96dbace7c5d636a62634f50bba7097e7ce1af45e279e8d2c7947bc40aa418e1d

Resubmissions

29/01/2024, 15:16

240129-snmrmsebam 7

29/01/2024, 15:16

240129-sng66acfb2 7

29/01/2024, 15:15

240129-sm889acfa8 3

29/01/2024, 15:11

240129-sk3npaeadm 7

Analysis

max time kernel
162s
max time network
399s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/01/2024, 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dark_Queuebot_2_1_1_1.rar
Size

116KB
MD5

33de80ac7f391390f2844ae8ae04a96d
SHA1

7aa23d55a79e90e1990262edfcf39121f0851242
SHA256

96dbace7c5d636a62634f50bba7097e7ce1af45e279e8d2c7947bc40aa418e1d
SHA512

65472e779e7b2a826bd70996af93b4cf3ef06ad6da3b150b2732cf6ae1e23385558d6c933b485eca04ca67fadade08a8f7e1d4c5b16f145af338aef6a12663e0
SSDEEP

3072:eQZQsF9bPacnhoRsRKjpjyYc7OtGPFFNYbFVUOC+gQC:ekQsFFPaxvc7OtWYpVUOC+gb

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1776	MsiExec.exe
1776	MsiExec.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
56	3024	msiexec.exe
58	3024	msiexec.exe
60	3024	msiexec.exe
62	3024	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2600	powershell.exe
3000	7zFM.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3000	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3000	7zFM.exe
Token: 35	3000	7zFM.exe
Token: SeSecurityPrivilege	3000	7zFM.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
3000	7zFM.exe
3000	7zFM.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
3000	7zFM.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
3024	msiexec.exe
3024	msiexec.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 3000	2500	cmd.exe	29
PID 2500 wrote to memory of 3000	2500	cmd.exe	29
PID 2500 wrote to memory of 3000	2500	cmd.exe	29
PID 3000 wrote to memory of 2628	3000	7zFM.exe	30
PID 3000 wrote to memory of 2628	3000	7zFM.exe	30
PID 3000 wrote to memory of 2628	3000	7zFM.exe	30
PID 2628 wrote to memory of 2600	2628	cmd.exe	32
PID 2628 wrote to memory of 2600	2628	cmd.exe	32
PID 2628 wrote to memory of 2600	2628	cmd.exe	32
PID 2880 wrote to memory of 2900	2880	chrome.exe	34
PID 2880 wrote to memory of 2900	2880	chrome.exe	34
PID 2880 wrote to memory of 2900	2880	chrome.exe	34
PID 2880 wrote to memory of 1652	2880	chrome.exe	36
PID 2880 wrote to memory of 1652	2880	chrome.exe	36
PID 2880 wrote to memory of 1652	2880	chrome.exe	36
PID 2880 wrote to memory of 1652	2880	chrome.exe	36
PID 2880 wrote to memory of 1652	2880	chrome.exe	36
PID 2880 wrote to memory of 1652	2880	chrome.exe	36
PID 2880 wrote to memory of 1652	2880	chrome.exe	36
PID 2880 wrote to memory of 1652	2880	chrome.exe	36
PID 2880 wrote to memory of 1652	2880	chrome.exe	36
PID 2880 wrote to memory of 1652	2880	chrome.exe	36
PID 2880 wrote to memory of 1652	2880	chrome.exe	36
PID 2880 wrote to memory of 1652	2880	chrome.exe	36
PID 2880 wrote to memory of 1652	2880	chrome.exe	36
PID 2880 wrote to memory of 1652	2880	chrome.exe	36
PID 2880 wrote to memory of 1652	2880	chrome.exe	36
PID 2880 wrote to memory of 1652	2880	chrome.exe	36
PID 2880 wrote to memory of 1652	2880	chrome.exe	36
PID 2880 wrote to memory of 1652	2880	chrome.exe	36
PID 2880 wrote to memory of 1652	2880	chrome.exe	36
PID 2880 wrote to memory of 1652	2880	chrome.exe	36
PID 2880 wrote to memory of 1652	2880	chrome.exe	36
PID 2880 wrote to memory of 1652	2880	chrome.exe	36
PID 2880 wrote to memory of 1652	2880	chrome.exe	36
PID 2880 wrote to memory of 1652	2880	chrome.exe	36
PID 2880 wrote to memory of 1652	2880	chrome.exe	36
PID 2880 wrote to memory of 1652	2880	chrome.exe	36
PID 2880 wrote to memory of 1652	2880	chrome.exe	36
PID 2880 wrote to memory of 1652	2880	chrome.exe	36
PID 2880 wrote to memory of 1652	2880	chrome.exe	36
PID 2880 wrote to memory of 1652	2880	chrome.exe	36
PID 2880 wrote to memory of 1652	2880	chrome.exe	36
PID 2880 wrote to memory of 1652	2880	chrome.exe	36
PID 2880 wrote to memory of 1652	2880	chrome.exe	36
PID 2880 wrote to memory of 1652	2880	chrome.exe	36
PID 2880 wrote to memory of 1652	2880	chrome.exe	36
PID 2880 wrote to memory of 1652	2880	chrome.exe	36
PID 2880 wrote to memory of 1652	2880	chrome.exe	36
PID 2880 wrote to memory of 1652	2880	chrome.exe	36
PID 2880 wrote to memory of 1652	2880	chrome.exe	36
PID 2880 wrote to memory of 1272	2880	chrome.exe	37
PID 2880 wrote to memory of 1272	2880	chrome.exe	37
PID 2880 wrote to memory of 1272	2880	chrome.exe	37
PID 2880 wrote to memory of 3064	2880	chrome.exe	38
PID 2880 wrote to memory of 3064	2880	chrome.exe	38
PID 2880 wrote to memory of 3064	2880	chrome.exe	38
PID 2880 wrote to memory of 3064	2880	chrome.exe	38
PID 2880 wrote to memory of 3064	2880	chrome.exe	38
PID 2880 wrote to memory of 3064	2880	chrome.exe	38
PID 2880 wrote to memory of 3064	2880	chrome.exe	38
PID 2880 wrote to memory of 3064	2880	chrome.exe	38
PID 2880 wrote to memory of 3064	2880	chrome.exe	38
PID 2880 wrote to memory of 3064	2880	chrome.exe	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Dark_Queuebot_2_1_1_1.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Dark_Queuebot_2_1_1_1.rar"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zO8BBE7116\start.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell -Command "Add-Type -AssemblyName PresentationFramework;[System.Windows.MessageBox]::Show('The bot only works with nodejs 17.6.0!')"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2600
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zO8BB5B6F6\start.bat" "
    3⤵
    PID:2684
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell -Command "Add-Type -AssemblyName PresentationFramework;[System.Windows.MessageBox]::Show('The bot only works with nodejs 17.6.0!')"
      4⤵
      PID:1968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7509758,0x7fef7509768,0x7fef7509778
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1128 --field-trial-handle=1152,i,17170517321650848000,1755841905402583750,131072 /prefetch:2
  2⤵
  PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1152,i,17170517321650848000,1755841905402583750,131072 /prefetch:8
  2⤵
  PID:1272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1568 --field-trial-handle=1152,i,17170517321650848000,1755841905402583750,131072 /prefetch:8
  2⤵
  PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2356 --field-trial-handle=1152,i,17170517321650848000,1755841905402583750,131072 /prefetch:1
  2⤵
  PID:3012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2320 --field-trial-handle=1152,i,17170517321650848000,1755841905402583750,131072 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2840 --field-trial-handle=1152,i,17170517321650848000,1755841905402583750,131072 /prefetch:2
  2⤵
  PID:1492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3220 --field-trial-handle=1152,i,17170517321650848000,1755841905402583750,131072 /prefetch:1
  2⤵
  PID:1592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3444 --field-trial-handle=1152,i,17170517321650848000,1755841905402583750,131072 /prefetch:8
  2⤵
  PID:1760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3596 --field-trial-handle=1152,i,17170517321650848000,1755841905402583750,131072 /prefetch:8
  2⤵
  PID:1060
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:1664
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x1402c7688,0x1402c7698,0x1402c76a8
    3⤵
    PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3512 --field-trial-handle=1152,i,17170517321650848000,1755841905402583750,131072 /prefetch:8
  2⤵
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4000 --field-trial-handle=1152,i,17170517321650848000,1755841905402583750,131072 /prefetch:1
  2⤵
  PID:2748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2452 --field-trial-handle=1152,i,17170517321650848000,1755841905402583750,131072 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 --field-trial-handle=1152,i,17170517321650848000,1755841905402583750,131072 /prefetch:8
  2⤵
  PID:1200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2096 --field-trial-handle=1152,i,17170517321650848000,1755841905402583750,131072 /prefetch:1
  2⤵
  PID:2296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3436 --field-trial-handle=1152,i,17170517321650848000,1755841905402583750,131072 /prefetch:1
  2⤵
  PID:960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4080 --field-trial-handle=1152,i,17170517321650848000,1755841905402583750,131072 /prefetch:8
  2⤵
  PID:2060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4132 --field-trial-handle=1152,i,17170517321650848000,1755841905402583750,131072 /prefetch:8
  2⤵
  PID:900
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\node-v17.6.0-x86.msi"
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
  PID:3024

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1800

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
PID:2520
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1529DCC4C076B15134B24E3CE9F453FC C
  2⤵
  - Loads dropped DLL
  PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b8533ca920f3d9ea1f36815d360d8383

SHA1
240bc2d7825c9978b451721c3e2854cd3471f260

SHA256
c483a77e7be9ef9d64e8ca6162e7b34eab484e4b77dcc2ff8b3f01c35724e18f

SHA512
fa69617e5b2ef7f222399c5d703519fbf65398695a2ffd5cf6d42c1ea6172f7890dadf19ba6cb83fbbea04984b18a3d229e80735fff376b2e00d23ef65efbe63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\0b9b133f-08dd-4e28-b34e-27687c3cfb74.tmp

Filesize
7KB

MD5
acf1d479a1251d0c1848cc316ef94568

SHA1
7e4719c97ba685641adde7c2c2d25d2276534aa6

SHA256
b347a7cfe62b764ce68be3c850a7309ad39703124be966fe57dbfe0c9f5dbdb7

SHA512
8eee02de85afaf7decbbe63bddf3c961aafb5624a1f558d791276c1aef576cb581ce45a8436a49493f134f249d5c2fe0ee01891d5a6abd650df6e1462d835232

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011

Filesize
40KB

MD5
1128652e9d55dcfc30d11ce65dbfc490

SHA1
c3dc05f00453708162853a9e6083a1362cc0fc26

SHA256
b189ff1f576a3672b67406791468936b4b5070778957ba3060a7141200231e4e

SHA512
75e611ba64a983b85b314b145a6d776ed8c786f62126539f6da3c1638bf7e566c11daf18d1811b07656de47ff8b50637520cf719a2cacc77a9d27393fc08453b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
888B

MD5
439761d4f1b291921264fe6f8458522d

SHA1
7b1fda0936820028e4349cfcbc700965b373571a

SHA256
5a51309b6edffc173309d9abaf62a039bd7d7915301ed160ba745dbb367d46ca

SHA512
85a4d6294d8b242dba82057f047ddf333ba8f677de3f63df07899b40546f33ee3026951bbdfdd87622e3f20fbc02b557bc2efaa228c18f0cc0613fa789835c2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
0efc8a4323675c7e5f1755fe79280609

SHA1
4dff9acce77956b2322b82a36ba49a55615bb69c

SHA256
be98c3334cbe3e133531eddea2a536333f0adee3a3b1bfde05c15234c5379a19

SHA512
8b23994ca2d83fc00c9788a51a83aa9d5dca00bb0b8f67de7ef6a950729fddce91cc9c1a8e61c32a378015ef549c81bc7421a28f36815c3375892b2ccce36b62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
64d566878927465e9bad316f6773aba0

SHA1
1eb13621e9e5bd837cf4ae03b69d30be8b7c5b3e

SHA256
97be725add8e5584708740376b86db17b82464e19503b6b7b9536bf61ad6126b

SHA512
364525d52be8e249e3cf1c93f33333dc169b2c1e3309fa02c058b0eee2d78e29ac0e3fb3ed452afb7e5d91248641d5c40b2e8f018695517f5b07001ba55ca1db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
a84aa79525576e7ca59cd3c8e55ce382

SHA1
befc9a7ae5734b40926c93c74ce5c31a9d7a007b

SHA256
bd134d4a754f8461a907d0f747a965e762cf2008cfa6b7051cf3c3abe1106099

SHA512
ef4e4781f4695a9850b4677c2f2394272b9592551f7918e2fe3e78fc7ec9996672d7aab3ddb46383e59f0de609783d62e2a6c8d32628c7879ee1ce2f43d70aa9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
f37aa03612b4db3a3e5e8df86fe3e6dc

SHA1
b27b92cea8885dba8e431d7191a65ef969de6d66

SHA256
9a8e03e4eb1c93b4f704a90ebac5111a4929f0129cbbfbd1b3362ec311c59f34

SHA512
f4a77d5845c7f3542c243855b509202c93dbc3a150acc5a9f2a41cd0b5af6441df58a7d4d0979c834e23df44662f865cdcf9f203de85b40ea1b6ad8e3f6fd9e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
c7315844a1af1bc873ba76d065d1fa6f

SHA1
dbebebd5881043977303721e577c10bb14f97f59

SHA256
3d71da13527c4ecc126e41e962f8a2bf930b3b329a0b5aa1cd8dfcc2d61b00e8

SHA512
aa4121a1e34a51d0bd8095910c95a75f77666f5fde383fb319a8e30e63d64958cc32c2972e6642b0abf484eeedb4ad7e2e2a6213e45c959c6e25b61ee3af9466

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
4be3b5bc83b9b5c49098d7dd57cfd9fd

SHA1
e17372c7626c406f76f99852c324b5a762dc6535

SHA256
a73467850be028387e99596ee3adbe4719716ed7907f5a66ccef1c3ba74ac17a

SHA512
951f30aa3c3a4e8e88dd7de70383fac489db75ab26cec010f808d24a7800ebec9aff18d7c340735b0c1d6b67133a51d7e053a46309f1ad4575188575a6c9c10f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
f94bec10df6a2a535482bc58ecbbadea

SHA1
be9dafd2332c4874ca2907921aa57c9fd17e3554

SHA256
16d4f7addda29715f34a4e9d9869cd0af884e9bdb5e34e6330e3b79d8fe2dec0

SHA512
428f3dae506411cd6c22ceb0adae225cc10b67a8a578a0e97f32a4ec745e42773f536c20a32197efa138516abeed90eb4490cde68f364a8a10e10eb435ce70d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
99d178ef6a21a4fa6dac0572857c5f25

SHA1
76b5c620755ff7ff8e045c838e47a282e658c8fa

SHA256
709df76b2580c4636bfc0ccc673b8252ebee5bafd33a23632a7ada4dc94f1c03

SHA512
ddd19a0110457303dae930c4d150247560e259e2053dfd5c83de6c14cb813484bee76ca6e535af2d3232b5647dd622845477bd67b971ed9ccbf3bf6c4b081ec4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
754f85632d0da58d5fdd1e8896908631

SHA1
ce3a1512d7d2eca38d0f287860997316a401b8a6

SHA256
7fe065f1af8831b18e3f714e44b525806e4d495ed1b9ee70a67c10698a721174

SHA512
5f712755e7bdbdaf67cbcc70f86f08bb207c4f724a635ad90060d485a6ae05110afb1ac5efbac8968629dd838fe87328c0c00bbd8b2aca9724f5958a5c2578c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7d856e7cf3ca889addb9d478271bb7f9

SHA1
b3773d7909427d4e04827cc273df02c9c676687b

SHA256
d319acd288513135563519c82773fa017d675665d89e72bab47eb7a75714251f

SHA512
aebf7df3ceb5906838db2de9f55c4733c2ab78c2a5740d803576dacd620c31ac7e042f1a598910e63616a7a84b4ffc6220395958855d3c9d098fd1846c69e74a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
866db072892089b98a674c993eb9ba22

SHA1
0ecfb60195b979e6224fd408b0b002de5f455a69

SHA256
e68739219d6129095d566911adab1c04c360c2fec9c2063e4f9072497d9f6b84

SHA512
e984d56b8f6d6080d086547845d83b8456c9af385cd24017ccf7994d760acda802116eb6c2d731df07ee0c2206844e81e50739162f8f1e05e3e8336a28353e99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
231dfd44103ca494749763c53ed8c072

SHA1
6b6fb5057be8106350c6d3ce2c7c1e6e3523af0c

SHA256
08fb17980df77f898ae2aeaf9c4f2fd3c9855963170dd65b6ff58f2ec1ebae19

SHA512
42ccf9f1cf6ddce6ac3926ae14ff2e5baa23a922fec9c75b91b3c79b6b2de7c61942a0ed4aed58314dad96db9008a13d2d34b83523a754d72f45e6c12bbe8bac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\b3ae3973-fdd5-4b98-8fbc-e9599b1d8adc.tmp

Filesize
6KB

MD5
d2aa2d5dc35270b8f08c48ecb06138d8

SHA1
40c78176a9de51e7b2118d0e28246a6f6fc48b4c

SHA256
fa5ae6a973e90b428be1183bbe054526fd5b0bdd75f490daa6ce546cccb12503

SHA512
79841c4651478a90d55fb9055ebc4d0a7ce4863ff273ee0b8463f0acbd80e788ca513983d11d630bd8cbc20ec88736332f38505bba2ec9388d7de1f9bb307a8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
74KB

MD5
c37adf0f6290ca5b181372b4a62913ac

SHA1
227c44ff40c805ddc8831f77c7eb515f71445554

SHA256
dfaf34b6ee72359c86ba66804aa378a59935f16a82e9b06d1ce7c6f9fb96a1c5

SHA512
7eced6e789bc12a7cb280d8df3551c5702bf36724ec60d8de4dbbf9b06ed7ff3e24443b4a3a0ed64f437faba695b0c3310e0b1b29f689e9ed260f8c67e8f1117

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8BBE7116\start.bat

Filesize
601B

MD5
a020c2692ea8307076e7f2ced6ffadeb

SHA1
eb59ee0f0fc39103e29493efbdd8e428610fb955

SHA256
58d7a19d79b5f4f3270e6154704be7d442184cc552d8d903da07352de0f415d6

SHA512
c9316b94ae668b8207c5518d88a8a51bba2835e29fc3fa5fb5f63e834e00aa13a558e2db21a1c2c55c4cad99a0b622fa0d37adc08429114d364f9e56115599b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA630.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA643.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\Downloads\node-v17.6.0-x86.msi

Filesize
26.0MB

MD5
0eb26a6b36d048df42bb4504da807bf3

SHA1
5aa345fcafa5c13fd7b11497bb0679476022b0ba

SHA256
dfd6925eb8b2045b1e0e479df53dc3ca591077168d5fbdf2e9532b0475d71455

SHA512
6651f4fdc96c3f791e114660ac89a7f9c6e487c9ef8820722ae1a232ce9142c9d82072c08d4e8ed8a1d8b1173c26538c0a88e509d068dfb2652097ca67c7814a

Download Submit
\Users\Admin\AppData\Local\Temp\MSIB6F6.tmp

Filesize
99KB

MD5
0c473208596539d480f36db5dc1d715c

SHA1
dc49bc23d5029ef95e093fb8c54b4007cf3b6839

SHA256
3db16f098e26b822a3b4a67c14ce9ebdc32e18c7b69030d99cd2ef17a08d9a07

SHA512
9b2f0a33851641c3af1215621162f77287ed8144a6244c73927dd8344e1111a6214853152dafbe039fbb5987b03f443a0f4faa44dedf334871e46ddb8fd366b1

Download Submit
\Users\Admin\AppData\Local\Temp\MSIB7D2.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
memory/2600-54-0x000000001BC40000-0x000000001BC9A000-memory.dmp

Filesize
360KB

Download
memory/2600-48-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp

Filesize
9.6MB

Download
memory/2600-52-0x0000000002A80000-0x0000000002A9C000-memory.dmp

Filesize
112KB

Download
memory/2600-56-0x000000001C7F0000-0x000000001C876000-memory.dmp

Filesize
536KB

Download
memory/2600-57-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp

Filesize
9.6MB

Download
memory/2600-53-0x0000000002C20000-0x0000000002C2E000-memory.dmp

Filesize
56KB

Download
memory/2600-51-0x0000000002A70000-0x0000000002A7C000-memory.dmp

Filesize
48KB

Download
memory/2600-55-0x000000001BCA0000-0x000000001BD76000-memory.dmp

Filesize
856KB

Download
memory/2600-50-0x0000000002C70000-0x0000000002CF0000-memory.dmp

Filesize
512KB

Download
memory/2600-49-0x0000000002C70000-0x0000000002CF0000-memory.dmp

Filesize
512KB

Download
memory/2600-47-0x0000000002C70000-0x0000000002CF0000-memory.dmp

Filesize
512KB

Download
memory/2600-46-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp

Filesize
9.6MB

Download
memory/2600-45-0x0000000002070000-0x0000000002078000-memory.dmp

Filesize
32KB

Download
memory/2600-44-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download