f445d3662222075755bcadd7e8aea13830679f14cf290126bc024fa636a0982b

Analysis

max time kernel
63s
max time network
151s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13-06-2023 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mod Installer/Scarab.exe
Size

88.8MB
MD5

a093c0d9c2392def8a9f8524f337b68f
SHA1

69698aa863f12fae02d19fc033a52e4f904e900d
SHA256

2ba106e57bacbce734de86ac9deab2a763087ca38291b5298130736b1474236f
SHA512

7e3ae3120ae28ae3ce8691904d45017d561cd53459816fa94e6d4f0b9533b9d90d2c556e42cd2daf9faa43c46284e8193c9604855a73daa9c8441b70875483cd
SSDEEP

786432:X2OYL67WBlefpvpqjTFK7TkLy/kkPZSaXnRPGyY6+:XiL6qiRvsjTFK7TyjoPG3

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 31 IoCs

Processes:

Scarab.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}	Scarab.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1"	Scarab.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Scarab.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Scarab.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Scarab.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	Scarab.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	Scarab.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	Scarab.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg	Scarab.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1"	Scarab.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	Scarab.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Scarab.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Scarab.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Scarab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	Scarab.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Scarab.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Scarab.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Scarab.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Scarab.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	Scarab.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257"	Scarab.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	Scarab.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Scarab.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}	Scarab.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16"	Scarab.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_Classes\Local Settings	Scarab.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	Scarab.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4"	Scarab.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	Scarab.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Scarab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	Scarab.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Scarab.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Scarab.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Scarab.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

1748 chrome.exe
1748 chrome.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1748	chrome.exe
Token: SeShutdownPrivilege	1748	chrome.exe
Token: SeShutdownPrivilege	1748	chrome.exe
Token: SeShutdownPrivilege	1748	chrome.exe
Token: SeShutdownPrivilege	1748	chrome.exe
Token: SeShutdownPrivilege	1748	chrome.exe
Token: SeShutdownPrivilege	1748	chrome.exe
Token: SeShutdownPrivilege	1748	chrome.exe
Token: SeShutdownPrivilege	1748	chrome.exe
Token: SeShutdownPrivilege	1748	chrome.exe
Token: SeShutdownPrivilege	1748	chrome.exe
Token: SeShutdownPrivilege	1748	chrome.exe
Token: SeShutdownPrivilege	1748	chrome.exe
Token: SeShutdownPrivilege	1748	chrome.exe
Token: SeShutdownPrivilege	1748	chrome.exe
Token: SeShutdownPrivilege	1748	chrome.exe

Suspicious use of FindShellTrayWindow 50 IoCs

Processes:

chrome.exe

pid	process
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

chrome.exe

pid	process
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe
1748	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Scarab.exe

pid process

1204 Scarab.exe

pid	process
1204	Scarab.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1748 wrote to memory of 1948	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1948	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1948	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 788	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 788	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 788	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 788	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 788	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 788	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 788	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 788	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 788	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 788	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 788	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 788	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 788	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 788	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 788	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 788	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 788	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 788	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 788	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 788	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 788	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 788	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 788	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 788	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 788	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 788	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 788	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 788	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 788	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 788	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 788	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 788	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 788	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 788	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 788	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 788	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 788	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 788	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 788	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1548	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1548	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1548	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1692	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1692	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1692	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1692	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1692	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1692	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1692	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1692	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1692	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1692	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1692	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1692	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1692	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1692	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1692	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1692	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1692	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1692	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1692	1748	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\Mod Installer\Scarab.exe
"C:\Users\Admin\AppData\Local\Temp\Mod Installer\Scarab.exe"
1⤵
- Modifies registry class
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:1204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef68b9758,0x7fef68b9768,0x7fef68b9778
2⤵
PID:1948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1188 --field-trial-handle=1336,i,2230493363646225958,12616357102798337821,131072 /prefetch:2
2⤵
PID:788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1336,i,2230493363646225958,12616357102798337821,131072 /prefetch:8
2⤵
PID:1548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1336,i,2230493363646225958,12616357102798337821,131072 /prefetch:8
2⤵
PID:1692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2308 --field-trial-handle=1336,i,2230493363646225958,12616357102798337821,131072 /prefetch:1
2⤵
PID:1476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2364 --field-trial-handle=1336,i,2230493363646225958,12616357102798337821,131072 /prefetch:1
2⤵
PID:1108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1188 --field-trial-handle=1336,i,2230493363646225958,12616357102798337821,131072 /prefetch:2
2⤵
PID:2064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2260 --field-trial-handle=1336,i,2230493363646225958,12616357102798337821,131072 /prefetch:1
2⤵
PID:2192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3912 --field-trial-handle=1336,i,2230493363646225958,12616357102798337821,131072 /prefetch:8
2⤵
PID:2220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4032 --field-trial-handle=1336,i,2230493363646225958,12616357102798337821,131072 /prefetch:8
2⤵
PID:2228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4192 --field-trial-handle=1336,i,2230493363646225958,12616357102798337821,131072 /prefetch:1
2⤵
PID:2392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2300 --field-trial-handle=1336,i,2230493363646225958,12616357102798337821,131072 /prefetch:1
2⤵
PID:3048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2540 --field-trial-handle=1336,i,2230493363646225958,12616357102798337821,131072 /prefetch:1
2⤵
PID:2080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4544 --field-trial-handle=1336,i,2230493363646225958,12616357102798337821,131072 /prefetch:1
2⤵
PID:932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4744 --field-trial-handle=1336,i,2230493363646225958,12616357102798337821,131072 /prefetch:1
2⤵
PID:2624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5724 --field-trial-handle=1336,i,2230493363646225958,12616357102798337821,131072 /prefetch:1
2⤵
PID:2180

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
bb0bf1dfee4d5bcc0956b02414de463d

SHA1
bbbcaba97f1eab3b3199c3486425bd9ff9135dd1

SHA256
7a2d7360675d18a6d8548c8ca2c03a222e139a78825025afd6f377280bd64a95

SHA512
7111eb7d388b918dd6c32d463f063bd417927fe42bc467294add23b81cdca943f64ac2d5478bdfdf266afe99fbe50ca8d026514dedaa34e025c31e4cb44acb33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
d33b61c2fc1dd881d02d27617d77b65e

SHA1
5a3f6949857e1787a99c912577346ff6000fedd2

SHA256
983865fa820512337344a27d32709dbd2cbea157fe5b9ed8a7f29c8875013f59

SHA512
8ecfa11596f65b25ac4838aaa6aacb5468488fd1345c269b19c37c265d29adcb4b42da5555c0c1518a6b720868ecd4d2acd26872d601ab92693a433fae15592c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c
Filesize
1007KB

MD5
917b4162f10e8333d10c3da1073403b9

SHA1
7d1b6b618483a480803e1ada1f91c2afc42916e9

SHA256
9909740ab689daf612033811eb322f64630d6b97bba518c931b5e3596b50083d

SHA512
c0974e3afd999a4e4c4e04447e60f53320302b336e47383b324ae879700aae703ace847d3178cbc3234c2c31859f583ab8440e8354e18a5b989d77d35320439c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f
Filesize
1024KB

MD5
e7b087f2f20040ed39a2aa6070420765

SHA1
091d2c0241fd484e82ca9ad747a8356d7581ce1c

SHA256
9661a6a205f980b09164060ec420ecb304ada221123f4601261a78b41401a51f

SHA512
e4a00c86fa3877bc3334b2aed5689b25a509483e7606b15be17447f5567680350e4b53c41988e64b30eead66bd8fbad97a5850447a09f0ff24084d1086e93332

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000014
Filesize
1024KB

MD5
d3187b0968164d17b4bad96d9c03846e

SHA1
109a89f6d8e31fb5f67b51f35554ff0e12091359

SHA256
352aa4d2e93916b6a0a2eeccd3eb73df98ded121c0ace15a4d9b8819375acfb8

SHA512
faf88e91d10ddfa60375f5e8cead150512afe091ecefb019d70c0c8499ca10aeb327dfc08a779937dcb114d4338a57a0bd6ac5aae905f14bac97da7ae65514c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\000002.dbtmp
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\Origins\CURRENT~RF6d5fcd.TMP
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
363B

MD5
8aa2561bfd98635d804c0c4fe17607ad

SHA1
d94f70a00fefc06437fdeea116cad8f2683f2f72

SHA256
ee30f3f6350c793644aa2ba82514de225dd6ecc017fdaaaf988038b686d8fb07

SHA512
39a25ff949be8cfb102606348fca3baba48f44d2aeeeef4c82267149a057906fa26c0d83c50de6f8e70644fec40b13fde44197f291c1815a40e74fc2a98e17ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
283dadfb224f3d96da3dbcd1db6e90ff

SHA1
22a05efa14d10bc0bef5541dafd8f71a8b8b929a

SHA256
98c703ec4808b7fc939f7272fca0588efed0eef7aadaa658633fcb0e2a730ccd

SHA512
63f67272947ceb4681f5435ba49a3421cd2837f23b3c662acfcc8c5f0d1f91066ed4d30c4df2a413ed9add6a32bb14e43453ead2b0d57c746d486e096fff55f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
b3da10586243b5fa01a3ae2e65baddb7

SHA1
924b9fa79b03e8363dc4734a860131ecd3fd320a

SHA256
c261ec24655a098e401b9afaec56583997a195ffc8f7ae3e07bfe67be0619ab1

SHA512
4bee4285c58c67d2917856e9ea66d3b46bb2a04e1b992b45b5fb8d8afd475d19b0cae7cc50e61502d051f4163f6d576464f98fabe24a83efb32b701b741f12a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
98f9f859febeda89c5450f03ad7ed908

SHA1
01b467dfee9c33ff2a6820a127e7fd774db21d10

SHA256
efd147f840c19c664c162ddb10e4fd9b95595c2f5fd0f53aa34ef9b913ef8c45

SHA512
7f897045b94f878c017afda9c70d424724e401c9522d0db32022ee642209df56c497f93fd00337f1fba7da040d97aeb9ca69f3eb6e73f07c502f96e1a0a5ffbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
0c96a0dca3fe8036215fb4fdba95302f

SHA1
7aef45895facae34463d8499c106e2549fb456c6

SHA256
3a417203b21866c2bb965b45a0b5e442086eeb32d0fe3d001570c964cf6cba82

SHA512
f71ae889b26d67494817295bc8d2f03694168c1535e2df1888c38d4aa9c1b64ae8c5508536f9cc185aaf7475f69b0ad3dd3453e72a4401de5248794ab079d16c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000004.dbtmp
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
159KB

MD5
004169acad5bf1fe61f85825802d6617

SHA1
e87c5d4e125e2116487aacc1690641cb3fe16ff3

SHA256
789ce25ee1ab041d066c8cdb1e6410000f6b84c11ce7588beacbe838ad321c31

SHA512
141c90b6e86beaa6126705397d71e6c632b930c2cd6df9945be84737b0474e640984ed0ee17e8bfcc29f6d6e97d477d2c9d23c249a323edc496317f6339a8527

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4453.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4573.tmp
Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
\??\pipe\crashpad_1748_BUKDLXJMWQTTEESX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1204-84-0x0000000022F90000-0x0000000022FCE000-memory.dmp

Filesize
248KB

Download
memory/1204-90-0x0000000022EC0000-0x0000000022EC5000-memory.dmp

Filesize
20KB

Download
memory/1204-117-0x0000000024EB0000-0x0000000024F65000-memory.dmp

Filesize
724KB

Download
memory/1204-181-0x0000000029490000-0x0000000029491000-memory.dmp

Filesize
4KB

Download
memory/1204-111-0x0000000023DA0000-0x0000000023E42000-memory.dmp

Filesize
648KB

Download
memory/1204-108-0x0000000023C80000-0x0000000023D94000-memory.dmp

Filesize
1.1MB

Download
memory/1204-105-0x00000000236A0000-0x00000000236A9000-memory.dmp

Filesize
36KB

Download
memory/1204-102-0x0000000022F80000-0x0000000022F87000-memory.dmp

Filesize
28KB

Download
memory/1204-99-0x0000000023610000-0x000000002363A000-memory.dmp

Filesize
168KB

Download
memory/1204-96-0x0000000024090000-0x00000000248AC000-memory.dmp

Filesize
8.1MB

Download
memory/1204-93-0x0000000023740000-0x00000000237A3000-memory.dmp

Filesize
396KB

Download
memory/1204-114-0x0000000023860000-0x00000000238A1000-memory.dmp

Filesize
260KB

Download
memory/1204-87-0x00000000236B0000-0x0000000023732000-memory.dmp

Filesize
520KB

Download
memory/1204-54-0x0000000180000000-0x0000000180A23000-memory.dmp

Filesize
10.1MB

Download
memory/1204-81-0x0000000022F20000-0x0000000022F33000-memory.dmp

Filesize
76KB

Download
memory/1204-78-0x0000000022EE0000-0x0000000022F1C000-memory.dmp

Filesize
240KB

Download
memory/1204-75-0x0000000022BA0000-0x0000000022BA8000-memory.dmp

Filesize
32KB

Download
memory/1204-72-0x0000000022C00000-0x0000000022C21000-memory.dmp

Filesize
132KB

Download
memory/1204-69-0x0000000001C80000-0x0000000001C8E000-memory.dmp

Filesize
56KB

Download
memory/1204-66-0x0000000022DD0000-0x0000000022E10000-memory.dmp

Filesize
256KB

Download
memory/1204-63-0x0000000022BB0000-0x0000000022BC2000-memory.dmp

Filesize
72KB

Download
memory/1204-60-0x0000000001E60000-0x0000000001E76000-memory.dmp

Filesize
88KB

Download
memory/1204-57-0x0000000001C50000-0x0000000001C5D000-memory.dmp

Filesize
52KB

Download