hxxps://cdn[.]discordapp[.]com/attachments/1201147609285415062/1203779993440755813/Release[.]rar?ex=65d2567b&is=65bfe17b&hm=c26553fe3b8717c1063853f49812a73d777dc71cea6d4e6899a7d25493ed8618&

Analysis

max time kernel
91s
max time network
87s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2024, 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1201147609285415062/1203779993440755813/Release.rar?ex=65d2567b&is=65bfe17b&hm=c26553fe3b8717c1063853f49812a73d777dc71cea6d4e6899a7d25493ed8618&

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3844	quantity.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133515480697848997"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3740	chrome.exe
3740	chrome.exe
3844	quantity.exe
3844	quantity.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
4524	7zFM.exe
3844	quantity.exe
3160	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3740	chrome.exe
3740	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeRestorePrivilege	4524	7zFM.exe
Token: 35	4524	7zFM.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeRestorePrivilege	3212	7zG.exe
Token: 35	3212	7zG.exe
Token: SeSecurityPrivilege	3212	7zG.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeSecurityPrivilege	3212	7zG.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
4524	7zFM.exe
3212	7zG.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe
3160	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3844	quantity.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3740 wrote to memory of 3784	3740	chrome.exe	85
PID 3740 wrote to memory of 3784	3740	chrome.exe	85
PID 3740 wrote to memory of 3176	3740	chrome.exe	89
PID 3740 wrote to memory of 3176	3740	chrome.exe	89
PID 3740 wrote to memory of 3176	3740	chrome.exe	89
PID 3740 wrote to memory of 3176	3740	chrome.exe	89
PID 3740 wrote to memory of 3176	3740	chrome.exe	89
PID 3740 wrote to memory of 3176	3740	chrome.exe	89
PID 3740 wrote to memory of 3176	3740	chrome.exe	89
PID 3740 wrote to memory of 3176	3740	chrome.exe	89
PID 3740 wrote to memory of 3176	3740	chrome.exe	89
PID 3740 wrote to memory of 3176	3740	chrome.exe	89
PID 3740 wrote to memory of 3176	3740	chrome.exe	89
PID 3740 wrote to memory of 3176	3740	chrome.exe	89
PID 3740 wrote to memory of 3176	3740	chrome.exe	89
PID 3740 wrote to memory of 3176	3740	chrome.exe	89
PID 3740 wrote to memory of 3176	3740	chrome.exe	89
PID 3740 wrote to memory of 3176	3740	chrome.exe	89
PID 3740 wrote to memory of 3176	3740	chrome.exe	89
PID 3740 wrote to memory of 3176	3740	chrome.exe	89
PID 3740 wrote to memory of 3176	3740	chrome.exe	89
PID 3740 wrote to memory of 3176	3740	chrome.exe	89
PID 3740 wrote to memory of 3176	3740	chrome.exe	89
PID 3740 wrote to memory of 3176	3740	chrome.exe	89
PID 3740 wrote to memory of 3176	3740	chrome.exe	89
PID 3740 wrote to memory of 3176	3740	chrome.exe	89
PID 3740 wrote to memory of 3176	3740	chrome.exe	89
PID 3740 wrote to memory of 3176	3740	chrome.exe	89
PID 3740 wrote to memory of 3176	3740	chrome.exe	89
PID 3740 wrote to memory of 3176	3740	chrome.exe	89
PID 3740 wrote to memory of 3176	3740	chrome.exe	89
PID 3740 wrote to memory of 3176	3740	chrome.exe	89
PID 3740 wrote to memory of 3176	3740	chrome.exe	89
PID 3740 wrote to memory of 3176	3740	chrome.exe	89
PID 3740 wrote to memory of 3176	3740	chrome.exe	89
PID 3740 wrote to memory of 3176	3740	chrome.exe	89
PID 3740 wrote to memory of 3176	3740	chrome.exe	89
PID 3740 wrote to memory of 3176	3740	chrome.exe	89
PID 3740 wrote to memory of 3176	3740	chrome.exe	89
PID 3740 wrote to memory of 3176	3740	chrome.exe	89
PID 3740 wrote to memory of 1824	3740	chrome.exe	91
PID 3740 wrote to memory of 1824	3740	chrome.exe	91
PID 3740 wrote to memory of 2408	3740	chrome.exe	90
PID 3740 wrote to memory of 2408	3740	chrome.exe	90
PID 3740 wrote to memory of 2408	3740	chrome.exe	90
PID 3740 wrote to memory of 2408	3740	chrome.exe	90
PID 3740 wrote to memory of 2408	3740	chrome.exe	90
PID 3740 wrote to memory of 2408	3740	chrome.exe	90
PID 3740 wrote to memory of 2408	3740	chrome.exe	90
PID 3740 wrote to memory of 2408	3740	chrome.exe	90
PID 3740 wrote to memory of 2408	3740	chrome.exe	90
PID 3740 wrote to memory of 2408	3740	chrome.exe	90
PID 3740 wrote to memory of 2408	3740	chrome.exe	90
PID 3740 wrote to memory of 2408	3740	chrome.exe	90
PID 3740 wrote to memory of 2408	3740	chrome.exe	90
PID 3740 wrote to memory of 2408	3740	chrome.exe	90
PID 3740 wrote to memory of 2408	3740	chrome.exe	90
PID 3740 wrote to memory of 2408	3740	chrome.exe	90
PID 3740 wrote to memory of 2408	3740	chrome.exe	90
PID 3740 wrote to memory of 2408	3740	chrome.exe	90
PID 3740 wrote to memory of 2408	3740	chrome.exe	90
PID 3740 wrote to memory of 2408	3740	chrome.exe	90
PID 3740 wrote to memory of 2408	3740	chrome.exe	90
PID 3740 wrote to memory of 2408	3740	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1201147609285415062/1203779993440755813/Release.rar?ex=65d2567b&is=65bfe17b&hm=c26553fe3b8717c1063853f49812a73d777dc71cea6d4e6899a7d25493ed8618&
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbda1e9758,0x7ffbda1e9768,0x7ffbda1e9778
  2⤵
  PID:3784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1768,i,2021688903052370647,11591685094779532583,131072 /prefetch:2
  2⤵
  PID:3176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1768,i,2021688903052370647,11591685094779532583,131072 /prefetch:8
  2⤵
  PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1768,i,2021688903052370647,11591685094779532583,131072 /prefetch:8
  2⤵
  PID:1824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1768,i,2021688903052370647,11591685094779532583,131072 /prefetch:1
  2⤵
  PID:808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1768,i,2021688903052370647,11591685094779532583,131072 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 --field-trial-handle=1768,i,2021688903052370647,11591685094779532583,131072 /prefetch:8
  2⤵
  PID:1636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 --field-trial-handle=1768,i,2021688903052370647,11591685094779532583,131072 /prefetch:8
  2⤵
  PID:1148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 --field-trial-handle=1768,i,2021688903052370647,11591685094779532583,131072 /prefetch:8
  2⤵
  PID:8
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Release.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4524

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3296

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Release\" -ad -an -ai#7zMap14214:76:7zEvent26192
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3212

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3520

C:\Users\Admin\Downloads\Release\quantity.exe
"C:\Users\Admin\Downloads\Release\quantity.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3844

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
6465686f2cb1df611917ddb5e8a8b5f0

SHA1
cf87a530ec67ad55fdb713090ef70ca372c4583c

SHA256
acd283b6cfe8268166cf383eb67f95984a2e60ccfa10d7c782fa93a8f4f7ad88

SHA512
35fa05b5e0f3fbd416c48f46c6cec6cbc25978d9b380d02db42dbeb3e3b8e4d6521517e6428a6cb77e1204002d783209f1842ebc64fc06efff9e5ca87da401be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1018B

MD5
e9a02b7bbd1e336274408320c38ccae3

SHA1
1af73c857b9374a05ab5c102c9c555f561204cfb

SHA256
3b46340a45d2d864fa01755b0ef87ac1eb88af8d5a1fdf095cd6a2d764932fcf

SHA512
7fd57b6858dcf1b2880c16f36af702d691c437c5030892ce04d30eadaf501a8a8aedbe06e0cb72e6042250793c995bce481fa0d57c98951f181416bf40fcaeeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f2b454a4bcd97d7f48cd8ce21954678a

SHA1
704d0ec9e2874282b7763635a6c3bf9822d29e79

SHA256
d48077a8df2644fd52ee6b6eb17ed4a27a241cd559d9ac6fcf797be8c6141275

SHA512
fac8d10d0a26ddb634a96b0d4497625eed3b3487dd5937239377240c5b1ead1e51d09429d3a474ca5be2d43d8f1f25cc234aa65e5b93d10144c6828c769433fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
627672a8754d28904482efc1ca67f30e

SHA1
e331cc0dd7c5109e068ce44d91fe6981f2043bb8

SHA256
d42fd98ee6ed9ce38b0c2e5851fbf5262720b395bf67daac17c54907eca6c5d1

SHA512
c181c31229e1e992743da3b9a9dc39a643ff141de7f0652f9a0c66651f9d8b4ba266b57560b5e80890e10d06578174d7f0699930b28f01b6887775613715e71e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
c660da03f7305c4f11e7e1d6a68db930

SHA1
69061e146b032be830851027b0eb5f6ba96fe9cd

SHA256
5fb4fe60ae5b38f6ed2ceeb0f0016de6293cf22a7ef0dc1289c3d821b097dc65

SHA512
63ed695f22ad095ddddcc48c75c18922304e54002e26994761619ba8ae8272ca363eab29424a8f145b3e88eecd87417904d4c5bed766c68d79bf22cf79ecdc5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\Release.rar

Filesize
459KB

MD5
4f6da6b64e7b27b64408af4f66cb0151

SHA1
7435f4a3b539c8c4d6bfa97ed160d1607df5899a

SHA256
7083f846cb9a420942447885c5c750a3c9dd81c305ae10f9c69c8306462df46a

SHA512
3e6286f70a501cf1257cbc80fdc3fb39a1bf437b95efbad75a86c2c36200a336524e7b13a850519e196c681940b9b283d730636230a7b1484cf1938597204e47

Download Submit
C:\Users\Admin\Downloads\Release\client.dll.json

Filesize
297KB

MD5
332c9a25c16c3554b36adaf3bfc1d777

SHA1
b14ffd5fad8278d2714f720b0a3c027fd012e5f8

SHA256
779dbf7f414948a7101023293359726c410e360e26bb7348c11432d9a6a627c5

SHA512
9b919c66505a43f758b5298e969ce469dd764a803be47f2794565209e4f4196d73fcb039a4d120b1519cfe824786418ed449ac9f813824cd762cfa5cebfd107d

Download Submit
C:\Users\Admin\Downloads\Release\imgui.ini

Filesize
130B

MD5
8088d78cdf20c315342262dbc8d2ecb9

SHA1
b2763107ec68d1091016e38dd22572a25695144d

SHA256
915297aaadbe987ac3a4ff5cd183ecd4c5aaaaf548df206e121016e3795135a9

SHA512
1f302f3d04cfaf7916d56626b95280706eff4958a43a4d19919de25a7abe1c4b6180dbcb8bc843bac9d2292160f11db5be0960876fa06f9aebd88defaf868b59

Download Submit
C:\Users\Admin\Downloads\Release\offsets.json

Filesize
2KB

MD5
334af9c44ed42b5d5861faa9949b1600

SHA1
2312bcdc048ba92c5e9bd3974c2271f3fbaf0c9d

SHA256
d2766d414c49ef19d47d74e4b3bc79ca30c530f78eb8d5bbc98ab9272f60764b

SHA512
fade1d9ca2b72412cfd636f5423304c049f7be0584fd18ef523bed53490c2ece56b113da44661422a8df5c1214a98ca95ee1d389e6be294f39e413a5aeb7dfac

Download Submit
C:\Users\Admin\Downloads\Release\quantity.exe

Filesize
940KB

MD5
e6ff1bd5cb677567d85855182fef7fc2

SHA1
4f66455fab1a714b98a6e9bc0cc25ad5e8ee9137

SHA256
bc407c953543743a7872b5f0f028c5be8d9df9249c75e7ae4a0b0d08ea59dcf3

SHA512
52467bb3509a7dab4a88fb686233b3a12f98155b68f142733278ba6dbd2e26136fae07af090064779af3b3813f6aa2ee8fcebc1e939cdba4ecbbc3d4e27da0d7

Download Submit
C:\Users\Admin\Downloads\Release\quantity.exe

Filesize
128KB

MD5
16990da917eaa05cffd8d7ef6cca2465

SHA1
3754d98778f2785350a47e6b048c9ea89a8e182f

SHA256
fbabd2f41fabf988773b5a84b02e8382cf005b4e57dd3e04567b0a8cb9636a45

SHA512
9600207cdcee04bec58d3bdc14ef36d5f84ec57bcb9e6fad8d658fb3d849ccce89e7c679777681195771c82f9424bf0cb86ef0eaeeb3e37896600b2cbdde435e

Download Submit
memory/3160-86-0x000001B7D9880000-0x000001B7D9881000-memory.dmp

Filesize
4KB

Download
memory/3160-81-0x000001B7D9880000-0x000001B7D9881000-memory.dmp

Filesize
4KB

Download
memory/3160-85-0x000001B7D9880000-0x000001B7D9881000-memory.dmp

Filesize
4KB

Download
memory/3160-80-0x000001B7D9880000-0x000001B7D9881000-memory.dmp

Filesize
4KB

Download
memory/3160-91-0x000001B7D9880000-0x000001B7D9881000-memory.dmp

Filesize
4KB

Download
memory/3160-90-0x000001B7D9880000-0x000001B7D9881000-memory.dmp

Filesize
4KB

Download
memory/3160-89-0x000001B7D9880000-0x000001B7D9881000-memory.dmp

Filesize
4KB

Download
memory/3160-88-0x000001B7D9880000-0x000001B7D9881000-memory.dmp

Filesize
4KB

Download
memory/3160-87-0x000001B7D9880000-0x000001B7D9881000-memory.dmp

Filesize
4KB

Download
memory/3160-79-0x000001B7D9880000-0x000001B7D9881000-memory.dmp

Filesize
4KB

Download