hxxps://www[.]mediafire[.]com/file/dxvk1ppt4zmmpol/Fabfilter-20220224T164548Z-001[.]zip/file

Analysis

max time kernel
182s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2023 10:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/dxvk1ppt4zmmpol/Fabfilter-20220224T164548Z-001.zip/file

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

FabFilter Total Bundle v2020.12 CE.exeFabFilter Total Bundle v2020.12 CE.tmp

pid process

2996 FabFilter Total Bundle v2020.12 CE.exe
3320 FabFilter Total Bundle v2020.12 CE.tmp
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2996	FabFilter Total Bundle v2020.12 CE.exe
3320	FabFilter Total Bundle v2020.12 CE.tmp

Drops desktop.ini file(s) 2 IoCs

Processes:

FabFilter Total Bundle v2020.12 CE.tmp

description	ioc	process
File opened for modification	C:\Program Files\Steinberg\VSTPlugins\FabFilter\desktop.ini	FabFilter Total Bundle v2020.12 CE.tmp
File opened for modification	C:\Program Files\Common Files\VST3\FabFilter\desktop.ini	FabFilter Total Bundle v2020.12 CE.tmp

Drops file in Program Files directory 64 IoCs

Processes:

FabFilter Total Bundle v2020.12 CE.tmp

description	ioc	process
File created	C:\Program Files\Steinberg\VSTPlugins\FabFilter\is-R1VPN.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\FabFilter\Pro-R\is-B7UQI.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\FabFilter\Saturn\is-5NISF.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\FabFilter\Twin 2\is-LUR8T.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File opened for modification	C:\Program Files\Steinberg\VSTPlugins\FabFilter\FabFilter Pro-C 2.dll	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\Steinberg\VSTPlugins\FabFilter\is-L8OMI.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\FabFilter\Pro-Q\is-PF3SR.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\FabFilter\Saturn 2\is-GG574.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\FabFilter\Timeless 2\is-N9GGT.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\Common Files\VST3\FabFilter\is-2G5KQ.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\FabFilter\One\is-G4BC0.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\FabFilter\Pro-MB\is-OM7RM.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\FabFilter\Saturn 2\is-1D5FO.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File opened for modification	C:\Program Files\FabFilter\Twin 2\FabFilter Twin 2.chm	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\FabFilter\Micro\is-4DFDT.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\FabFilter\Pro-L\is-CTUBS.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\FabFilter\Pro-Q 3\is-S232U.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File opened for modification	C:\Program Files\Steinberg\VSTPlugins\FabFilter\FabFilter One.dll	FabFilter Total Bundle v2020.12 CE.tmp
File opened for modification	C:\Program Files\FabFilter\Simplon\FabFilter Simplon.chm	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\Steinberg\VSTPlugins\FabFilter\is-HI54I.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\FabFilter\Twin 2\is-RB7R8.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File opened for modification	C:\Program Files\Steinberg\VSTPlugins\FabFilter\FabFilter Timeless 2.dll	FabFilter Total Bundle v2020.12 CE.tmp
File opened for modification	C:\Program Files\Common Files\VST3\FabFilter\PlugIn.ico	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\FabFilter\Pro-MB\is-6UCDM.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\FabFilter\Volcano 2\is-D1856.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File opened for modification	C:\Program Files\FabFilter\Pro-Q 3\FabFilter Pro-Q 3.chm	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\FabFilter\Pro-L 2\is-86BOU.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File opened for modification	C:\Program Files\FabFilter\One\FabFilter One.chm	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\Steinberg\VSTPlugins\FabFilter\is-2ANBH.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\Common Files\VST3\FabFilter\is-T7MNS.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\Common Files\VST3\FabFilter\is-42ABB.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File opened for modification	C:\Program Files\Steinberg\VSTPlugins\FabFilter\FabFilter Pro-G (Mono).dll	FabFilter Total Bundle v2020.12 CE.tmp
File opened for modification	C:\Program Files\Steinberg\VSTPlugins\FabFilter\FabFilter Timeless 2 (SC).dll	FabFilter Total Bundle v2020.12 CE.tmp
File opened for modification	C:\Program Files\Steinberg\VSTPlugins\FabFilter\FabFilter Saturn 2.dll	FabFilter Total Bundle v2020.12 CE.tmp
File opened for modification	C:\Program Files\Steinberg\VSTPlugins\FabFilter\desktop.ini	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\Steinberg\VSTPlugins\FabFilter\is-4Q1RE.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\FabFilter\Pro-Q 3\is-NTECA.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File opened for modification	C:\Program Files\Steinberg\VSTPlugins\FabFilter\FabFilter Pro-DS.dll	FabFilter Total Bundle v2020.12 CE.tmp
File opened for modification	C:\Program Files\Steinberg\VSTPlugins\FabFilter\FabFilter Pro-G.dll	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\Steinberg\VSTPlugins\FabFilter\is-G6BRR.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\Common Files\VST3\FabFilter\is-VRFHI.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\Common Files\VST3\FabFilter\is-SI5NR.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\Steinberg\VSTPlugins\FabFilter\is-1KNOA.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\FabFilter\Pro-DS\is-TCKHT.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\Steinberg\VSTPlugins\FabFilter\is-H0MLP.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\FabFilter\Pro-DS\is-LT4K5.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\FabFilter\is-0L9LD.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\FabFilter\Pro-L\is-9PFRJ.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\Steinberg\VSTPlugins\FabFilter\is-QNFJE.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\Steinberg\VSTPlugins\FabFilter\is-FQ8I9.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\FabFilter\Pro-C 2\is-P4PGL.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File opened for modification	C:\Program Files\Steinberg\VSTPlugins\FabFilter\FabFilter Pro-R (Mono).dll	FabFilter Total Bundle v2020.12 CE.tmp
File opened for modification	C:\Program Files\FabFilter\Saturn\FabFilter Saturn.chm	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\Steinberg\VSTPlugins\FabFilter\is-CGEC6.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\Steinberg\VSTPlugins\FabFilter\is-2KAMI.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\Common Files\VST3\FabFilter\is-7U1RK.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\FabFilter\One\is-313IO.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File opened for modification	C:\Program Files\Steinberg\VSTPlugins\FabFilter\FabFilter Pro-L 2.dll	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\Steinberg\VSTPlugins\FabFilter\is-M661N.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File opened for modification	C:\Program Files\Common Files\VST3\FabFilter\desktop.ini	FabFilter Total Bundle v2020.12 CE.tmp
File opened for modification	C:\Program Files\FabFilter\Pro-MB\FabFilter Pro-MB.chm	FabFilter Total Bundle v2020.12 CE.tmp
File opened for modification	C:\Program Files\Steinberg\VSTPlugins\FabFilter	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\Steinberg\VSTPlugins\FabFilter\is-0VKLT.tmp	FabFilter Total Bundle v2020.12 CE.tmp
File created	C:\Program Files\FabFilter\Simplon\is-E40K7.tmp	FabFilter Total Bundle v2020.12 CE.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msinfo32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	msinfo32.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msinfo32.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMinorRelease	msinfo32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msinfo32.exe

Modifies registry class 2 IoCs

Processes:

chrome.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeFabFilter Total Bundle v2020.12 CE.tmp

pid	process
4384	chrome.exe
4384	chrome.exe
4984	chrome.exe
4984	chrome.exe
5080	chrome.exe
5080	chrome.exe
5344	chrome.exe
5344	chrome.exe
5992	chrome.exe
5992	chrome.exe
6040	chrome.exe
6040	chrome.exe
5212	chrome.exe
5212	chrome.exe
5392	chrome.exe
5392	chrome.exe
5320	chrome.exe
5320	chrome.exe
5320	chrome.exe
5320	chrome.exe
3320	FabFilter Total Bundle v2020.12 CE.tmp
3320	FabFilter Total Bundle v2020.12 CE.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

msinfo32.exe

pid process

4828 msinfo32.exe

pid	process
4828	msinfo32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 31 IoCs

Processes:

chrome.exe

pid	process
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

7zG.exe7zG.exe

description	pid	process
Token: SeRestorePrivilege	5856	7zG.exe
Token: 35	5856	7zG.exe
Token: SeSecurityPrivilege	5856	7zG.exe
Token: SeSecurityPrivilege	5856	7zG.exe
Token: SeRestorePrivilege	5916	7zG.exe
Token: 35	5916	7zG.exe
Token: SeSecurityPrivilege	5916	7zG.exe
Token: SeSecurityPrivilege	5916	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe
4984	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

1528 OpenWith.exe

pid	process
1528	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4984 wrote to memory of 1580	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 1580	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2448	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 4384	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 4384	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2600	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2600	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2600	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2600	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2600	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2600	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2600	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2600	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2600	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2600	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2600	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2600	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2600	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2600	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2600	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2600	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2600	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2600	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2600	4984	chrome.exe	chrome.exe
PID 4984 wrote to memory of 2600	4984	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.mediafire.com/file/dxvk1ppt4zmmpol/Fabfilter-20220224T164548Z-001.zip/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe36b64f50,0x7ffe36b64f60,0x7ffe36b64f70
2⤵
PID:1580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1712 /prefetch:2
2⤵
PID:2448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2028 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2300 /prefetch:8
2⤵
PID:2600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3048 /prefetch:1
2⤵
PID:3716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3056 /prefetch:1
2⤵
PID:1260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4348 /prefetch:8
2⤵
PID:5020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
2⤵
PID:2880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
2⤵
PID:4620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
2⤵
PID:4660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
2⤵
PID:608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
2⤵
PID:4312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
2⤵
PID:5100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
2⤵
PID:4060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
2⤵
PID:4960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
2⤵
PID:1800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6716 /prefetch:1
2⤵
PID:4428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7444 /prefetch:1
2⤵
PID:3604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
2⤵
PID:4644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7080 /prefetch:8
2⤵
PID:5184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7632 /prefetch:8
2⤵
PID:5192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5424 /prefetch:8
2⤵
PID:5304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6312 /prefetch:8
2⤵
PID:5336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6296 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7708 /prefetch:8
2⤵
PID:5412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6332 /prefetch:8
2⤵
PID:5448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7388 /prefetch:1
2⤵
PID:5480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1560 /prefetch:1
2⤵
PID:5708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1
2⤵
PID:5716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
2⤵
PID:5724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7324 /prefetch:1
2⤵
PID:5824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
2⤵
PID:5832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7340 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7592 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:6040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
2⤵
PID:6092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2704 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3516 /prefetch:8
2⤵
PID:5216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2800 /prefetch:1
2⤵
PID:4164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8056 /prefetch:1
2⤵
PID:4604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2732 /prefetch:1
2⤵
PID:760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2556 /prefetch:1
2⤵
PID:1772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7400 /prefetch:1
2⤵
PID:5352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2832 /prefetch:1
2⤵
PID:5360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=812 /prefetch:1
2⤵
PID:5356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
2⤵
PID:5780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8356 /prefetch:8
2⤵
PID:5744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8300 /prefetch:8
2⤵
PID:5724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8308 /prefetch:8
2⤵
PID:6060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
2⤵
PID:4512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
2⤵
PID:4400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8600 /prefetch:1
2⤵
PID:260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4756 /prefetch:8
2⤵
PID:5236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=8420 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8468 /prefetch:8
2⤵
PID:5440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1668,10904670284570341382,6548017716774472803,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8388 /prefetch:8
2⤵
PID:5756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2224

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3224

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Fabfilter-20220224T164548Z-001\" -spe -an -ai#7zMap30860:122:7zEvent12702
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5856

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Fabfilter-20220224T164548Z-001\Fabfilter\FabFilter - Total Bundle v2020.12 SAL.VST.VST3.AAX.AU x86 x64 [WIN-OSX] [11.12.2020]\" -spe -an -ai#7zMap8133:310:7zEvent11161
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5916

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1528

C:\Users\Admin\Downloads\Fabfilter-20220224T164548Z-001\Fabfilter\FabFilter - Total Bundle v2020.12 SAL.VST.VST3.AAX.AU x86 x64 [WIN-OSX] [11.12.2020]\win\FabFilter Total Bundle v2020.12 CE.exe
"C:\Users\Admin\Downloads\Fabfilter-20220224T164548Z-001\Fabfilter\FabFilter - Total Bundle v2020.12 SAL.VST.VST3.AAX.AU x86 x64 [WIN-OSX] [11.12.2020]\win\FabFilter Total Bundle v2020.12 CE.exe"
1⤵
- Executes dropped EXE
PID:2996

C:\Users\Admin\AppData\Local\Temp\is-N9UER.tmp\FabFilter Total Bundle v2020.12 CE.tmp
"C:\Users\Admin\AppData\Local\Temp\is-N9UER.tmp\FabFilter Total Bundle v2020.12 CE.tmp" /SL5="$8022C,40670732,966144,C:\Users\Admin\Downloads\Fabfilter-20220224T164548Z-001\Fabfilter\FabFilter - Total Bundle v2020.12 SAL.VST.VST3.AAX.AU x86 x64 [WIN-OSX] [11.12.2020]\win\FabFilter Total Bundle v2020.12 CE.exe"
2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:3320

C:\Windows\system32\msinfo32.exe
"C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\Downloads\Fabfilter-20220224T164548Z-001\Fabfilter\FabFilter - Total Bundle v2020.12 SAL.VST.VST3.AAX.AU x86 x64 [WIN-OSX] [11.12.2020]\win\VR.nfo"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
PID:4828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N9UER.tmp\FabFilter Total Bundle v2020.12 CE.tmp
Filesize
3.1MB

MD5
0de2a9d4fd8a2f7d52e4aeceeb2c6a3b

SHA1
383f064662ac01ac4abf267d3edfba5f113f3b0a

SHA256
a8d012403b028225f3ca115a141f89521a232b113617f6ee759853d95cb0e966

SHA512
17d4b54cf116ce90475f5d32e125cb6793814be40f1ae642f5d0b31a221c93e7589503ce7facb0bbdd9151127b2e54c8aae2ff9e7b01e51eca707d20196b3f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N9UER.tmp\FabFilter Total Bundle v2020.12 CE.tmp
Filesize
3.1MB

MD5
0de2a9d4fd8a2f7d52e4aeceeb2c6a3b

SHA1
383f064662ac01ac4abf267d3edfba5f113f3b0a

SHA256
a8d012403b028225f3ca115a141f89521a232b113617f6ee759853d95cb0e966

SHA512
17d4b54cf116ce90475f5d32e125cb6793814be40f1ae642f5d0b31a221c93e7589503ce7facb0bbdd9151127b2e54c8aae2ff9e7b01e51eca707d20196b3f7f

Download Submit
C:\Users\Admin\Downloads\Fabfilter-20220224T164548Z-001.zip
Filesize
39.1MB

MD5
27e50d764abb68b9172560909d67a8a2

SHA1
d0170da29a26d9cdd93d288f6cb6b5276eb5a1b6

SHA256
9c93212404a9e5062a2d6afab31273bf5b961e901a86e6ee1d678a46634c030d

SHA512
6be5c891cb893bf2fd1aabd27ea1ce98f13b0942c58cf40987a39d4fd3d9ab13527f62af6d86abd2928b9f934a2b3162d5b9df57545fd9da8b8ee81270a43e20

Download Submit
C:\Users\Admin\Downloads\Fabfilter-20220224T164548Z-001\Fabfilter\FabFilter - Total Bundle v2020.12 SAL.VST.VST3.AAX.AU x86 x64 [WIN-OSX] [11.12.2020].7z
Filesize
39.1MB

MD5
c9db579af648382b5fc492dfeb14bd11

SHA1
662aad11d42309a694b4794ee807f4cc30779293

SHA256
0212313ef0c574dc21b725fad2dc4fb4a8c8dc4bf92d164a04cbd5207bc83bd9

SHA512
8c3705778a7f473fb2770da29afddb029081cda1a3b3604fa2ea79264c6f9431af473fbe94ba683eb7435f3650a8a4a737f7d108e230f97d08e86fcfe7791def

Download Submit
C:\Users\Admin\Downloads\Fabfilter-20220224T164548Z-001\Fabfilter\FabFilter - Total Bundle v2020.12 SAL.VST.VST3.AAX.AU x86 x64 [WIN-OSX] [11.12.2020]\win\FabFilter Total Bundle v2020.12 CE.exe
Filesize
39.8MB

MD5
dd8b6f21030112017ba28b582e872666

SHA1
1b76cc7bfb66ed17124a48aa70a0240aeec47a73

SHA256
1bffdd3afaa6e7602df5556b8e1f77aa17163144cf58467c7fe7f3d7db46408d

SHA512
b83d439f931acbb042a62f9c63f3cb6bc8629d554c8b4b0d0650efd201770e3b4bc3fe60268300e9552ac23f8fd7d5cb5b41d483d3f9aa04926409e6c57f775a

Download Submit
C:\Users\Admin\Downloads\Fabfilter-20220224T164548Z-001\Fabfilter\FabFilter - Total Bundle v2020.12 SAL.VST.VST3.AAX.AU x86 x64 [WIN-OSX] [11.12.2020]\win\FabFilter Total Bundle v2020.12 CE.exe
Filesize
39.8MB

MD5
dd8b6f21030112017ba28b582e872666

SHA1
1b76cc7bfb66ed17124a48aa70a0240aeec47a73

SHA256
1bffdd3afaa6e7602df5556b8e1f77aa17163144cf58467c7fe7f3d7db46408d

SHA512
b83d439f931acbb042a62f9c63f3cb6bc8629d554c8b4b0d0650efd201770e3b4bc3fe60268300e9552ac23f8fd7d5cb5b41d483d3f9aa04926409e6c57f775a

Download Submit
C:\Users\Admin\Downloads\Fabfilter-20220224T164548Z-001\Fabfilter\FabFilter - Total Bundle v2020.12 SAL.VST.VST3.AAX.AU x86 x64 [WIN-OSX] [11.12.2020]\win\VR.nfo
Filesize
545B

MD5
56a3e6c97200c4bde72b77f617557a4f

SHA1
c96de2e25f91b6a16015d5cdf92d930169f59c8b

SHA256
57497b7335aafcf94f628c18a6f6ba40c0838c00cb61b581549f9032e591a13c

SHA512
e295ee3ae807f022e3889cf3929d051c5db0c6b4618c337fb3793f7c7534abf12b7c14087aadf5ea0620ea9cc2263af5021d54c904dd91e217099af01cb09780

Download Submit
\??\pipe\crashpad_4984_QJLXLMMBLNHQINMT
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2996-138-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2996-143-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2996-144-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2996-145-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3320-140-0x0000000000000000-mapping.dmp

Download