hxxps://mega[.]nz/file/FPVEwabL#waILPNgnCHx8BbZx0q52md8eOSSkMppN3DYgMl6eLqc

Analysis

max time kernel
221s
max time network
223s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
26/03/2024, 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/FPVEwabL#waILPNgnCHx8BbZx0q52md8eOSSkMppN3DYgMl6eLqc

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Control Panel\International\Geo\Nation	ONENOTE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Control Panel\International\Geo\Nation	ONENOTE.exe

Executes dropped EXE 2 IoCs

pid	Process
3152	ONENOTE.exe
4104	ONENOTE.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
3152	ONENOTE.exe
3152	ONENOTE.exe
4104	ONENOTE.exe
4104	ONENOTE.exe

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1484	3152	WerFault.exe	98
3248	3152	WerFault.exe	98
1004	4104	WerFault.exe	110
3596	4104	WerFault.exe	110

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	ONENOTE.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	ONENOTE.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	ONENOTE.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	ONENOTE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	ONENOTE.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	ONENOTE.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	ONENOTE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	ONENOTE.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	ONENOTE.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	ONENOTE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	ONENOTE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	ONENOTE.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133559235491107370"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\ONENOTE.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1692	chrome.exe
1692	chrome.exe
4608	chrome.exe
4608	chrome.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe
3152	ONENOTE.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1692	chrome.exe
1692	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: 33	2104	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2104	AUDIODG.EXE
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3152	ONENOTE.exe
4104	ONENOTE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 724	1692	chrome.exe	76
PID 1692 wrote to memory of 724	1692	chrome.exe	76
PID 1692 wrote to memory of 2556	1692	chrome.exe	78
PID 1692 wrote to memory of 2556	1692	chrome.exe	78
PID 1692 wrote to memory of 2556	1692	chrome.exe	78
PID 1692 wrote to memory of 2556	1692	chrome.exe	78
PID 1692 wrote to memory of 2556	1692	chrome.exe	78
PID 1692 wrote to memory of 2556	1692	chrome.exe	78
PID 1692 wrote to memory of 2556	1692	chrome.exe	78
PID 1692 wrote to memory of 2556	1692	chrome.exe	78
PID 1692 wrote to memory of 2556	1692	chrome.exe	78
PID 1692 wrote to memory of 2556	1692	chrome.exe	78
PID 1692 wrote to memory of 2556	1692	chrome.exe	78
PID 1692 wrote to memory of 2556	1692	chrome.exe	78
PID 1692 wrote to memory of 2556	1692	chrome.exe	78
PID 1692 wrote to memory of 2556	1692	chrome.exe	78
PID 1692 wrote to memory of 2556	1692	chrome.exe	78
PID 1692 wrote to memory of 2556	1692	chrome.exe	78
PID 1692 wrote to memory of 2556	1692	chrome.exe	78
PID 1692 wrote to memory of 2556	1692	chrome.exe	78
PID 1692 wrote to memory of 2556	1692	chrome.exe	78
PID 1692 wrote to memory of 2556	1692	chrome.exe	78
PID 1692 wrote to memory of 2556	1692	chrome.exe	78
PID 1692 wrote to memory of 2556	1692	chrome.exe	78
PID 1692 wrote to memory of 2556	1692	chrome.exe	78
PID 1692 wrote to memory of 2556	1692	chrome.exe	78
PID 1692 wrote to memory of 2556	1692	chrome.exe	78
PID 1692 wrote to memory of 2556	1692	chrome.exe	78
PID 1692 wrote to memory of 2556	1692	chrome.exe	78
PID 1692 wrote to memory of 2556	1692	chrome.exe	78
PID 1692 wrote to memory of 2556	1692	chrome.exe	78
PID 1692 wrote to memory of 2556	1692	chrome.exe	78
PID 1692 wrote to memory of 2556	1692	chrome.exe	78
PID 1692 wrote to memory of 2556	1692	chrome.exe	78
PID 1692 wrote to memory of 2556	1692	chrome.exe	78
PID 1692 wrote to memory of 2556	1692	chrome.exe	78
PID 1692 wrote to memory of 2556	1692	chrome.exe	78
PID 1692 wrote to memory of 2556	1692	chrome.exe	78
PID 1692 wrote to memory of 2556	1692	chrome.exe	78
PID 1692 wrote to memory of 2556	1692	chrome.exe	78
PID 1692 wrote to memory of 2764	1692	chrome.exe	79
PID 1692 wrote to memory of 2764	1692	chrome.exe	79
PID 1692 wrote to memory of 4240	1692	chrome.exe	80
PID 1692 wrote to memory of 4240	1692	chrome.exe	80
PID 1692 wrote to memory of 4240	1692	chrome.exe	80
PID 1692 wrote to memory of 4240	1692	chrome.exe	80
PID 1692 wrote to memory of 4240	1692	chrome.exe	80
PID 1692 wrote to memory of 4240	1692	chrome.exe	80
PID 1692 wrote to memory of 4240	1692	chrome.exe	80
PID 1692 wrote to memory of 4240	1692	chrome.exe	80
PID 1692 wrote to memory of 4240	1692	chrome.exe	80
PID 1692 wrote to memory of 4240	1692	chrome.exe	80
PID 1692 wrote to memory of 4240	1692	chrome.exe	80
PID 1692 wrote to memory of 4240	1692	chrome.exe	80
PID 1692 wrote to memory of 4240	1692	chrome.exe	80
PID 1692 wrote to memory of 4240	1692	chrome.exe	80
PID 1692 wrote to memory of 4240	1692	chrome.exe	80
PID 1692 wrote to memory of 4240	1692	chrome.exe	80
PID 1692 wrote to memory of 4240	1692	chrome.exe	80
PID 1692 wrote to memory of 4240	1692	chrome.exe	80
PID 1692 wrote to memory of 4240	1692	chrome.exe	80
PID 1692 wrote to memory of 4240	1692	chrome.exe	80
PID 1692 wrote to memory of 4240	1692	chrome.exe	80
PID 1692 wrote to memory of 4240	1692	chrome.exe	80

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/file/FPVEwabL#waILPNgnCHx8BbZx0q52md8eOSSkMppN3DYgMl6eLqc
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa09469758,0x7ffa09469768,0x7ffa09469778
    3⤵
    PID:724
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1668 --field-trial-handle=1868,i,11731866439356610774,10355236100575035100,131072 /prefetch:2
    3⤵
    PID:2556
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1868,i,11731866439356610774,10355236100575035100,131072 /prefetch:8
    3⤵
    PID:2764
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2192 --field-trial-handle=1868,i,11731866439356610774,10355236100575035100,131072 /prefetch:8
    3⤵
    PID:4240
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3156 --field-trial-handle=1868,i,11731866439356610774,10355236100575035100,131072 /prefetch:1
    3⤵
    PID:1676
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3164 --field-trial-handle=1868,i,11731866439356610774,10355236100575035100,131072 /prefetch:1
    3⤵
    PID:4336
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 --field-trial-handle=1868,i,11731866439356610774,10355236100575035100,131072 /prefetch:8
    3⤵
    PID:868
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 --field-trial-handle=1868,i,11731866439356610774,10355236100575035100,131072 /prefetch:8
    3⤵
    PID:3764
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4972 --field-trial-handle=1868,i,11731866439356610774,10355236100575035100,131072 /prefetch:8
    3⤵
    PID:2456
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=832 --field-trial-handle=1868,i,11731866439356610774,10355236100575035100,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4608
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 --field-trial-handle=1868,i,11731866439356610774,10355236100575035100,131072 /prefetch:8
    3⤵
    PID:796
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2904 --field-trial-handle=1868,i,11731866439356610774,10355236100575035100,131072 /prefetch:8
    3⤵
    PID:5116
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2312 --field-trial-handle=1868,i,11731866439356610774,10355236100575035100,131072 /prefetch:8
    3⤵
    PID:772
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 --field-trial-handle=1868,i,11731866439356610774,10355236100575035100,131072 /prefetch:8
    3⤵
    - NTFS ADS
    PID:3264
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5084 --field-trial-handle=1868,i,11731866439356610774,10355236100575035100,131072 /prefetch:8
    3⤵
    PID:932
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2208 --field-trial-handle=1868,i,11731866439356610774,10355236100575035100,131072 /prefetch:8
    3⤵
    PID:4692
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 --field-trial-handle=1868,i,11731866439356610774,10355236100575035100,131072 /prefetch:8
    3⤵
    PID:3676
- - C:\Users\Admin\Downloads\ONENOTE.exe
    "C:\Users\Admin\Downloads\ONENOTE.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3152
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 1448
      4⤵
      Program crash
      PID:1484
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 1396
      4⤵
      Program crash
      PID:3248
- C:\Users\Admin\Downloads\ONENOTE.exe
  "C:\Users\Admin\Downloads\ONENOTE.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks SCSI registry key(s)
  - Suspicious use of SetWindowsHookEx
  PID:4104
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 1160
    3⤵
    - Program crash
    PID:1004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 1236
    3⤵
    - Program crash
    PID:3596

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:232

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C4 0x00000000000004C0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2104

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3152 -ip 3152
1⤵
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3152 -ip 3152
1⤵
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4104 -ip 4104
1⤵
PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4104 -ip 4104
1⤵
PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
58d8564facc8931684c09e9758a40f70

SHA1
1481def8847c3dcab1061bdfc292c85ce9dd6052

SHA256
4ef933ae6169aa89f7666a9371157da6b02a78110a188b3514a5a35902f12df1

SHA512
863f17800110032876bce3f581ff195eab87f3a4253999e56e3eafb91441d1a8c0e6033daab18e4e1f7b32bb981cd59e3687f6ae0b1cb736f250e9c75e231cf1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
873008fce6dc114d86ce0f45abb71254

SHA1
a4243cbf8d73b20871e9f7884563f8fe592e43d1

SHA256
2c612c770682a272040035b4c38e27a9256e33e289dc579705883d46d154a14f

SHA512
7332ebb3e8b3334893e006327340073454595639cc490cfd55562c944b4a14a63842d9b8fb5e8b06553630cff3fbf93c983629e96d383ea2ce9680ba06702703

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
ea01479f462c778e0e9ddead79752883

SHA1
bfa04ce9d72ca7897ed24b57f773cc26395c92a0

SHA256
3024223b6000c169a7e774ee3ed52cf55ad6a5d29ff293ec1d66f95e4861ec42

SHA512
5920d2e283f75f06d0f5f6da1e7d1c48f4b7e36a56118c445c64319e0a0df22537529c2f9788f36885b99caa4dac50d069e31738baeca3b6dcc313de155f0763

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
961B

MD5
7d507a0c93ff0a85eb3f12058aa731cd

SHA1
d52cdf0d7e36c0a386c56fd771eaa90dce2b51be

SHA256
3d2d99f65159619d7dfacf7073ace7e5b3010972cd309f5daf1de2e192b25d00

SHA512
fd155551b0505b94631fc7147c204bcdcdb53f2b866ef6c31e49ff83b3dc0967ef5de1571266a1e3fbfc17fefff5c7676eab7ba77ece6e3ddef6296a5d468eff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
879d0837415df959e1d02ad9e1050a43

SHA1
9ed83ac7f8ccea15f606ed32567fd6fe4e13af72

SHA256
3f9bb15edc7dd63913496d41abfe81f37a818681671f0558b9b9b7b734fb1d55

SHA512
b820089695f37eb773145ffd1c5641aa428478ddb0cde7b0cd61777b877de917a0749cf50a85d39e5e1100663c3fdb2351c6cad024bd78000f20adf2b88a2bc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4c7fb9e07a4def0ebf573763d124826a

SHA1
56d54b4198e7ed8dc8afef03f26d12fe37669bce

SHA256
6015668ec9c124d4a03e8dab63eaba6b9524112457d2b8f7fcd1afdec223788d

SHA512
57b03d4127ad5f620125110ac4b424e6c940a614d6391bc01b73c54c82b89f7940cbdcdf1ade79313aec00857b8b17c3ff0ebede07818a6ae46e6465643b8e18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
76d460697cc185afb7b94194ea15f5b3

SHA1
a77c9d37df0f9b90ed367b866472a455458f640b

SHA256
fc8c680f72bc9b5aac2b9df2df8e0d6d90111b26baea40a347c9251e5cc93f32

SHA512
2358c3b2bac94dff5751b62a9de92a6c951c5918476311c55239f85d280a854d667b5c49c2a6b1618ca185dbb1728b9f805ad9dfeb6c83a25d2d3d393c702ad8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3749e53ba2ba5104c8f8a0dca2c5c450

SHA1
b5208d4a1f0f57d3d6f20e3427c7319e3643888f

SHA256
a063f42e441ebd5ca543196bbbf7d93b86587cd1120a6238dd4e14ed8af49d3c

SHA512
8f627cc5344fc7946c787b2b896bac81852056c2c4a87a28d35b61f5f7cea1c5aff6b580c804b660c3b621f1480780262b0857b545b3899972dc597219a4818d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
340dd781431de1073e53f82d4dbd3c94

SHA1
705ffd348d51f754a9249415b76cdf05c6d7c575

SHA256
5876022bce4c2a925e2573adaecff90d3fd281e993f8e77e33078904005ac227

SHA512
4f5bf02b1306b80ad40e0229bbe266e623b27a96ff67ba58f6040e292735ce14679b8c6a9a639676b155f41d995c1406dee5c5df17c89ed0793ac5829b00db87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e1861d5f07964ae88bd0701b6b73a76d

SHA1
02dacc9660fbede3ccd316ffb292d6d4ee5bcf86

SHA256
fcfb5f81ef318715ee21502b40fe8a0b6597e903a16ceab84e46ed51c2da83ca

SHA512
ebab72db967d84e92965fc177e2321ebf0ac84e8faafa48ea99cf001863ddd63e7284b4481b229ee752fd319c72bf769068da1b2d9842afa93601c10e031c4fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
ba52888e5c03727e984c0984c5a2efc5

SHA1
c9adb8d2367e9b4818e430084c1f019902396cac

SHA256
ca40e03b61ba4ba78be9699767271ba1e21232d05256c70c95a55a54c1e6089c

SHA512
c98463ceeed3ecf43306b57f5c4e0bee02653b5154946733c56c53bebb14e69bf20965614fc0b893be801d5041559c8a74da366b5bc00fc6a7cee9e3ac7d243e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57cd52.TMP

Filesize
48B

MD5
f614ac3970ce4d05e1463d906e6ef5e4

SHA1
26d8ebad7c0591288f313b79e52b54ecfb941cc2

SHA256
4fe5d3174b1e68f3379a94989a6be8e76c70c4d572a84bade2c4e6892cec894d

SHA512
69519db0c7842650b484e6c22ab2bd1b9846e51d860c91051e516e44139a41666550bd9671a735b543b0ac0e3cb6a4d5b67c5f9900839eef2d0c62fb0e8e0c54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
2afcf4a55654d8bbcd22a3c27d227495

SHA1
8a6dcf5bf432e772de73af3c25c905939a2a20f1

SHA256
5b6116ece2ab5f7a30f1a3b6355e0e756fd8c7490de63b112af29bff4908b82c

SHA512
39b99c811e6724de4bcaf0695e5bc36540bca29d4ae8206e7fef03967004e8642b956ae3b87d007d9db8e362ee78ffc2702a9c5f9dccdebb2862aa2526bc9658

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
ff47db465084ad9afd5cb04ee38a9155

SHA1
72bef1941ea70c3dd25fb1f77c090f3d25f95e42

SHA256
b170c2bd5de3cd234ef2c0fe62ac2a073f0dc39590bc9268adbc35ea1990c007

SHA512
48c93e6649378feb25f62a70c8af060d4563d8acd96470108b5e799539b59fc2719f10a2e1a7154042cde8c6ed6b55a77df322b128e993802380642afe1377f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
97KB

MD5
5c17e297fb61f84e6a56cf81b9810812

SHA1
564abf10a0fd262d60db121301bb11f3a2c025f1

SHA256
d22e11dc71d30b14aa1844307e97be8fab7588a0202c4768fb0862f8ecfab5b3

SHA512
71a5297eb04cd5527dcddd5d4f3aae441e27d55536271164f9cd6f433b3e42947ac4612c33e62a47cef63c38febba23d05eeaed7eb902f30b38ebd26f5f1f104

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
108KB

MD5
873b45e8073a796320040ffe1adfa8d4

SHA1
788b9e1574a6994843b56ff10790d813c690b37b

SHA256
36681023fd1b50ca64ae01888797714621e51804d94c3b41811a67b50bc3a685

SHA512
ec5fd37c1b24e5ff6d165c1bc3eddeb8f37e4d6b21f9fc9e4c42e83e031d7f95d1aa24d91c40e770d619dbd1fbc92c23bb945cb20f7a9998560403e094cf24a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe594b09.TMP

Filesize
92KB

MD5
d36d58042251bad7e04831ea798696ec

SHA1
ee0bcb38267a099dd6976dff4d82109068a0645f

SHA256
22ab612ecbdf975e05e57d5ef760e1dc227d2f7d36e0e0ba69b46b7df2720fa0

SHA512
be61145ad5c73ce0763a300e80d1f432aeaee82809af131b96ebf04e740ee861fa2991fc6984f612e69c569cbe53356df5cc9d1d23f7eaba92b7f935569d03dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
8b0d413b81b7c6f0e288d16563851d77

SHA1
e8255efa9c2d602f27f6427c209e10d7ecb8c58c

SHA256
a294f57eb94f287835b45ae7a98c3838f4299b6115cbf7bdf06bc8208d5df811

SHA512
b141523421c856a92b4128acf750642a01f90dab4f3348694eb78bc76f705ec15093bdcea2a4ad6d2b640fce75240bc1c09099ffea26c2d66e13c1173ba4fa43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\ONENOTE.exe

Filesize
45.6MB

MD5
ad8d3bfd4f098e40573131362feb4c70

SHA1
55c6d87e2e6c1bc0387b2f79a58b60783d0cb3e0

SHA256
f3f8be601f0243204de8f66ef37180dbb46392f2a61af2fcbfcea3ab736b448a

SHA512
efa0416227d0ba7657d6b4c4c6f496fb50a2dc150cadf042ad0105b749ddb25cbc857999775e0fffc5d77a57ed029d38af011476e9541ac4fe34135dee36c507

Download Submit
C:\Users\Admin\Downloads\ONENOTE.exe

Filesize
54.3MB

MD5
72b03b30367e832941a0c42ae68b2203

SHA1
53614db84e731178741b5d18d96f44bed3d50706

SHA256
4ecbd02994bbc6c13d025cc81b123a1e4f91e394eca3f8eb77ab8e0f75f051b1

SHA512
5c17a50fc8bf6c257fd08eb40ceb8a862fac3774778315de2a0d1f9a50facb131cfb05dfc42ae5364e83edd7ddb20fdbcd4648d415f87dd0924b7a8dd3775695

Download Submit
C:\Users\Admin\Downloads\ONENOTE.exe

Filesize
206KB

MD5
f3d29a2b4a18259d29cd1be690853169

SHA1
9bbaf5966bbc7edf1f2428991a61326b93e96c5e

SHA256
900acf6637bbca1ba7d4570eb9fb90b6e2aefc980c812d8424c5db57692023d0

SHA512
5ec3868bca93e873c778e10a0fc4904fb954a4764831c2fb76a6aff6c596bd16ab936be69320b199ede5e8c74814f8c0b08a89495a6506e692bd850112ce5628

Download Submit
C:\Users\Admin\Downloads\ONENOTE.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/3152-288-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3152-286-0x00000000093F0000-0x00000000093F1000-memory.dmp

Filesize
4KB

Download
memory/3152-300-0x00000000689E0000-0x00000000689EC000-memory.dmp

Filesize
48KB

Download
memory/3152-303-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/3152-307-0x0000000077C17000-0x0000000077C18000-memory.dmp

Filesize
4KB

Download
memory/3152-308-0x0000000009B80000-0x0000000009B81000-memory.dmp

Filesize
4KB

Download
memory/3152-287-0x00000000095B0000-0x00000000095B1000-memory.dmp

Filesize
4KB

Download
memory/4104-311-0x0000000009420000-0x0000000009421000-memory.dmp

Filesize
4KB

Download
memory/4104-322-0x0000000077C17000-0x0000000077C18000-memory.dmp

Filesize
4KB

Download
memory/4104-323-0x00000000099C0000-0x00000000099C1000-memory.dmp

Filesize
4KB

Download
memory/4104-318-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/4104-312-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download