hxxps://drive[.]google[.]com/file/d/1-m_JuUMXABmwUlM2EEwmLDxWJBn17WTD/view

Analysis

max time kernel
146s
max time network
145s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
14/05/2024, 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1-m_JuUMXABmwUlM2EEwmLDxWJBn17WTD/view

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
55	3104	powershell.exe
56	3104	powershell.exe

Loads dropped DLL 6 IoCs

pid	Process
2644	MsiExec.exe
2644	MsiExec.exe
2644	MsiExec.exe
2644	MsiExec.exe
2644	MsiExec.exe
2644	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	drive.google.com
4	drive.google.com

Drops file in Windows directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI7E6D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7F3A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7F6C.tmp	msiexec.exe
File created	C:\Windows\Installer\e597cfa.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF4918B2FFEBE13998.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{2E67F7BB-C4ED-4EB2-B18A-C07C9C672006}	msiexec.exe
File opened for modification	C:\Windows\Installer\e597cf6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7F1A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7F5C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF5EA396E1CE136AB1.TMP	msiexec.exe
File created	C:\Windows\Installer\e597cf6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9372.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7F3B.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF755197C6A4A258A8.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF3FD95959D2C9070C.TMP	msiexec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3104	powershell.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133601384755934953"	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\x64__x32__installer.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1944	chrome.exe
1944	chrome.exe
3104	powershell.exe
3104	powershell.exe
904	msiexec.exe
904	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeCreatePagefilePrivilege	1944	chrome.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
4288	msiexec.exe
4288	msiexec.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 3092	1944	chrome.exe	80
PID 1944 wrote to memory of 3092	1944	chrome.exe	80
PID 1944 wrote to memory of 4092	1944	chrome.exe	82
PID 1944 wrote to memory of 4092	1944	chrome.exe	82
PID 1944 wrote to memory of 4092	1944	chrome.exe	82
PID 1944 wrote to memory of 4092	1944	chrome.exe	82
PID 1944 wrote to memory of 4092	1944	chrome.exe	82
PID 1944 wrote to memory of 4092	1944	chrome.exe	82
PID 1944 wrote to memory of 4092	1944	chrome.exe	82
PID 1944 wrote to memory of 4092	1944	chrome.exe	82
PID 1944 wrote to memory of 4092	1944	chrome.exe	82
PID 1944 wrote to memory of 4092	1944	chrome.exe	82
PID 1944 wrote to memory of 4092	1944	chrome.exe	82
PID 1944 wrote to memory of 4092	1944	chrome.exe	82
PID 1944 wrote to memory of 4092	1944	chrome.exe	82
PID 1944 wrote to memory of 4092	1944	chrome.exe	82
PID 1944 wrote to memory of 4092	1944	chrome.exe	82
PID 1944 wrote to memory of 4092	1944	chrome.exe	82
PID 1944 wrote to memory of 4092	1944	chrome.exe	82
PID 1944 wrote to memory of 4092	1944	chrome.exe	82
PID 1944 wrote to memory of 4092	1944	chrome.exe	82
PID 1944 wrote to memory of 4092	1944	chrome.exe	82
PID 1944 wrote to memory of 4092	1944	chrome.exe	82
PID 1944 wrote to memory of 4092	1944	chrome.exe	82
PID 1944 wrote to memory of 4092	1944	chrome.exe	82
PID 1944 wrote to memory of 4092	1944	chrome.exe	82
PID 1944 wrote to memory of 4092	1944	chrome.exe	82
PID 1944 wrote to memory of 4092	1944	chrome.exe	82
PID 1944 wrote to memory of 4092	1944	chrome.exe	82
PID 1944 wrote to memory of 4092	1944	chrome.exe	82
PID 1944 wrote to memory of 4092	1944	chrome.exe	82
PID 1944 wrote to memory of 4092	1944	chrome.exe	82
PID 1944 wrote to memory of 4092	1944	chrome.exe	82
PID 1944 wrote to memory of 3428	1944	chrome.exe	83
PID 1944 wrote to memory of 3428	1944	chrome.exe	83
PID 1944 wrote to memory of 1956	1944	chrome.exe	84
PID 1944 wrote to memory of 1956	1944	chrome.exe	84
PID 1944 wrote to memory of 1956	1944	chrome.exe	84
PID 1944 wrote to memory of 1956	1944	chrome.exe	84
PID 1944 wrote to memory of 1956	1944	chrome.exe	84
PID 1944 wrote to memory of 1956	1944	chrome.exe	84
PID 1944 wrote to memory of 1956	1944	chrome.exe	84
PID 1944 wrote to memory of 1956	1944	chrome.exe	84
PID 1944 wrote to memory of 1956	1944	chrome.exe	84
PID 1944 wrote to memory of 1956	1944	chrome.exe	84
PID 1944 wrote to memory of 1956	1944	chrome.exe	84
PID 1944 wrote to memory of 1956	1944	chrome.exe	84
PID 1944 wrote to memory of 1956	1944	chrome.exe	84
PID 1944 wrote to memory of 1956	1944	chrome.exe	84
PID 1944 wrote to memory of 1956	1944	chrome.exe	84
PID 1944 wrote to memory of 1956	1944	chrome.exe	84
PID 1944 wrote to memory of 1956	1944	chrome.exe	84
PID 1944 wrote to memory of 1956	1944	chrome.exe	84
PID 1944 wrote to memory of 1956	1944	chrome.exe	84
PID 1944 wrote to memory of 1956	1944	chrome.exe	84
PID 1944 wrote to memory of 1956	1944	chrome.exe	84
PID 1944 wrote to memory of 1956	1944	chrome.exe	84
PID 1944 wrote to memory of 1956	1944	chrome.exe	84
PID 1944 wrote to memory of 1956	1944	chrome.exe	84
PID 1944 wrote to memory of 1956	1944	chrome.exe	84
PID 1944 wrote to memory of 1956	1944	chrome.exe	84
PID 1944 wrote to memory of 1956	1944	chrome.exe	84
PID 1944 wrote to memory of 1956	1944	chrome.exe	84
PID 1944 wrote to memory of 1956	1944	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/file/d/1-m_JuUMXABmwUlM2EEwmLDxWJBn17WTD/view
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff87543ab58,0x7ff87543ab68,0x7ff87543ab78
  2⤵
  PID:3092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1500 --field-trial-handle=1808,i,15654491294745096392,15869411472905323258,131072 /prefetch:2
  2⤵
  PID:4092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1808,i,15654491294745096392,15869411472905323258,131072 /prefetch:8
  2⤵
  PID:3428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2152 --field-trial-handle=1808,i,15654491294745096392,15869411472905323258,131072 /prefetch:8
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2996 --field-trial-handle=1808,i,15654491294745096392,15869411472905323258,131072 /prefetch:1
  2⤵
  PID:4344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3020 --field-trial-handle=1808,i,15654491294745096392,15869411472905323258,131072 /prefetch:1
  2⤵
  PID:564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4276 --field-trial-handle=1808,i,15654491294745096392,15869411472905323258,131072 /prefetch:1
  2⤵
  PID:1912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4440 --field-trial-handle=1808,i,15654491294745096392,15869411472905323258,131072 /prefetch:8
  2⤵
  PID:3656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 --field-trial-handle=1808,i,15654491294745096392,15869411472905323258,131072 /prefetch:8
  2⤵
  PID:920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4068 --field-trial-handle=1808,i,15654491294745096392,15869411472905323258,131072 /prefetch:1
  2⤵
  PID:1200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3444 --field-trial-handle=1808,i,15654491294745096392,15869411472905323258,131072 /prefetch:8
  2⤵
  PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 --field-trial-handle=1808,i,15654491294745096392,15869411472905323258,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:3044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4156 --field-trial-handle=1808,i,15654491294745096392,15869411472905323258,131072 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 --field-trial-handle=1808,i,15654491294745096392,15869411472905323258,131072 /prefetch:8
  2⤵
  PID:4416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5240 --field-trial-handle=1808,i,15654491294745096392,15869411472905323258,131072 /prefetch:1
  2⤵
  PID:4484

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:796

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe
"C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe" -Embedding
1⤵
PID:4916

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3392

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\x64__x32__installer\x64__x32___setup\setup.msi"
1⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:4288

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:904
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding EC179CE68AEE21EBA9B2AEFC82A7CB03
  2⤵
  - Loads dropped DLL
  PID:2644
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss7FC8.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi7FC5.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr7FC6.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr7FC7.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e597cf9.rbs

Filesize
19KB

MD5
1e99757021cad9603773fd4a527e9e52

SHA1
17f19b0d8a21b147160c2d7d94f96480ed5e1290

SHA256
c9834c1f7471dfe62ad7177e14d1bb93c002e804b2f0bec8b2bfae5b61181454

SHA512
4a67e4dbf5b3b57a065f75669cb5a380e860a03013f321e226aaf9bd11d9fe146b7fdc70f79ef1a1b802aa3558e3a8a1a9728f3e6ea6e3cc53c90bdf91eb8650

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
7cb382a9375ebde03fd07e21b03d548d

SHA1
96c0eab2006d0e2bce6c69a8c972314f54e36df7

SHA256
aa858f4683ca4c72859512c4f79ff51cc520bedac8861cb43cf697b51a612ed1

SHA512
391b4a7f17459077e171e0b3d2a96e707e80e6c06b99cc2ed84ef44d4fbf3873509648c8d6e8d937b713a5b8ac7fac4b5de051294f310f1715c0eaa51a238879

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b89dadcdfc21fa7bf401b4bb8e3ca6ae

SHA1
04f3f4408ebcce1a9afb3d8990cb25e62984d78b

SHA256
2d2fa1a892bc763f61f16b3bf384d486289eebddb02619391c97df913b50401e

SHA512
eb2b5fcfba0a640398c71265338136f3f61b80f4e84dc1ad6c0a15205ad4925ab856870ab89d0bb6f4df106b940a5a276e06706e57b00f8d487b015cec5b30cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
1f63c4fce4112dd1f13021065e41b65a

SHA1
4c0794dc320fed1544818b9344aedbeae0a774de

SHA256
71dd6ba9b1b1c310097dc94540ec9599f368ee5f893ec6210400b6f7829394d1

SHA512
91538babc423a8bfee50bc2a285068cb3eee45dc3fb85d42b56998ba386f09d4af986b1ec8d72eedef1f8da3cde076b11f41ad15da596e3eabf0d765c187d06f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1016B

MD5
c02e10108e3ac59a7b1fb8b8415a8be9

SHA1
3306dfa04266f4138ddcc4cc83c6e54f825d0d32

SHA256
3d649296e226596352128e1ce7285cd08b5c2a229bae3fc3267768aaf9c6c9ab

SHA512
40cc279da6f52a4344188933906d58aa0003832e5802712327f055f88ba64b7f36567d1c954693412812149f30fba99bab2bdc75104e10ca394628d1d5c1a88b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
2bc9e293c4ba407748d788bca1543707

SHA1
2a74a191ffd95bbeed84629826534fe698dcbfef

SHA256
e2291fe84fa873ba3c8266a65ede20c5644e80cdc2b84324ce0952967e5db3bd

SHA512
e7d45e9dea83eb32ceb99b7a650439238a4a27c08094d2c4fd4cd12f751de75503335ff3085b9b4f5ec795982c496006885dc479e6e435bbac21ff6def7038b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
7779a3a83e477b1432e21f6ae1e2e5a2

SHA1
8eddcc882872d795e47757f31670d50c7bda702c

SHA256
6c8b64ca44cdfca7cb40178c63e6ada3b76cd46b74abc8fa73e19c0986fa2cd1

SHA512
6cd93a9f18138872629c2d604f69f931c070f1aed901ff3a7ec280f0b51becb5b31c463adf14ccdcd9c28b17b320f16abec6e1edd77ef5eeeac033e4f610ba9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
6a34378d60e31380fa15755624c75a77

SHA1
81a7303f9c146efe3b7509c89588ff106fbf2095

SHA256
10636b66e589c62beb74dce35c90802601b734b2dd6fe02f69f8094540231903

SHA512
5ae9c2c162a2f9bfb970b5ed141e6bebcacc67b7fa5f02e3a71ef7ed3c58b3cc0ea0f14aff340d5638819de28812215f10db9213283f124d36f4511583280dd4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
58219c9b68b2ec9b167e3e3c1f68056d

SHA1
932f9ed298742888f3976cb32f55720545b6abf6

SHA256
0a63eeb32a31437de6d35d9479af169c4f630ead173a68d2fe6ad42e7c84926b

SHA512
eb935676031df763697d27fe7e2acbf339a003c97181a6d4fb7154df6e9a8176ff20d3d8297ad8c16e26176e5ab9c9e98ba25b1106f33aecaabb9ada58a90343

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
ee4df995eb95027c1f37d383ad2a1e4a

SHA1
54df4054bd749a4c0058b756a9ae3703afca6c99

SHA256
ec4b2858de06dabfaa3c5240099e3a8e87612ee7f13fb02b2b0249be71b907ad

SHA512
f0363462353b07df937cd21335ddea5ef2047a55d08b38f7767da52b32e8964de2fae447a3818e9114b83af00899a387f133dc7337b27d1b9a8cb536b44f8a07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
f62338a445c337d18256bcc847dcd729

SHA1
ec55a3f54fc5cb2d09496d7bb8bf81dd1a4b95b7

SHA256
04419f33a377d1af655d3f23fab2ad625310a1a9197c8e029001df4e3bbc94d0

SHA512
32af33038dc9618e707834a46369a70c13ecce7da2339c5d4b36d97d0828b5229100debc6f6d81861e7ec9c0e4097a432b220f50b53b71531a66a7918fc8aa3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
88KB

MD5
aff4439814d38e4934f3b9ba1c8bddd3

SHA1
63f3dc686a45ba93d1de3bcadd86e095ae5c30e3

SHA256
4140c9340cad77cd821f38d786fe8ff0c53cd9b2e525424a772c0d8a9b7b1187

SHA512
c3c495e8ba81d1baef0dc0ac43d36d3ffa0a533d16e803d675d2ac7c07d6216f3994382a31c1e27c4e80b61bc6a665d5c299376699a6d22579506b1c1eff3987

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe585dfa.TMP

Filesize
83KB

MD5
92e6747051b468ad0cdd1e0df348dbe1

SHA1
1edbb054ecaf0ddf74fabfbd8f955c0ba279ec23

SHA256
70728b2e3fe9bbfb4c38a449c49ba126fc7ee4ab099614d7d2444759ca24864a

SHA512
aeecf92d2401be1b3973b1104f5a1727027997ecb4e1775f5590084d91c2cad8ec179cf496ba1882b8c85fefacb694885c649976867918e1141f3374cd1324fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
90f388f17155528a2f79735b9a1dcf1d

SHA1
93dc4fc93861969f7d2fdde555f38021c9edce38

SHA256
43a57b4672f8459a992cb0116f1d065bdb2a774efe43d166cbb0e1a864162d22

SHA512
bdbc8c4afef379389dbf8e9aa49ed3fb5323910da44b95169b019301cc2485bd99542bb71e3efc3f1142fd9cb0f1dc1ab7f8ba01cad3bcf00d614ff28116eb9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l4cpdfxs.j5a.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\msi7FC5.txt

Filesize
54B

MD5
db420131f396adc6189eb74ccab4ef61

SHA1
f7a0653289e00ae8a37836e4bb0c484a5434f4db

SHA256
20712a091c0903c153ec0394f349e4e687fc16980c77434fab8af6c768b4de22

SHA512
8f29ec5eae268faa330bc71859bada8e36b6f53e27d819dff04451de2cb644307c80f64f71b5768906a6c5eb28e5e77f4a1b23dde01bbfa0e6b9575c4fd92f73

Download Submit
C:\Users\Admin\AppData\Local\Temp\pss7FC8.ps1

Filesize
6KB

MD5
30c30ef2cb47e35101d13402b5661179

SHA1
25696b2aab86a9233f19017539e2dd83b2f75d4e

SHA256
53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f

SHA512
882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458

Download Submit
C:\Users\Admin\AppData\Local\Temp\scr7FC6.ps1

Filesize
558B

MD5
32aaf95e81f7c25950c11c53615c753a

SHA1
603ae202e859261d2ea09ac44f84d98a44007316

SHA256
e523cdefc4d381fd0bb040f80f8ebcba9a022c7b731d1e3fba27ef0ad8643a58

SHA512
4076c6b5a77ebc5c5e02c28269cf4751644a508c9661806e7560664e9c9379c808ca8c0860e6efd4ea3c837edbcbc4b20060413012e5f446f17a44efcef517db

Download Submit
C:\Users\Admin\AppData\Roaming\Vuis Queue\AppQue\libgcrypt-20.dll

Filesize
975KB

MD5
24dac6152c216a1b7b1afef7c36e2b65

SHA1
a832467931f07b3f41772d89feb194a90be4119b

SHA256
784af4a0d287a6611d5ee4fda32e31d7b3d5afcd14bca75d2564bb9f0045b449

SHA512
b4da7fe3e32fe1dc89197ec4f0a84c1cb38ff4d872f842f4692d1520e2b39efd2d7e3b928a8e225d2504aadf72a923ed7ee7e3552988c6365b9b30358912d6ce

Download Submit
C:\Users\Admin\Downloads\x64__x32__installer.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\Installer\MSI7E6D.tmp

Filesize
738KB

MD5
b158d8d605571ea47a238df5ab43dfaa

SHA1
bb91ae1f2f7142b9099e3cc285f4f5b84de568e4

SHA256
ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504

SHA512
56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591

Download Submit
C:\Windows\Installer\MSI7F6C.tmp

Filesize
758KB

MD5
fb4665320c9da54598321c59cc5ed623

SHA1
89e87b3cc569edd26b5805244cfacb2f9c892bc7

SHA256
9fb3156c665211a0081b189142c1d1ab18cda601ee54d5f5d8883ecfa4177a59

SHA512
b205552a3cfbaa2202e6ef7e39e229af167b2342a7dc4a2f4cadfe4d05000966cf19e9e208e44d6bb0fd6a56f4283caeed9c13f523e5b301b87f79febb1840cf

Download Submit
C:\Windows\Installer\e597cf6.msi

Filesize
35.0MB

MD5
f21f1b608d45926927f6178511bdd579

SHA1
a1a251359d7cea7dfeb52d1314bc460144533eca

SHA256
b089485a125e744a166fc05cef1ec2ed5eeaa51b12f3b8e8d0adc73e7579cc5a

SHA512
66521db47efc6a6f82693330af0e612886e7f0f13c7737da6459c0abb937ad1cbcd1376dc9fbddd6d78af551bc38913871e2e21e48e8d5ed630377b523e8f276

Download Submit
memory/3104-297-0x0000000005480000-0x00000000054A2000-memory.dmp

Filesize
136KB

Download
memory/3104-310-0x0000000006260000-0x00000000062AC000-memory.dmp

Filesize
304KB

Download
memory/3104-309-0x0000000006220000-0x000000000623E000-memory.dmp

Filesize
120KB

Download
memory/3104-312-0x0000000007990000-0x000000000800A000-memory.dmp

Filesize
6.5MB

Download
memory/3104-313-0x00000000067C0000-0x00000000067DA000-memory.dmp

Filesize
104KB

Download
memory/3104-314-0x0000000007310000-0x00000000073A6000-memory.dmp

Filesize
600KB

Download
memory/3104-315-0x0000000006840000-0x0000000006862000-memory.dmp

Filesize
136KB

Download
memory/3104-316-0x0000000008010000-0x00000000085B6000-memory.dmp

Filesize
5.6MB

Download
memory/3104-308-0x0000000005E50000-0x00000000061A7000-memory.dmp

Filesize
3.3MB

Download
memory/3104-318-0x0000000008790000-0x0000000008952000-memory.dmp

Filesize
1.8MB

Download
memory/3104-319-0x0000000008E90000-0x00000000093BC000-memory.dmp

Filesize
5.2MB

Download
memory/3104-299-0x0000000005690000-0x00000000056F6000-memory.dmp

Filesize
408KB

Download
memory/3104-298-0x0000000005620000-0x0000000005686000-memory.dmp

Filesize
408KB

Download
memory/3104-296-0x0000000005820000-0x0000000005E4A000-memory.dmp

Filesize
6.2MB

Download
memory/3104-295-0x00000000012A0000-0x00000000012D6000-memory.dmp

Filesize
216KB

Download