hxxps://bazaar[.]abuse[.]ch/download/3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab/

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2023, 16:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bazaar.abuse.ch/download/3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab/

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4952	3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe
4060	3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe
3708	3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe
File opened (read-only)	\??\F:	3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe
File opened (read-only)	\??\F:	3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
2804	chrome.exe
2804	chrome.exe
4952	3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe
4952	3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe
4952	3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe
4952	3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe
4952	3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe
4952	3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe
4952	3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe
4952	3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
2276	chrome.exe
2276	chrome.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
4060	3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe
4060	3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe
3708	3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe
3708	3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe
4060	3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe
4060	3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe
4060	3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe
4060	3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe
4060	3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe
4060	3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe
3708	3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe
3708	3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe
3708	3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe
3708	3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe
3708	3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe
3708	3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
4108	7zG.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe
1272	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 3656	2804	chrome.exe	79
PID 2804 wrote to memory of 3656	2804	chrome.exe	79
PID 2804 wrote to memory of 3040	2804	chrome.exe	81
PID 2804 wrote to memory of 3040	2804	chrome.exe	81
PID 2804 wrote to memory of 3040	2804	chrome.exe	81
PID 2804 wrote to memory of 3040	2804	chrome.exe	81
PID 2804 wrote to memory of 3040	2804	chrome.exe	81
PID 2804 wrote to memory of 3040	2804	chrome.exe	81
PID 2804 wrote to memory of 3040	2804	chrome.exe	81
PID 2804 wrote to memory of 3040	2804	chrome.exe	81
PID 2804 wrote to memory of 3040	2804	chrome.exe	81
PID 2804 wrote to memory of 3040	2804	chrome.exe	81
PID 2804 wrote to memory of 3040	2804	chrome.exe	81
PID 2804 wrote to memory of 3040	2804	chrome.exe	81
PID 2804 wrote to memory of 3040	2804	chrome.exe	81
PID 2804 wrote to memory of 3040	2804	chrome.exe	81
PID 2804 wrote to memory of 3040	2804	chrome.exe	81
PID 2804 wrote to memory of 3040	2804	chrome.exe	81
PID 2804 wrote to memory of 3040	2804	chrome.exe	81
PID 2804 wrote to memory of 3040	2804	chrome.exe	81
PID 2804 wrote to memory of 3040	2804	chrome.exe	81
PID 2804 wrote to memory of 3040	2804	chrome.exe	81
PID 2804 wrote to memory of 3040	2804	chrome.exe	81
PID 2804 wrote to memory of 3040	2804	chrome.exe	81
PID 2804 wrote to memory of 3040	2804	chrome.exe	81
PID 2804 wrote to memory of 3040	2804	chrome.exe	81
PID 2804 wrote to memory of 3040	2804	chrome.exe	81
PID 2804 wrote to memory of 3040	2804	chrome.exe	81
PID 2804 wrote to memory of 3040	2804	chrome.exe	81
PID 2804 wrote to memory of 3040	2804	chrome.exe	81
PID 2804 wrote to memory of 3040	2804	chrome.exe	81
PID 2804 wrote to memory of 3040	2804	chrome.exe	81
PID 2804 wrote to memory of 3040	2804	chrome.exe	81
PID 2804 wrote to memory of 3040	2804	chrome.exe	81
PID 2804 wrote to memory of 3040	2804	chrome.exe	81
PID 2804 wrote to memory of 3040	2804	chrome.exe	81
PID 2804 wrote to memory of 3040	2804	chrome.exe	81
PID 2804 wrote to memory of 3040	2804	chrome.exe	81
PID 2804 wrote to memory of 3040	2804	chrome.exe	81
PID 2804 wrote to memory of 3040	2804	chrome.exe	81
PID 2804 wrote to memory of 2336	2804	chrome.exe	82
PID 2804 wrote to memory of 2336	2804	chrome.exe	82
PID 2804 wrote to memory of 3080	2804	chrome.exe	83
PID 2804 wrote to memory of 3080	2804	chrome.exe	83
PID 2804 wrote to memory of 3080	2804	chrome.exe	83
PID 2804 wrote to memory of 3080	2804	chrome.exe	83
PID 2804 wrote to memory of 3080	2804	chrome.exe	83
PID 2804 wrote to memory of 3080	2804	chrome.exe	83
PID 2804 wrote to memory of 3080	2804	chrome.exe	83
PID 2804 wrote to memory of 3080	2804	chrome.exe	83
PID 2804 wrote to memory of 3080	2804	chrome.exe	83
PID 2804 wrote to memory of 3080	2804	chrome.exe	83
PID 2804 wrote to memory of 3080	2804	chrome.exe	83
PID 2804 wrote to memory of 3080	2804	chrome.exe	83
PID 2804 wrote to memory of 3080	2804	chrome.exe	83
PID 2804 wrote to memory of 3080	2804	chrome.exe	83
PID 2804 wrote to memory of 3080	2804	chrome.exe	83
PID 2804 wrote to memory of 3080	2804	chrome.exe	83
PID 2804 wrote to memory of 3080	2804	chrome.exe	83
PID 2804 wrote to memory of 3080	2804	chrome.exe	83
PID 2804 wrote to memory of 3080	2804	chrome.exe	83
PID 2804 wrote to memory of 3080	2804	chrome.exe	83
PID 2804 wrote to memory of 3080	2804	chrome.exe	83
PID 2804 wrote to memory of 3080	2804	chrome.exe	83

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://bazaar.abuse.ch/download/3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa2f089758,0x7ffa2f089768,0x7ffa2f089778
  2⤵
  PID:3656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=1840,i,14487216244944256618,2934809167361703868,131072 /prefetch:2
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1840,i,14487216244944256618,2934809167361703868,131072 /prefetch:8
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1840,i,14487216244944256618,2934809167361703868,131072 /prefetch:8
  2⤵
  PID:3080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2896 --field-trial-handle=1840,i,14487216244944256618,2934809167361703868,131072 /prefetch:1
  2⤵
  PID:4952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2880 --field-trial-handle=1840,i,14487216244944256618,2934809167361703868,131072 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4880 --field-trial-handle=1840,i,14487216244944256618,2934809167361703868,131072 /prefetch:1
  2⤵
  PID:3960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3924 --field-trial-handle=1840,i,14487216244944256618,2934809167361703868,131072 /prefetch:1
  2⤵
  PID:1140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 --field-trial-handle=1840,i,14487216244944256618,2934809167361703868,131072 /prefetch:8
  2⤵
  PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 --field-trial-handle=1840,i,14487216244944256618,2934809167361703868,131072 /prefetch:8
  2⤵
  PID:3692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 --field-trial-handle=1840,i,14487216244944256618,2934809167361703868,131072 /prefetch:8
  2⤵
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3224 --field-trial-handle=1840,i,14487216244944256618,2934809167361703868,131072 /prefetch:1
  2⤵
  PID:4172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1840,i,14487216244944256618,2934809167361703868,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2276

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1880

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1148

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab\" -spe -an -ai#7zMap7235:190:7zEvent18584
1⤵
- Suspicious use of FindShellTrayWindow
PID:4108

C:\Users\Admin\Downloads\3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab\3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe
"C:\Users\Admin\Downloads\3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab\3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe"
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:4952

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1272

C:\Users\Admin\Downloads\3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab\3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe
"C:\Users\Admin\Downloads\3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab\3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe"
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:4060

C:\Users\Admin\Downloads\3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab\3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe
"C:\Users\Admin\Downloads\3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab\3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe"
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:3708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b

Filesize
171KB

MD5
7a88e1edbba1ad7bd345eb14f1377a59

SHA1
b299cf2eacc2d17d1f2fbda9391079b6f05fb022

SHA256
3f6aa29738172f431b8e2af2e39cba0c2f91583d7bc23f988c7b7b35975bef2c

SHA512
48870540a5e7aedf4513610e23dad5d37ff48dde92909345771f7235d4526893e65d11915b46191e62dbe6e9bed4626215703fc90932bdebed356568c1557f95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
d394b5b5f092a260ee25d8761760ddec

SHA1
4dd56699a8800fbf0589d1ec02c41cb85464a16d

SHA256
5bda87b7170db8c0c88ff1037a02bb8c52b16c975d13141dcead2b7e3a627d91

SHA512
def823a978ad028b1d0af88ce7d4465595835857ae3647c3cd4292d1754a18b808881e2c0b05a131558e992d97d263695480ea5af43b990108d5ccfe69860ee7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a63afd071f3a11509932d374a99e9c1f

SHA1
f1379cfa8e170c5c75bf143ce59bef6c7d4f31a7

SHA256
2041d37ed0b6756a22eaaf5873200e530b059fae6130965ee3b996ada853dd0a

SHA512
c0b4de57ec2b09ebd122983ca5c812a8da8510bead1259ffa851785fc6eb4f6f30b43b14d951097567b95c3da848537823e987ec373cace00fbd0f6d254c2ded

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
4089ab86e1e0fda8b98c5cca86abb1ce

SHA1
0b4f3e5fb709435713aec77e3611650e088d3b0c

SHA256
e749cc70477bf9cccd380e58a819a278e41cf7a6c7dbeadbbd56c6006a24006d

SHA512
8017e0c5a6ccb57e7040ce3938d1faa75d28401029520798519f2d8cf7b77330a4c8e7358ace6b50eea730589f033f6d98ff307cc127de7763cea8127463222d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
4956b73dcc245fc0fd740d7db6383bc2

SHA1
cbdf53a1811d7d2fc62ecba3fae13b5f36a5ae5f

SHA256
1154324e7bb71df7965ec4f03dd919d8ec67ae50bee223076f1af6fc75c482c5

SHA512
c47bf37888082d13fb57689d8cb5108c4afeb8dcd8a8a595e7027f5ef39329f6da14d54b2a60ebf9a67c00bbf9e015bcdb2f8aab1feb125ebae39a3c48d41caf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f880c1004b0e075d4f653c1a8b13919e

SHA1
b3469d54d5bcac5847e8ca2f3cffb65aeb22429d

SHA256
0b68f37f7091ae0dd9e6cf1cbbde50f8268946f1850f214fc3a0754079c003db

SHA512
d23632a07adb0c606a8165626cf57f54c088ee1649023d42595b893b25d66a10127b7c72c6a70adac876c4a10e053325f0db8ddef48a6f3e1fe4c10b75ddb24b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
4bf612bd3d5b9fc9fc4beb53fad6097c

SHA1
9fafeaf7bcdd9eab9970c8021027a275fb21b828

SHA256
8da03b72156d8436000f19fa67f65f1cdfe89361c17aa194dcac53933945af3b

SHA512
335383dbd7ea4421759e3180ece8876cb5e3666c4907c707709f70a1a34a62ba424e9db5070caf05568af220ea951e3902245d37c049d3b08047e3aaff5c7c34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
47391944e455ed7fa57d6cb944c26598

SHA1
1fae3dd1c72da9b00787f60e85b3872cf2f59475

SHA256
d4252818bdaa1b530315e678a73debaafd7ff0d7776c91b688287d6efe637edf

SHA512
1109dfcaabb9072c4a2a64be1cd86437874a64cfb8e8a7187f6957defe681e45521ba0acb85152ba230bc528b72aaf4a3ff28a05ecfd7db1c31c3dacdd707370

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2633ba4fbe0df57dee2cd8be9bf8e65f

SHA1
7123f16c2e353e5897a2064d495ef2f1941cd313

SHA256
54fff8e0da6dc0de82bad221bc8d66ab61fb8c89d562da57257a29b27bf858f9

SHA512
196530f18fb7448f68c0af10d5a48238ed8d610c93519548a9fc88699af22a63c8385fd05da47fea87ebc64ee8a2839fd601ad2e58bdc21377b57fa65c4b07fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
67743f4a07e7a7f1bd47b2f79a854c18

SHA1
534b31424e64682f74c71a5938f1903937c7411f

SHA256
0313be495bb5bd2c295af88a206f6e1b47aaf4c96f1670ecae03db06ae5782d3

SHA512
b22d6e963a3d0f3f0064e1a5ff35db14bff822f581b178486c53ad13574e01817f49dcb5005e79159d0b13e79e3bad25bd8eef62a089a89ff65b1f05758e2b10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
7984f1cfe30c481d87a6b785ea572fe6

SHA1
6600bbdd5f106c61bf98c6fe3b515ecd3a524880

SHA256
db124dfd7b41cddeeed2702ad277ea20acb9b0095c69b93d26abbf8fcc4bccdf

SHA512
84b28d65a12829a220ecd53dfc64f1379688f41b5d0b664471e090a0d3d92edb132dff06c39fa332cb3eb4d365be04dce40207288bb5ccb236d0208e5c96e618

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
5996ea9192c24e8667b472b7433efc37

SHA1
c83c08f6f41c3a4de0f9c60efd345f43bd8d4e7a

SHA256
7c36756bb18bbb612db5fbd8c340b4bbbde97b5ded77bdf22a738435f795c92b

SHA512
94014c7d11caea381dc33560594ede8ea93d014c35088ae52407bf7a58e8e0970d993b58c7cdc1881f84c487e86204ce27f6466aa30af97779e3a3f77edb4be3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\e9ca745d-818c-44a4-a9c5-ad5323e3e5ed.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.zip

Filesize
22.7MB

MD5
8d6a12c2c9db855245ea956089beb824

SHA1
c27449c5e6fb6a4512eda1a058ba91e4ebef1ac1

SHA256
1876a322ab5632ad1453b1eaf7b9ea9c20744b3babf5f8f2bcd52431b869554e

SHA512
100268f979bfcbb0a50bf909a2af3ac0123aed8505be7b0be23042b21941ba81cbd7faf5251e64978002c978c054718d4b5cffdd5f6a63986114de13e39432b3

Download Submit
C:\Users\Admin\Downloads\3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.zip

Filesize
22.7MB

MD5
8d6a12c2c9db855245ea956089beb824

SHA1
c27449c5e6fb6a4512eda1a058ba91e4ebef1ac1

SHA256
1876a322ab5632ad1453b1eaf7b9ea9c20744b3babf5f8f2bcd52431b869554e

SHA512
100268f979bfcbb0a50bf909a2af3ac0123aed8505be7b0be23042b21941ba81cbd7faf5251e64978002c978c054718d4b5cffdd5f6a63986114de13e39432b3

Download Submit
C:\Users\Admin\Downloads\3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab\3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe

Filesize
26.3MB

MD5
83b151ece7a21c944a7aaf8e6f7e91ce

SHA1
8704198c809fdf8f2841b0eebb5b33d8c976280d

SHA256
3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab

SHA512
a619685dc0e37adae6dc1f8720f4871c321e80e944ef6d2590689f7d583de0f973102d503d07f5b12b44be9fd319c6338c8678c80ecdb0f58a2752a5b462afaa

Download Submit
C:\Users\Admin\Downloads\3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab\3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe

Filesize
26.3MB

MD5
83b151ece7a21c944a7aaf8e6f7e91ce

SHA1
8704198c809fdf8f2841b0eebb5b33d8c976280d

SHA256
3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab

SHA512
a619685dc0e37adae6dc1f8720f4871c321e80e944ef6d2590689f7d583de0f973102d503d07f5b12b44be9fd319c6338c8678c80ecdb0f58a2752a5b462afaa

Download Submit
C:\Users\Admin\Downloads\3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab\3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe

Filesize
26.3MB

MD5
83b151ece7a21c944a7aaf8e6f7e91ce

SHA1
8704198c809fdf8f2841b0eebb5b33d8c976280d

SHA256
3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab

SHA512
a619685dc0e37adae6dc1f8720f4871c321e80e944ef6d2590689f7d583de0f973102d503d07f5b12b44be9fd319c6338c8678c80ecdb0f58a2752a5b462afaa

Download Submit
C:\Users\Admin\Downloads\3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab\3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab.exe

Filesize
26.3MB

MD5
83b151ece7a21c944a7aaf8e6f7e91ce

SHA1
8704198c809fdf8f2841b0eebb5b33d8c976280d

SHA256
3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab

SHA512
a619685dc0e37adae6dc1f8720f4871c321e80e944ef6d2590689f7d583de0f973102d503d07f5b12b44be9fd319c6338c8678c80ecdb0f58a2752a5b462afaa

Download Submit
memory/1272-301-0x000001EDA0510000-0x000001EDA0511000-memory.dmp

Filesize
4KB

Download
memory/1272-309-0x000001EDA0510000-0x000001EDA0511000-memory.dmp

Filesize
4KB

Download
memory/1272-299-0x000001EDA0510000-0x000001EDA0511000-memory.dmp

Filesize
4KB

Download
memory/1272-305-0x000001EDA0510000-0x000001EDA0511000-memory.dmp

Filesize
4KB

Download
memory/1272-306-0x000001EDA0510000-0x000001EDA0511000-memory.dmp

Filesize
4KB

Download
memory/1272-307-0x000001EDA0510000-0x000001EDA0511000-memory.dmp

Filesize
4KB

Download
memory/1272-308-0x000001EDA0510000-0x000001EDA0511000-memory.dmp

Filesize
4KB

Download
memory/1272-300-0x000001EDA0510000-0x000001EDA0511000-memory.dmp

Filesize
4KB

Download
memory/1272-310-0x000001EDA0510000-0x000001EDA0511000-memory.dmp

Filesize
4KB

Download
memory/1272-311-0x000001EDA0510000-0x000001EDA0511000-memory.dmp

Filesize
4KB

Download
memory/3708-326-0x00007FF63FFC0000-0x00007FF642B06000-memory.dmp

Filesize
43.3MB

Download
memory/4060-320-0x00007FF63FFC0000-0x00007FF642B06000-memory.dmp

Filesize
43.3MB

Download
memory/4952-292-0x00007FFA38D50000-0x00007FFA38D52000-memory.dmp

Filesize
8KB

Download
memory/4952-293-0x00007FF63FFC0000-0x00007FF642B06000-memory.dmp

Filesize
43.3MB

Download