\ScratchLink.pdb	msiexec.exe
File created	C:\Program Files (x86)\Scratch Link\System.Runtime.WindowsRuntime.dll	msiexec.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6040_1899747811\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files (x86)\Scratch Link\ScratchLink.exe.config	msiexec.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6040_1899747811\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6040_1899747811\manifest.json	elevation_service.exe
File created	C:\Program Files (x86)\Scratch Link\Fleck.dll	msiexec.exe
File created	C:\Program Files (x86)\Scratch Link\Newtonsoft.Json.dll	msiexec.exe
File created	C:\Program Files (x86)\Scratch Link\ScratchLink.exe	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C50C4D9D-ECC5-4BD4-8525-CC835BF3EA55}	msiexec.exe
File created	C:\Windows\Installer\{C50C4D9D-ECC5-4BD4-8525-CC835BF3EA55}\ScratchLink.exe	msiexec.exe
File created	C:\Windows\Installer\e5725e9.msi	msiexec.exe
File created	C:\Windows\Installer\e5725e7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5725e7.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI27FA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C50C4D9D-ECC5-4BD4-8525-CC835BF3EA55}\ScratchLink.exe	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000005cb6ed2f2c7878f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000005cb6ed20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff00000000070001000068090005cb6ed2000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000005cb6ed200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000005cb6ed200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D9D4C05C5CCE4DB45852CC38B53FAE55\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D9D4C05C5CCE4DB45852CC38B53FAE55\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D9D4C05C5CCE4DB45852CC38B53FAE55\PackageCode = "6AFAAE234B5E1A5469A5F7407858D168"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D9D4C05C5CCE4DB45852CC38B53FAE55\Version = "16973890"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D9D4C05C5CCE4DB45852CC38B53FAE55\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D9D4C05C5CCE4DB45852CC38B53FAE55\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D9D4C05C5CCE4DB45852CC38B53FAE55\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D9D4C05C5CCE4DB45852CC38B53FAE55\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D9D4C05C5CCE4DB45852CC38B53FAE55\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D9D4C05C5CCE4DB45852CC38B53FAE55	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D9D4C05C5CCE4DB45852CC38B53FAE55\ProductName = "Scratch Link"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D9D4C05C5CCE4DB45852CC38B53FAE55\SourceList\PackageName = "ScratchLinkSetup.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0C3DB6A066B57E54BA347B82FC0446D4\D9D4C05C5CCE4DB45852CC38B53FAE55	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D9D4C05C5CCE4DB45852CC38B53FAE55\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D9D4C05C5CCE4DB45852CC38B53FAE55\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D9D4C05C5CCE4DB45852CC38B53FAE55\ProductFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D9D4C05C5CCE4DB45852CC38B53FAE55\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0C3DB6A066B57E54BA347B82FC0446D4	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D9D4C05C5CCE4DB45852CC38B53FAE55\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D9D4C05C5CCE4DB45852CC38B53FAE55	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D9D4C05C5CCE4DB45852CC38B53FAE55\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D9D4C05C5CCE4DB45852CC38B53FAE55\Assignment = "1"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4724	chrome.exe
4724	chrome.exe
2992	chrome.exe
2992	chrome.exe
4356	chrome.exe
4356	chrome.exe
4144	chrome.exe
4144	chrome.exe
1260	msiexec.exe
1260	msiexec.exe
5712	chrome.exe
5712	chrome.exe
5772	chrome.exe
5772	chrome.exe
5856	chrome.exe
5856	chrome.exe
6072	chrome.exe
6072	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4600	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4600	msiexec.exe
Token: SeSecurityPrivilege	1260	msiexec.exe
Token: SeCreateTokenPrivilege	4600	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4600	msiexec.exe
Token: SeLockMemoryPrivilege	4600	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4600	msiexec.exe
Token: SeMachineAccountPrivilege	4600	msiexec.exe
Token: SeTcbPrivilege	4600	msiexec.exe
Token: SeSecurityPrivilege	4600	msiexec.exe
Token: SeTakeOwnershipPrivilege	4600	msiexec.exe
Token: SeLoadDriverPrivilege	4600	msiexec.exe
Token: SeSystemProfilePrivilege	4600	msiexec.exe
Token: SeSystemtimePrivilege	4600	msiexec.exe
Token: SeProfSingleProcessPrivilege	4600	msiexec.exe
Token: SeIncBasePriorityPrivilege	4600	msiexec.exe
Token: SeCreatePagefilePrivilege	4600	msiexec.exe
Token: SeCreatePermanentPrivilege	4600	msiexec.exe
Token: SeBackupPrivilege	4600	msiexec.exe
Token: SeRestorePrivilege	4600	msiexec.exe
Token: SeShutdownPrivilege	4600	msiexec.exe
Token: SeDebugPrivilege	4600	msiexec.exe
Token: SeAuditPrivilege	4600	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4600	msiexec.exe
Token: SeChangeNotifyPrivilege	4600	msiexec.exe
Token: SeRemoteShutdownPrivilege	4600	msiexec.exe
Token: SeUndockPrivilege	4600	msiexec.exe
Token: SeSyncAgentPrivilege	4600	msiexec.exe
Token: SeEnableDelegationPrivilege	4600	msiexec.exe
Token: SeManageVolumePrivilege	4600	msiexec.exe
Token: SeImpersonatePrivilege	4600	msiexec.exe
Token: SeCreateGlobalPrivilege	4600	msiexec.exe
Token: SeBackupPrivilege	432	vssvc.exe
Token: SeRestorePrivilege	432	vssvc.exe
Token: SeAuditPrivilege	432	vssvc.exe
Token: SeBackupPrivilege	1260	msiexec.exe
Token: SeRestorePrivilege	1260	msiexec.exe
Token: SeRestorePrivilege	1260	msiexec.exe
Token: SeTakeOwnershipPrivilege	1260	msiexec.exe
Token: SeRestorePrivilege	1260	msiexec.exe
Token: SeTakeOwnershipPrivilege	1260	msiexec.exe
Token: SeRestorePrivilege	1260	msiexec.exe
Token: SeTakeOwnershipPrivilege	1260	msiexec.exe
Token: SeRestorePrivilege	1260	msiexec.exe
Token: SeTakeOwnershipPrivilege	1260	msiexec.exe
Token: SeRestorePrivilege	1260	msiexec.exe
Token: SeTakeOwnershipPrivilege	1260	msiexec.exe
Token: SeRestorePrivilege	1260	msiexec.exe
Token: SeTakeOwnershipPrivilege	1260	msiexec.exe
Token: SeRestorePrivilege	1260	msiexec.exe
Token: SeTakeOwnershipPrivilege	1260	msiexec.exe
Token: SeRestorePrivilege	1260	msiexec.exe
Token: SeTakeOwnershipPrivilege	1260	msiexec.exe
Token: SeRestorePrivilege	1260	msiexec.exe
Token: SeTakeOwnershipPrivilege	1260	msiexec.exe
Token: SeRestorePrivilege	1260	msiexec.exe
Token: SeTakeOwnershipPrivilege	1260	msiexec.exe
Token: SeRestorePrivilege	1260	msiexec.exe
Token: SeTakeOwnershipPrivilege	1260	msiexec.exe
Token: SeRestorePrivilege	1260	msiexec.exe
Token: SeTakeOwnershipPrivilege	1260	msiexec.exe
Token: SeRestorePrivilege	1260	msiexec.exe
Token: SeTakeOwnershipPrivilege	1260	msiexec.exe
Token: SeRestorePrivilege	1260	msiexec.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4600	msiexec.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 1288	2992	chrome.exe	92
PID 2992 wrote to memory of 1288	2992	chrome.exe	92
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4324	2992	chrome.exe	95
PID 2992 wrote to memory of 4724	2992	chrome.exe	96
PID 2992 wrote to memory of 4724	2992	chrome.exe	96
PID 2992 wrote to memory of 1868	2992	chrome.exe	97
PID 2992 wrote to memory of 1868	2992	chrome.exe	97
PID 2992 wrote to memory of 1868	2992	chrome.exe	97
PID 2992 wrote to memory of 1868	2992	chrome.exe	97
PID 2992 wrote to memory of 1868	2992	chrome.exe	97
PID 2992 wrote to memory of 1868	2992	chrome.exe	97
PID 2992 wrote to memory of 1868	2992	chrome.exe	97
PID 2992 wrote to memory of 1868	2992	chrome.exe	97
PID 2992 wrote to memory of 1868	2992	chrome.exe	97
PID 2992 wrote to memory of 1868	2992	chrome.exe	97
PID 2992 wrote to memory of 1868	2992	chrome.exe	97
PID 2992 wrote to memory of 1868	2992	chrome.exe	97
PID 2992 wrote to memory of 1868	2992	chrome.exe	97
PID 2992 wrote to memory of 1868	2992	chrome.exe	97
PID 2992 wrote to memory of 1868	2992	chrome.exe	97
PID 2992 wrote to memory of 1868	2992	chrome.exe	97
PID 2992 wrote to memory of 1868	2992	chrome.exe	97
PID 2992 wrote to memory of 1868	2992	chrome.exe	97
PID 2992 wrote to memory of 1868	2992	chrome.exe	97
PID 2992 wrote to memory of 1868	2992	chrome.exe	97

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ScratchLinkSetup.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4600

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1260
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1416

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffbd4f54f50,0x7ffbd4f54f60,0x7ffbd4f54f70
  2⤵
  PID:1288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1624,1421180258023334070,509699808294188306,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1648 /prefetch:2
  2⤵
  PID:4324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1624,1421180258023334070,509699808294188306,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1920 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1624,1421180258023334070,509699808294188306,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2272 /prefetch:8
  2⤵
  PID:1868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,1421180258023334070,509699808294188306,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2944 /prefetch:1
  2⤵
  PID:444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,1421180258023334070,509699808294188306,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3076 /prefetch:1
  2⤵
  PID:3300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,1421180258023334070,509699808294188306,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
  2⤵
  PID:4048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,1421180258023334070,509699808294188306,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4508 /prefetch:8
  2⤵
  PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,1421180258023334070,509699808294188306,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4596 /prefetch:8
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,1421180258023334070,509699808294188306,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4740 /prefetch:8
  2⤵
  PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,1421180258023334070,509699808294188306,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4748 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,1421180258023334070,509699808294188306,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4552 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,1421180258023334070,509699808294188306,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4796 /prefetch:8
  2⤵
  PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,1421180258023334070,509699808294188306,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4564 /prefetch:8
  2⤵
  PID:1084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,1421180258023334070,509699808294188306,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4960 /prefetch:8
  2⤵
  PID:3172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,1421180258023334070,509699808294188306,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:3424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,1421180258023334070,509699808294188306,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
  2⤵
  PID:5128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,1421180258023334070,509699808294188306,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
  2⤵
  PID:5200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,1421180258023334070,509699808294188306,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:5248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,1421180258023334070,509699808294188306,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
  2⤵
  PID:5372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,1421180258023334070,509699808294188306,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:5380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,1421180258023334070,509699808294188306,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3520 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,1421180258023334070,509699808294188306,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,1421180258023334070,509699808294188306,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
  2⤵
  PID:5844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,1421180258023334070,509699808294188306,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4020 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,1421180258023334070,509699808294188306,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 /prefetch:8
  2⤵
  PID:5948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,1421180258023334070,509699808294188306,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4420 /prefetch:8
  2⤵
  PID:6004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,1421180258023334070,509699808294188306,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,1421180258023334070,509699808294188306,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3956 /prefetch:8
  2⤵
  PID:5028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2804

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:6040
- C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6040_1899747811\ChromeRecovery.exe
  "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6040_1899747811\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={ae9344ad-0157-48df-a051-9442b8b56e58} --system
  2⤵
  - Executes dropped EXE
  PID:6092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6040_1899747811\ChromeRecovery.exe

Filesize
253KB

MD5
49ac3c96d270702a27b4895e4ce1f42a

SHA1
55b90405f1e1b72143c64113e8bc65608dd3fd76

SHA256
82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f

SHA512
b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

Filesize
471B

MD5
a42d6b7f35dc106fe04143b45822121a

SHA1
b63a1fb1c13742c87490842dded1cf2fad9d6f42

SHA256
c7dc52393ab5f724e38ebab5ed8f3906a4958596676fe4f78494a4aec9a86562

SHA512
1551a14c8b672920f70d16a16a07a008990842bfe783f7c02cfadd4f03414ef2ac2b0b5d8aff613c009aed6fdf588f8143463aa35cf6e4d4c4a9fa4a973b4310

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_B710960B79603056C6F5765D596C5695

Filesize
471B

MD5
31e7edec7245f21144f46ac0370b81d4

SHA1
2364406c1d05f9ce671e35ef6ba1348d2148fee9

SHA256
4efe07abd07c8a3fb23bde186d69750c4e4437d6f970b4c111fc4e328d9a184b

SHA512
099f3a5b8b7b65c21f439a2927146dab5b9b606519a26085d7ca2e0773ff96e2d189c0b1a294510da48d9c08b1cfaaca73a838fa48ed3c8134a03e216e82bb31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

Filesize
404B

MD5
51a7ebcc95e9363ccb42729d2ec10e41

SHA1
ffc52397591240b4fb72c77f0bc6f151dfff8cbb

SHA256
5ae9dbba03fdf7279c6a2922fbc89a0e45dfe71fc6bc407154d83cddb6505bfb

SHA512
16b5ea4d62abdbb96decc5562dc41f5e2fdc96ca011242dd44e21db5883b54545ae2a47de66f9e46bed6b7f5ffc82b82f5f96e648281497e1f1c47f05ee8a6fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_B710960B79603056C6F5765D596C5695

Filesize
430B

MD5
c98f0106cc65f9b0c5f02b10029f76c2

SHA1
d96846fa08e8e1648160ba7b4b77ad94431b69eb

SHA256
73f7c5346b130bf255d55fac2135cb0eb397cd6ef7c5cb48a4aaf9911709cc73

SHA512
d4c5d22cdf694538ce7a378dabbea4f6753b7941b44984330ed2be0063482f946592b6c16522494d1f9ab47df763380e0bf8948fb2cdfb5a7bf873013701e991

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3

Filesize
141KB

MD5
ea1c1ffd3ea54d1fb117bfdbb3569c60

SHA1
10958b0f690ae8f5240e1528b1ccffff28a33272

SHA256
7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d

SHA512
6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
ef66e8eab4ec9afdc9a0d10c6065eee3

SHA1
2f518768cd266b3cf0f15437aa0d8139f88a1391

SHA256
df9877f009b9fa68d6b0cdf1013ab2224a0cdf96c19a383952460a1760a8a418

SHA512
83f558c7e6179a7eae30803de42c9b41b7925a410d5c73ac774b3c0ac0f87d4650081dd036f6a6f86406ed2ac595ff2b3ca764fc15446a53a0d5c5d5ae4a3b58

Download Submit
\??\Volume{d26ecb05-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{1c23c363-97b8-40c3-97a4-b993c398faf1}_OnDiskSnapshotProp

Filesize
5KB

MD5
578168d0abea6335e6b541ce801a74e8

SHA1
122cbaceb224ef8268d34efb497b4d63c330faa7

SHA256
2ef80cac3129814612a4cf50607fd9b7736c800986ceef99bf47f0bf6da7aea3

SHA512
0585d1dcb5d216928a5cf53cf2e164de850fa512c79c03e56e606621a7ac500617cd0db51426814680877539a851593ac54e6ce40669a60d2596aedb0003a853

Download Submit