652b30176e26149f136abc39493e79557343fed3bba35b87578d71d65723ac81

Analysis

max time kernel
99s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 14:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

BClickerDownloader-v16.exe
Size

11.8MB
MD5

45498584f4ee39c214b7836871726197
SHA1

4856de05038019e7a153240094c0c0636ed70b04
SHA256

652b30176e26149f136abc39493e79557343fed3bba35b87578d71d65723ac81
SHA512

293d51507cf1248351fd23ebce8f29f6054d9968f6082ddfcce5192465925a3e13edbae305e220d921b3687b7716ba19b4efd7fadcda83e18f98df37f31d0155
SSDEEP

196608:StSXXcJQa/He8+cgJEqV11c7wautTQ1Culhvrxea:osTJ9SCcPe

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
968	BuzkaaClicker.exe

Loads dropped DLL 4 IoCs

pid	Process
968	BuzkaaClicker.exe
968	BuzkaaClicker.exe
968	BuzkaaClicker.exe
968	BuzkaaClicker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133652677639638817"	chrome.exe

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	BClickerDownloader-v16.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	BClickerDownloader-v16.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	BClickerDownloader-v16.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
368	BClickerDownloader-v16.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5032	chrome.exe
5032	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
968	BuzkaaClicker.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
368	BClickerDownloader-v16.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
968	BuzkaaClicker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 4476	368	BClickerDownloader-v16.exe	87
PID 368 wrote to memory of 4476	368	BClickerDownloader-v16.exe	87
PID 368 wrote to memory of 4476	368	BClickerDownloader-v16.exe	87
PID 368 wrote to memory of 4788	368	BClickerDownloader-v16.exe	88
PID 368 wrote to memory of 4788	368	BClickerDownloader-v16.exe	88
PID 368 wrote to memory of 4788	368	BClickerDownloader-v16.exe	88
PID 5032 wrote to memory of 2628	5032	chrome.exe	92
PID 5032 wrote to memory of 2628	5032	chrome.exe	92
PID 5032 wrote to memory of 2068	5032	chrome.exe	93
PID 5032 wrote to memory of 2068	5032	chrome.exe	93
PID 5032 wrote to memory of 2068	5032	chrome.exe	93
PID 5032 wrote to memory of 2068	5032	chrome.exe	93
PID 5032 wrote to memory of 2068	5032	chrome.exe	93
PID 5032 wrote to memory of 2068	5032	chrome.exe	93
PID 5032 wrote to memory of 2068	5032	chrome.exe	93
PID 5032 wrote to memory of 2068	5032	chrome.exe	93
PID 5032 wrote to memory of 2068	5032	chrome.exe	93
PID 5032 wrote to memory of 2068	5032	chrome.exe	93
PID 5032 wrote to memory of 2068	5032	chrome.exe	93
PID 5032 wrote to memory of 2068	5032	chrome.exe	93
PID 5032 wrote to memory of 2068	5032	chrome.exe	93
PID 5032 wrote to memory of 2068	5032	chrome.exe	93
PID 5032 wrote to memory of 2068	5032	chrome.exe	93
PID 5032 wrote to memory of 2068	5032	chrome.exe	93
PID 5032 wrote to memory of 2068	5032	chrome.exe	93
PID 5032 wrote to memory of 2068	5032	chrome.exe	93
PID 5032 wrote to memory of 2068	5032	chrome.exe	93
PID 5032 wrote to memory of 2068	5032	chrome.exe	93
PID 5032 wrote to memory of 2068	5032	chrome.exe	93
PID 5032 wrote to memory of 2068	5032	chrome.exe	93
PID 5032 wrote to memory of 2068	5032	chrome.exe	93
PID 5032 wrote to memory of 2068	5032	chrome.exe	93
PID 5032 wrote to memory of 2068	5032	chrome.exe	93
PID 5032 wrote to memory of 2068	5032	chrome.exe	93
PID 5032 wrote to memory of 2068	5032	chrome.exe	93
PID 5032 wrote to memory of 2068	5032	chrome.exe	93
PID 5032 wrote to memory of 2068	5032	chrome.exe	93
PID 5032 wrote to memory of 2068	5032	chrome.exe	93
PID 5032 wrote to memory of 3532	5032	chrome.exe	94
PID 5032 wrote to memory of 3532	5032	chrome.exe	94
PID 5032 wrote to memory of 4400	5032	chrome.exe	95
PID 5032 wrote to memory of 4400	5032	chrome.exe	95
PID 5032 wrote to memory of 4400	5032	chrome.exe	95
PID 5032 wrote to memory of 4400	5032	chrome.exe	95
PID 5032 wrote to memory of 4400	5032	chrome.exe	95
PID 5032 wrote to memory of 4400	5032	chrome.exe	95
PID 5032 wrote to memory of 4400	5032	chrome.exe	95
PID 5032 wrote to memory of 4400	5032	chrome.exe	95
PID 5032 wrote to memory of 4400	5032	chrome.exe	95
PID 5032 wrote to memory of 4400	5032	chrome.exe	95
PID 5032 wrote to memory of 4400	5032	chrome.exe	95
PID 5032 wrote to memory of 4400	5032	chrome.exe	95
PID 5032 wrote to memory of 4400	5032	chrome.exe	95
PID 5032 wrote to memory of 4400	5032	chrome.exe	95
PID 5032 wrote to memory of 4400	5032	chrome.exe	95
PID 5032 wrote to memory of 4400	5032	chrome.exe	95
PID 5032 wrote to memory of 4400	5032	chrome.exe	95
PID 5032 wrote to memory of 4400	5032	chrome.exe	95
PID 5032 wrote to memory of 4400	5032	chrome.exe	95
PID 5032 wrote to memory of 4400	5032	chrome.exe	95
PID 5032 wrote to memory of 4400	5032	chrome.exe	95
PID 5032 wrote to memory of 4400	5032	chrome.exe	95
PID 5032 wrote to memory of 4400	5032	chrome.exe	95
PID 5032 wrote to memory of 4400	5032	chrome.exe	95

C:\Users\Admin\AppData\Local\Temp\BClickerDownloader-v16.exe
"C:\Users\Admin\AppData\Local\Temp\BClickerDownloader-v16.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:368
- C:\Windows\SysWOW64\wscript.exe
  wscript lnkToDesktop.vbs
  2⤵
  PID:4476
- C:\Windows\SysWOW64\wscript.exe
  wscript lnkToStartMenu.vbs
  2⤵
  PID:4788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x11c,0x120,0x124,0xf4,0x128,0x7ffc8f5ecc40,0x7ffc8f5ecc4c,0x7ffc8f5ecc58
  2⤵
  PID:2628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,15041771809971163914,16652846008915949802,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2200,i,15041771809971163914,16652846008915949802,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2428 /prefetch:3
  2⤵
  PID:3532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,15041771809971163914,16652846008915949802,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2456 /prefetch:8
  2⤵
  PID:4400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,15041771809971163914,16652846008915949802,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3264,i,15041771809971163914,16652846008915949802,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4528,i,15041771809971163914,16652846008915949802,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3728 /prefetch:1
  2⤵
  PID:588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4820,i,15041771809971163914,16652846008915949802,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4824 /prefetch:8
  2⤵
  PID:3260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4856,i,15041771809971163914,16652846008915949802,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4996 /prefetch:8
  2⤵
  PID:4296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4744,i,15041771809971163914,16652846008915949802,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:5008

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:2328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4564

C:\BuzkaaClicker\BuzkaaClicker.exe
"C:\BuzkaaClicker\BuzkaaClicker.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BuzkaaClicker\BuzkaaClicker.exe

Filesize
1.2MB

MD5
e75cc194d0fa05153558a32ce48b0fdd

SHA1
0c2ce3082456ef2d390c834c81b7ed742597a52f

SHA256
668b879354eb7ce2665a1b248c1ed4f8398718ebe832b9d8f9cea9d623ac9019

SHA512
af1a5b05d0ce2d4f9df3a5bfeba90cb7570b50a9ac77ccb5f47c3ed4926cfb2c589d132fc46fa1e276d400f8c900318d6876effb8c1ce900e84b48b042f5e26c

Download Submit
C:\BuzkaaClicker\MaterialSkin.dll

Filesize
570KB

MD5
97568affe657fb77de46e56cdd1b03a2

SHA1
31a94c5c71f3bb79cec203ee049626edc3a41c7a

SHA256
d63d8e7acc51326a94a11a3023b6ff297f8eade7e4aacbcc236430723f6f1414

SHA512
3d673bbc273b32b9a1add254505ceb785157e4768f67cc25fa810d4b37770923ef3c17d34ff8dfd9c4d5acb818c42319ed1992311ed1e68de5e2a475882b2f15

Download Submit
C:\BuzkaaClicker\Newtonsoft.Json.dll

Filesize
492KB

MD5
5e02ddaf3b02e43e532fc6a52b04d14b

SHA1
67f0bd5cfa3824860626b6b3fff37dc89e305cec

SHA256
78bedd9fce877a71a8d8ff9a813662d8248361e46705c4ef7afc61d440ff2eeb

SHA512
38720cacbb169dfc448deef86af973eafefa19eaeb48c55c58091c9d6a8b12a1f90148c287faaaa01326ec47143969ad1b54ee2b81018e1de0b83350dc418d1c

Download Submit
C:\BuzkaaClicker\config.bclick

Filesize
211B

MD5
e7f3107ee6c29dccfce2ea8a7b484aec

SHA1
8e5b29c8b7a125fc0e43fed07e9f4fa533664ed9

SHA256
4f02942fb08130ba6202cdb541976ca5d21ffb163a3c9a5811911be2c5fd2d73

SHA512
9c81d94c8eca06a97338632a8a26e38ed1c1f3f56b3763f570af455384fce6f6ed982a942fd020b731edc88be030145325aa6b527eebf11b9292db7fe15bf49d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
99814eac6fa09ba6351d1982f642caa8

SHA1
29fc3e8146106968abdeb9d8fcd0d162522c517f

SHA256
0af2676b56e52288c5819df37b6dc59b78a03737f4f30e0aedd61545ea627291

SHA512
c51abd3e58bb71db3419cd72b788709054c60c11e4743605517eba24cb044bd6177620212f4f0cfbf9ed5393b73840b06cc6636f9768fd553b63bba291108f56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
2d77130634b572f66c494f44a25f8298

SHA1
c8c1513ec5873bd37fa7b4a0129952f82db2ddaa

SHA256
31fb92ed573eb7e240f3d4e243e7e5553fcbd0727eb511533cf925564a663ac3

SHA512
06d1c6185fbd3e6c24e60beeb751a56b668274ff5efb74db0e2ce81b765b4f3743e4f28f9f4d04fadded95866ea97b551ba448e5ce69560be3805752bf7edbd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
924c9995579975f8430725091112d873

SHA1
f258184ff61f6b74ea5cd64930de849640bd3164

SHA256
c235b83762b1ccf812fe099db0558de5b3ffddf34952b91555c94e5c85c277e1

SHA512
c704b9d1f6f01a7f3f3b71a571b45d61a1ec1b077a99f025ef06a9f0fc3edcc340b8352998bc3615deb98e3ec7eaa8b7e3efd815566f42c76586e6391143ab8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
7389509067803d5250df5c02a569dee9

SHA1
d8a60853c6daa2fa5a2e35abd1defa74de4362eb

SHA256
89230789e862a5ccdccaad150c2fe4df76b798a91e69bfacbb085d3212b3cf65

SHA512
1e75302ef954ea136a5fff0ac4de2b9078d959297ded5de8bdd14b9f4848000ec82fd042d88824d26025b5a851d71cbd427c2b16258810cc9237e6ea01949fe0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1bad8c1fe1c434925c5d71609979222d

SHA1
4546b93d6b7377d9fc88c639951dce45ca02fe8f

SHA256
1981c92fa0ee90aec0337154b9ca7d6ebbeb72cbd39258ef29fce621078192f5

SHA512
02598d413bd6472c654f2cb0bbd774e698a987525e85bdaa458c72fbe0eb20d502f9fdece099b41c555f59932f461783043edec3bb4daa6b0d742c264afc9cf1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cbba877d896b95edacd690515954beb6

SHA1
b500624035e5ea1bef75b440fe682d7ebd0b52be

SHA256
c374eabeb6d4b4e84d274b176d1bee912f3b096c63d953817e16ee18f6c8553d

SHA512
908ceec5976f0c0f2a8226cdb51409748dc561cce7dbbb5fe9cdf72006883f264f000c1a16e90e7d650ccb2018c94244e93cfc74700614755da45504c33f4ba2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
76472fadabce329068ab364616bcc42b

SHA1
be124a8e131b5935c52f6c625125f3cb29cf6eda

SHA256
6af66fecdb870d797e99e3a8517500d0d7a5a5ad4dfa47e58990dba8386f31d4

SHA512
ddd181c954e5d9bc9f75739296d488c66aab9dc0b75c3b88b80e9cfcf3434e5c50e7d165bc3081f818363db31dba0063b527c786a9de9cf14ddfe330c4fc8f92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
182KB

MD5
f999ccae056f5bdb01e86d5c438c3332

SHA1
d5604c29522e46fce5e764a96fc7a4b74d989141

SHA256
4d2f27c8172125934e26678a3804cf82ed0bbde7df6d3b16f5acda0052e923f3

SHA512
58226a186dfb97c66793a6f5aa1cc756d49d5452dddd6a5f3aa65ff3d74a9a9feed55fa872de75bfcbcf74135c2b41c9f67d37fdaab83826151d2b429c10d043

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
182KB

MD5
697ec087467d7b84bf39c175627cffba

SHA1
0a6ed895b90d878407078ead702647732fe09e4c

SHA256
59a07913001590258691448fb2355c07b1041af9d7780cc48ba4c0d8a9c51282

SHA512
0ed445c9427cc08be239210f0c74c6a88c4f7f45e788e1e3bb3a4c9aa911fe88850feae4205d455d58b9c1ac9b18af0873ca0a7f80272f7e75714ce89a8c1525

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
b91769d6e3f22e28f369ef6666457648

SHA1
c3810cf7052e0c04d4e97fa1d358aafb71f3b337

SHA256
7aadd02690962c24ac01d039f98041d2d4c34bec74e16e94d7495557320ccc75

SHA512
9b071ece2e5a0c4ce8ba73edfd99c98a3cf122ae1e4a64af3f1f011d89c97eb2c4b144a7ac9a6e1b39c75224fe40e75974c2996c1e39ef0cc314ba3ecee0fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\lnkToDesktop.vbs

Filesize
465B

MD5
f4f8b82b3b3f7ba8c00c712e4fc69c13

SHA1
9ad34210adecf47ad0ce68ba2034a02fafc586fc

SHA256
93f9f275c48bcacfef4773b3b339f0a82555ee36f68af2214e93e3e0001880aa

SHA512
be2fa604d228668634fce10d9245eae90b4ee7f62eb4b360b28100e0ab351bd4048dd5d78db632355646bfeb3d867af20d428b5968c25b08230b26be52487895

Download Submit
C:\Users\Admin\AppData\Local\Temp\lnkToStartMenu.vbs

Filesize
467B

MD5
77aa925be8b5f21bef1718a3e87b9835

SHA1
63c917dd13c77301238ad58e3bbf4eae6cc30acb

SHA256
21cd6a49b45e23e079009a885e2cf36fddc6efcfb7aae92bcab0232c93e8e18d

SHA512
ab3ffee3a0e20ff0cba51de38839ab632067875373c59691740ee2dd8516394ab39203c1d7360a9f2e546fa4f623d6b91e524b55ffeb3db60c4855f83d0ba782

Download Submit
memory/968-216-0x0000000000620000-0x000000000075B000-memory.dmp

Filesize
1.2MB

Download
memory/968-217-0x00000000052C0000-0x0000000005864000-memory.dmp

Filesize
5.6MB

Download
memory/968-218-0x0000000004E10000-0x0000000004EA2000-memory.dmp

Filesize
584KB

Download
memory/968-219-0x0000000004EC0000-0x0000000004ECA000-memory.dmp

Filesize
40KB

Download
memory/968-223-0x0000000005100000-0x0000000005196000-memory.dmp

Filesize
600KB

Download
memory/968-228-0x0000000008DD0000-0x0000000008E52000-memory.dmp

Filesize
520KB

Download
memory/968-229-0x0000000008B00000-0x0000000008B22000-memory.dmp

Filesize
136KB

Download
memory/968-230-0x0000000009A50000-0x0000000009DA4000-memory.dmp

Filesize
3.3MB

Download