hxxps://www[.]youtube[.]com/redirect?event=video_description&redir_token=QUFFLUhqbjdjY2x2QnBESHVCTGpBQ3VoODBOOUd5X3NGZ3xBQ3Jtc0ttc19uRDVKZ1NiM0hlWlJBSWRqS0hjaVhIaGVkWmp5dF8zTC13WDl5R0tqcWlFQy1pcWxEbWZ6TTJJSXFtY0V6MDlPdExIcUs4RzJmLU1qSV9hTHM3U2dRNlFQUkctYnhXbEJfTV9nUWdZdjkyWkJqUQ&q=https%3A%2F%2Fone-clickr[.]cc%2Fadobeaftereffects&v=JJZwHzx1Xlk

Analysis

max time kernel
968s
max time network
1016s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11-01-2023 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbjdjY2x2QnBESHVCTGpBQ3VoODBOOUd5X3NGZ3xBQ3Jtc0ttc19uRDVKZ1NiM0hlWlJBSWRqS0hjaVhIaGVkWmp5dF8zTC13WDl5R0tqcWlFQy1pcWxEbWZ6TTJJSXFtY0V6MDlPdExIcUs4RzJmLU1qSV9hTHM3U2dRNlFQUkctYnhXbEJfTV9nUWdZdjkyWkJqUQ&q=https%3A%2F%2Fone-clickr.cc%2Fadobeaftereffects&v=JJZwHzx1Xlk

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1212	Adobe.After.Effects.exe
1540	Adobe.After.Effects.tmp
1104	ChromeRecovery.exe

Loads dropped DLL 2 IoCs

pid	Process
1212	Adobe.After.Effects.exe
1540	Adobe.After.Effects.tmp

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir452_94014124\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir452_94014124\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir452_94014124\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir452_94014124\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir452_94014124\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir452_94014124\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir452_94014124\ChromeRecoveryCRX.crx	elevation_service.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
944	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
960	chrome.exe
1416	chrome.exe
580	chrome.exe
1540	chrome.exe
1636	chrome.exe
1540	Adobe.After.Effects.tmp
1540	Adobe.After.Effects.tmp

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeRestorePrivilege	932	7zG.exe
Token: 35	932	7zG.exe
Token: SeSecurityPrivilege	932	7zG.exe
Token: SeSecurityPrivilege	932	7zG.exe
Token: 33	684	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	684	AUDIODG.EXE
Token: 33	684	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	684	AUDIODG.EXE
Token: SeRestorePrivilege	976	7zG.exe
Token: 35	976	7zG.exe
Token: SeSecurityPrivilege	976	7zG.exe
Token: SeSecurityPrivilege	976	7zG.exe
Token: SeRestorePrivilege	1900	7zG.exe
Token: 35	1900	7zG.exe
Token: SeSecurityPrivilege	1900	7zG.exe
Token: SeSecurityPrivilege	1900	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 1000	1884	chrome.exe	27
PID 1884 wrote to memory of 1000	1884	chrome.exe	27
PID 1884 wrote to memory of 1000	1884	chrome.exe	27
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 1352	1884	chrome.exe	28
PID 1884 wrote to memory of 944	1884	chrome.exe	29
PID 1884 wrote to memory of 944	1884	chrome.exe	29
PID 1884 wrote to memory of 944	1884	chrome.exe	29
PID 1884 wrote to memory of 1012	1884	chrome.exe	30
PID 1884 wrote to memory of 1012	1884	chrome.exe	30
PID 1884 wrote to memory of 1012	1884	chrome.exe	30
PID 1884 wrote to memory of 1012	1884	chrome.exe	30
PID 1884 wrote to memory of 1012	1884	chrome.exe	30
PID 1884 wrote to memory of 1012	1884	chrome.exe	30
PID 1884 wrote to memory of 1012	1884	chrome.exe	30
PID 1884 wrote to memory of 1012	1884	chrome.exe	30
PID 1884 wrote to memory of 1012	1884	chrome.exe	30
PID 1884 wrote to memory of 1012	1884	chrome.exe	30
PID 1884 wrote to memory of 1012	1884	chrome.exe	30
PID 1884 wrote to memory of 1012	1884	chrome.exe	30
PID 1884 wrote to memory of 1012	1884	chrome.exe	30
PID 1884 wrote to memory of 1012	1884	chrome.exe	30
PID 1884 wrote to memory of 1012	1884	chrome.exe	30
PID 1884 wrote to memory of 1012	1884	chrome.exe	30
PID 1884 wrote to memory of 1012	1884	chrome.exe	30

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbjdjY2x2QnBESHVCTGpBQ3VoODBOOUd5X3NGZ3xBQ3Jtc0ttc19uRDVKZ1NiM0hlWlJBSWRqS0hjaVhIaGVkWmp5dF8zTC13WDl5R0tqcWlFQy1pcWxEbWZ6TTJJSXFtY0V6MDlPdExIcUs4RzJmLU1qSV9hTHM3U2dRNlFQUkctYnhXbEJfTV9nUWdZdjkyWkJqUQ&q=https%3A%2F%2Fone-clickr.cc%2Fadobeaftereffects&v=JJZwHzx1Xlk
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6ae4f50,0x7fef6ae4f60,0x7fef6ae4f70
  2⤵
  PID:1000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1132,7066606170263847002,2257023391428911686,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1148 /prefetch:2
  2⤵
  PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1132,7066606170263847002,2257023391428911686,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1400 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1132,7066606170263847002,2257023391428911686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1848 /prefetch:8
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,7066606170263847002,2257023391428911686,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2024 /prefetch:1
  2⤵
  PID:276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,7066606170263847002,2257023391428911686,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2016 /prefetch:1
  2⤵
  PID:820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,7066606170263847002,2257023391428911686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3064 /prefetch:8
  2⤵
  PID:1440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1132,7066606170263847002,2257023391428911686,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3320 /prefetch:2
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,7066606170263847002,2257023391428911686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,7066606170263847002,2257023391428911686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=544 /prefetch:8
  2⤵
  PID:1348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1132,7066606170263847002,2257023391428911686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4048 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1132,7066606170263847002,2257023391428911686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3964 /prefetch:8
  2⤵
  PID:688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,7066606170263847002,2257023391428911686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3044 /prefetch:8
  2⤵
  PID:1492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1132,7066606170263847002,2257023391428911686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4044 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1132,7066606170263847002,2257023391428911686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 /prefetch:8
  2⤵
  PID:1264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,7066606170263847002,2257023391428911686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
  2⤵
  PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1132,7066606170263847002,2257023391428911686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4076 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,7066606170263847002,2257023391428911686,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:1020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1132,7066606170263847002,2257023391428911686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2264 /prefetch:8
  2⤵
  PID:188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1132,7066606170263847002,2257023391428911686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3252 /prefetch:8
  2⤵
  PID:1176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1132,7066606170263847002,2257023391428911686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3232 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1132,7066606170263847002,2257023391428911686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1032 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1132,7066606170263847002,2257023391428911686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4036 /prefetch:8
  2⤵
  PID:1176

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\" -spe -an -ai#7zMap19990:118:7zEvent23662
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x180
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:684

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\Adobe.After.Effects\" -spe -an -ai#7zMap8497:156:7zEvent7637
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\Adobe.After.Effects\" -spe -an -ai#7zMap29255:156:7zEvent7321
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\Adobe.After.Effects\Adobe.After.Effects.exe
"C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\Adobe.After.Effects\Adobe.After.Effects.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1212
- C:\Users\Admin\AppData\Local\Temp\is-OOLOP.tmp\Adobe.After.Effects.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-OOLOP.tmp\Adobe.After.Effects.tmp" /SL5="$40224,1644573423,912384,C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\Adobe.After.Effects\Adobe.After.Effects.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1540

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:452
- C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir452_94014124\ChromeRecovery.exe
  "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir452_94014124\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={211cd3d1-ae5c-4d8a-9c42-ed9a9822e93c} --system
  2⤵
  - Executes dropped EXE
  PID:1104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir452_94014124\ChromeRecovery.exe

Filesize
253KB

MD5
49ac3c96d270702a27b4895e4ce1f42a

SHA1
55b90405f1e1b72143c64113e8bc65608dd3fd76

SHA256
82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f

SHA512
b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3

Filesize
141KB

MD5
ea1c1ffd3ea54d1fb117bfdbb3569c60

SHA1
10958b0f690ae8f5240e1528b1ccffff28a33272

SHA256
7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d

SHA512
6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OOLOP.tmp\Adobe.After.Effects.tmp

Filesize
3.1MB

MD5
4ae702384ab748c432a6fe91a3ef5b79

SHA1
da04d2586b13d0bf4474f22c1d0cf178abc7fea2

SHA256
39d8aa41fd9e52227daa75bd1d5d426451ae78553440ca20f125c9d528d1be0b

SHA512
5d0421938963edd7c8e51ddb63582769e9469ea1eb5be9c85b19cad379411618cd5024279f023e82ab4984a4d26fa516028b5b7c117da118ccace51ceea95215

Download Submit
C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234.zip

Filesize
1572.3MB

MD5
3408de826e5f912582dac001fdb8df61

SHA1
a4daab81fba4706a22c48d3720494e3bc2df13ef

SHA256
b8169b769b70a8066e9f977acb40e0fedbd77023947dbd0896d18622698d372b

SHA512
e1a6d2e7a5d95e972c99de6b49c49695913f7bdb9218557ad132d4e4b49c99b80283968cd7486c3b9812dda08e622a8156abafa526f71a78e939ade7f20d1f42

Download Submit
C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\Adobe.After.Effects.7z

Filesize
1569.2MB

MD5
ee6431b7b069ec5447be63a84afdc3ab

SHA1
4f8a97894fbe006b884d4864701c46cd81c8d274

SHA256
9b19d8712a50f45886fc634914bf8a575728045c5807ec49c5961ec1b09b20ef

SHA512
7e6dcee0fbacc5ea563d3b36976c2403d9ee864d6c66c35741f96921308e6681b0346b72f11a3368424908dc6c5db9d9d7bf161bf7455c1fe9052b18051f309a

Download Submit
C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\Adobe.After.Effects\Adobe.After.Effects.exe

Filesize
1411.1MB

MD5
494e146adfa04946c92d862086514ad4

SHA1
7340bedfd2980e4a6760c4a4525faa927f01ca03

SHA256
97c7d1aa6279ce785c5a13d5289537e27e391b61bc2b57982d140ed95b848d23

SHA512
f06723600f3da2cab446f919b6dbe1df61199d3ba9c7ff0e5ae07ea5abc51612bf73c576c32e860fb0cc885c0ac0f5a86e3e98a581b98f9adafe2a660fcedf26

Download Submit
C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\Adobe.After.Effects\Adobe.After.Effects.exe

Filesize
1330.4MB

MD5
c341107a1e24b92ce13045eaf8e57d0d

SHA1
89263ca8fff0b1919d54e6faf4d5b14f795168d1

SHA256
45cd1e232029344a541508eb125dd4d76e7265825ea1aa23d8e189d31de4cb45

SHA512
7ccc9981a50b5c177da2483d264a372e8cddd891ec54b9b1e6cef0aa8e35b9ab20caf481ad66914e6aefd0735981ce6e090512f9fe04bcf220aae37fe8b70446

Download Submit
\Users\Admin\AppData\Local\Temp\is-92P39.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-OOLOP.tmp\Adobe.After.Effects.tmp

Filesize
3.1MB

MD5
4ae702384ab748c432a6fe91a3ef5b79

SHA1
da04d2586b13d0bf4474f22c1d0cf178abc7fea2

SHA256
39d8aa41fd9e52227daa75bd1d5d426451ae78553440ca20f125c9d528d1be0b

SHA512
5d0421938963edd7c8e51ddb63582769e9469ea1eb5be9c85b19cad379411618cd5024279f023e82ab4984a4d26fa516028b5b7c117da118ccace51ceea95215

Download Submit
memory/932-55-0x000007FEFBDB1000-0x000007FEFBDB3000-memory.dmp

Filesize
8KB

Download
memory/1212-65-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1212-62-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1212-61-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download
memory/1540-71-0x00000000746A1000-0x00000000746A3000-memory.dmp

Filesize
8KB

Download