netsupport | hxxps://bazaar[.]abuse[.]ch/sample/0ecb6f595440040d3b91d220efba1be83db98201be5dbdc98eb1268439f17c4f/

Analysis

max time kernel
172s
max time network
148s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
27-08-2024 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bazaar.abuse.ch/sample/0ecb6f595440040d3b91d220efba1be83db98201be5dbdc98eb1268439f17c4f/

Score

10^/10

netsupport discovery rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Executes dropped EXE 1 IoCs

pid	Process
3924	client32.exe

Loads dropped DLL 5 IoCs

pid	Process
3924	client32.exe
3924	client32.exe
3924	client32.exe
3924	client32.exe
3924	client32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133692575725135350"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\0ecb6f595440040d3b91d220efba1be83db98201be5dbdc98eb1268439f17c4f.zip:Zone.Identifier	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
584	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4904	chrome.exe
4904	chrome.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4888	7zFM.exe
3076	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4904	chrome.exe
Token: SeCreatePagefilePrivilege	4904	chrome.exe
Token: SeShutdownPrivilege	4904	chrome.exe
Token: SeCreatePagefilePrivilege	4904	chrome.exe
Token: SeShutdownPrivilege	4904	chrome.exe
Token: SeCreatePagefilePrivilege	4904	chrome.exe
Token: SeShutdownPrivilege	4904	chrome.exe
Token: SeCreatePagefilePrivilege	4904	chrome.exe
Token: SeShutdownPrivilege	4904	chrome.exe
Token: SeCreatePagefilePrivilege	4904	chrome.exe
Token: SeShutdownPrivilege	4904	chrome.exe
Token: SeCreatePagefilePrivilege	4904	chrome.exe
Token: SeShutdownPrivilege	4904	chrome.exe
Token: SeCreatePagefilePrivilege	4904	chrome.exe
Token: SeShutdownPrivilege	4904	chrome.exe
Token: SeCreatePagefilePrivilege	4904	chrome.exe
Token: SeShutdownPrivilege	4904	chrome.exe
Token: SeCreatePagefilePrivilege	4904	chrome.exe
Token: SeShutdownPrivilege	4904	chrome.exe
Token: SeCreatePagefilePrivilege	4904	chrome.exe
Token: SeShutdownPrivilege	4904	chrome.exe
Token: SeCreatePagefilePrivilege	4904	chrome.exe
Token: SeShutdownPrivilege	4904	chrome.exe
Token: SeCreatePagefilePrivilege	4904	chrome.exe
Token: SeShutdownPrivilege	4904	chrome.exe
Token: SeCreatePagefilePrivilege	4904	chrome.exe
Token: SeShutdownPrivilege	4904	chrome.exe
Token: SeCreatePagefilePrivilege	4904	chrome.exe
Token: SeShutdownPrivilege	4904	chrome.exe
Token: SeCreatePagefilePrivilege	4904	chrome.exe
Token: SeShutdownPrivilege	4904	chrome.exe
Token: SeCreatePagefilePrivilege	4904	chrome.exe
Token: SeShutdownPrivilege	4904	chrome.exe
Token: SeCreatePagefilePrivilege	4904	chrome.exe
Token: SeShutdownPrivilege	4904	chrome.exe
Token: SeCreatePagefilePrivilege	4904	chrome.exe
Token: SeShutdownPrivilege	4904	chrome.exe
Token: SeCreatePagefilePrivilege	4904	chrome.exe
Token: SeShutdownPrivilege	4904	chrome.exe
Token: SeCreatePagefilePrivilege	4904	chrome.exe
Token: SeShutdownPrivilege	4904	chrome.exe
Token: SeCreatePagefilePrivilege	4904	chrome.exe
Token: SeShutdownPrivilege	4904	chrome.exe
Token: SeCreatePagefilePrivilege	4904	chrome.exe
Token: SeShutdownPrivilege	4904	chrome.exe
Token: SeCreatePagefilePrivilege	4904	chrome.exe
Token: SeShutdownPrivilege	4904	chrome.exe
Token: SeCreatePagefilePrivilege	4904	chrome.exe
Token: SeShutdownPrivilege	4904	chrome.exe
Token: SeCreatePagefilePrivilege	4904	chrome.exe
Token: SeShutdownPrivilege	4904	chrome.exe
Token: SeCreatePagefilePrivilege	4904	chrome.exe
Token: SeShutdownPrivilege	4904	chrome.exe
Token: SeCreatePagefilePrivilege	4904	chrome.exe
Token: SeRestorePrivilege	4888	7zFM.exe
Token: 35	4888	7zFM.exe
Token: SeSecurityPrivilege	4888	7zFM.exe
Token: SeSecurityPrivilege	4888	7zFM.exe
Token: SeDebugPrivilege	996	taskmgr.exe
Token: SeSystemProfilePrivilege	996	taskmgr.exe
Token: SeCreateGlobalPrivilege	996	taskmgr.exe
Token: SeDebugPrivilege	3076	taskmgr.exe
Token: SeSystemProfilePrivilege	3076	taskmgr.exe
Token: SeCreateGlobalPrivilege	3076	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4888	7zFM.exe
4888	7zFM.exe
4888	7zFM.exe
4888	7zFM.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
4904	chrome.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
996	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2236	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 4124	4904	chrome.exe	81
PID 4904 wrote to memory of 4124	4904	chrome.exe	81
PID 4904 wrote to memory of 3372	4904	chrome.exe	82
PID 4904 wrote to memory of 3372	4904	chrome.exe	82
PID 4904 wrote to memory of 3372	4904	chrome.exe	82
PID 4904 wrote to memory of 3372	4904	chrome.exe	82
PID 4904 wrote to memory of 3372	4904	chrome.exe	82
PID 4904 wrote to memory of 3372	4904	chrome.exe	82
PID 4904 wrote to memory of 3372	4904	chrome.exe	82
PID 4904 wrote to memory of 3372	4904	chrome.exe	82
PID 4904 wrote to memory of 3372	4904	chrome.exe	82
PID 4904 wrote to memory of 3372	4904	chrome.exe	82
PID 4904 wrote to memory of 3372	4904	chrome.exe	82
PID 4904 wrote to memory of 3372	4904	chrome.exe	82
PID 4904 wrote to memory of 3372	4904	chrome.exe	82
PID 4904 wrote to memory of 3372	4904	chrome.exe	82
PID 4904 wrote to memory of 3372	4904	chrome.exe	82
PID 4904 wrote to memory of 3372	4904	chrome.exe	82
PID 4904 wrote to memory of 3372	4904	chrome.exe	82
PID 4904 wrote to memory of 3372	4904	chrome.exe	82
PID 4904 wrote to memory of 3372	4904	chrome.exe	82
PID 4904 wrote to memory of 3372	4904	chrome.exe	82
PID 4904 wrote to memory of 3372	4904	chrome.exe	82
PID 4904 wrote to memory of 3372	4904	chrome.exe	82
PID 4904 wrote to memory of 3372	4904	chrome.exe	82
PID 4904 wrote to memory of 3372	4904	chrome.exe	82
PID 4904 wrote to memory of 3372	4904	chrome.exe	82
PID 4904 wrote to memory of 3372	4904	chrome.exe	82
PID 4904 wrote to memory of 3372	4904	chrome.exe	82
PID 4904 wrote to memory of 3372	4904	chrome.exe	82
PID 4904 wrote to memory of 3372	4904	chrome.exe	82
PID 4904 wrote to memory of 3372	4904	chrome.exe	82
PID 4904 wrote to memory of 3928	4904	chrome.exe	83
PID 4904 wrote to memory of 3928	4904	chrome.exe	83
PID 4904 wrote to memory of 3180	4904	chrome.exe	84
PID 4904 wrote to memory of 3180	4904	chrome.exe	84
PID 4904 wrote to memory of 3180	4904	chrome.exe	84
PID 4904 wrote to memory of 3180	4904	chrome.exe	84
PID 4904 wrote to memory of 3180	4904	chrome.exe	84
PID 4904 wrote to memory of 3180	4904	chrome.exe	84
PID 4904 wrote to memory of 3180	4904	chrome.exe	84
PID 4904 wrote to memory of 3180	4904	chrome.exe	84
PID 4904 wrote to memory of 3180	4904	chrome.exe	84
PID 4904 wrote to memory of 3180	4904	chrome.exe	84
PID 4904 wrote to memory of 3180	4904	chrome.exe	84
PID 4904 wrote to memory of 3180	4904	chrome.exe	84
PID 4904 wrote to memory of 3180	4904	chrome.exe	84
PID 4904 wrote to memory of 3180	4904	chrome.exe	84
PID 4904 wrote to memory of 3180	4904	chrome.exe	84
PID 4904 wrote to memory of 3180	4904	chrome.exe	84
PID 4904 wrote to memory of 3180	4904	chrome.exe	84
PID 4904 wrote to memory of 3180	4904	chrome.exe	84
PID 4904 wrote to memory of 3180	4904	chrome.exe	84
PID 4904 wrote to memory of 3180	4904	chrome.exe	84
PID 4904 wrote to memory of 3180	4904	chrome.exe	84
PID 4904 wrote to memory of 3180	4904	chrome.exe	84
PID 4904 wrote to memory of 3180	4904	chrome.exe	84
PID 4904 wrote to memory of 3180	4904	chrome.exe	84
PID 4904 wrote to memory of 3180	4904	chrome.exe	84
PID 4904 wrote to memory of 3180	4904	chrome.exe	84
PID 4904 wrote to memory of 3180	4904	chrome.exe	84
PID 4904 wrote to memory of 3180	4904	chrome.exe	84
PID 4904 wrote to memory of 3180	4904	chrome.exe	84
PID 4904 wrote to memory of 3180	4904	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://bazaar.abuse.ch/sample/0ecb6f595440040d3b91d220efba1be83db98201be5dbdc98eb1268439f17c4f/
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa1b2ccc40,0x7ffa1b2ccc4c,0x7ffa1b2ccc58
  2⤵
  PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1840,i,5094216467236993215,13823089869245941846,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1816 /prefetch:2
  2⤵
  PID:3372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1920,i,5094216467236993215,13823089869245941846,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  PID:3928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,5094216467236993215,13823089869245941846,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2364 /prefetch:8
  2⤵
  PID:3180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,5094216467236993215,13823089869245941846,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3104 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,5094216467236993215,13823089869245941846,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4344,i,5094216467236993215,13823089869245941846,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4348 /prefetch:1
  2⤵
  PID:3552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4696,i,5094216467236993215,13823089869245941846,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4708 /prefetch:8
  2⤵
  PID:3312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3188,i,5094216467236993215,13823089869245941846,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3112 /prefetch:8
  2⤵
  - NTFS ADS
  PID:3508

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4824

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1424

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\0ecb6f595440040d3b91d220efba1be83db98201be5dbdc98eb1268439f17c4f.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4888

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:996
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /1
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SendNotifyMessage
  PID:3076

C:\Users\Admin\Desktop\a\client32.exe
"C:\Users\Admin\Desktop\a\client32.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3924

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UseGet.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:584

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
9e466b4837d8431be725d6b9c1b4d9ef

SHA1
3f247b7c89985a41d839cad351cd0fc182fcb284

SHA256
2f9a5eeb5ac8cec52a3e73621e4d392f501f5d657dfec3215ccd40eec317208d

SHA512
01de0fda555d63b5c38339b0f6d38c28de2a882643439679e63cf5d75f13516b57dc90e8dfb8c638bda328fc12342e58d1e501acec8f85b92dbd5589dac06418

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
960B

MD5
16846df493521e84fe47cd6b6451ec8f

SHA1
6d99eb017c5aec08d3a7e908bbd4a051ce250c02

SHA256
69f19f2ab2f3625faca623477864766ab1ef3a21712bc892d7b2b0886585b3f9

SHA512
aefa5121601b8273cff6b79b7f76417c71e29e835b66faf3e1a67d0d38fb9ebe90320b75493fd5c4a2d9ea3e3c485d0a84bcdbfb78c26a8ecee3175cd8bd93cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4f9a3d657bec2b3a475e36b28afc1b3a

SHA1
a47e89a6cbb156e14a9a7fdf763d6c1b9fe9d4f9

SHA256
add491c59fd7ff9c40cfca0c06c24cb11c9c1c0c817307b131a825616f4bfb35

SHA512
63d0f0bd4c624e3b1a6c81bff66f8af6a41457a82796aa0902fcecfbe64a87ee7c7bdd49e09513b622e2d36a199ef9f4ca8f0040b3a1ecc0348512feb3487be0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
212KB

MD5
2257803a7e34c3abd90ec6d41fd76a5a

SHA1
f7a32e6635d8513f74bd225f55d867ea56ae4803

SHA256
af23860fb3a448f2cc6107680078402555a345eb45bc5efb750f541fe5d7c174

SHA512
e9f4dc90d0829885f08879e868aa62041150b500f62682fc108da258eee26ad9509dcbf6e8a55f2d0bdba7aa9118dd149a70a7d851820d4ea683db7808c48540

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
ce98d691ea3ee88c41537cd906a38a66

SHA1
311cd0976d2695d1a91067fdeb1c2942bdfcaf3c

SHA256
de29368fe2fd209d2d1c9ef2e8ac8f7ace8d1c06ece11d1f618811e30cef0320

SHA512
3536e187c43390996c94ee06c9dfccfdc3ea4c58f706abb1e4e96bcb8138e0c0dd8194ae7d6981ecc1b10e47aad40c34ea265eb207ed9fff530b257c119c5743

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
03e8db7a73d1c7948448168cdd71bc80

SHA1
7f58e848d18bcecacedc6750c7a878abcf8f0481

SHA256
a5def22b6a7a60bd6f82aa0375af4126811a7c3d3420a65780845277d1be8449

SHA512
6552638eae29fbd453cfbef50ae959b63ee4b78227a78c8e789f7e90bad03560dc94a770a4e529be959b62225299a9c9519a8b3cfc460e8c049e4ebfff8f86a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
2efa770501f7a490c8fc7ef13e5c8a61

SHA1
8c1ca2bbbbf5f7ca5534429eec5c554fd0df15ef

SHA256
89e518f75d5118e669774ce9e30eab75c0f38525af5070fbe7aaed9cbfe4633c

SHA512
5dab6e7d1af93fda74d35eb9002232f3d977a36f86092166eede23cdcb3ae4eca10717f6bb2c8d8c0fe27d6b30ad32c944fbb9109eb791422af46a156e76ae9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
0955c147ba34cf308d78004979b52946

SHA1
7c18cea703f78236514cab588212e612782b5ba0

SHA256
fb86a42df753b54326f123e3c3f936a7a615c0884130faf80978778c303d307b

SHA512
024c92aeead5e2b453f25ad79d001dd39d12adbfdc8ae0023d80abfe4024a14408c070b3705648c3c45dfc88c0b9c4c3722fff42b8fa71543640a0836f315f1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2fe3b773be39d368cc29903a303c6d4e

SHA1
154888d0db635ddf38d41f60267a47028c09429a

SHA256
1577baf5d91a2ab8a6cf37594a5a3dc46cc36e85361e4c66d4c890ed962688b6

SHA512
a335b09fac9757068792a6c7d1a344fecb74b4f7391edc76f417d387fcc1843fd7484fd18185830f5949c768286525e2b6b607ca83b54a909def4ad6f849868c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
195c8bf6a7ad7e006711a95a8a6285b9

SHA1
d7add2b7dd0c4c373cb683c10cdfa3e35d5f5922

SHA256
e83334f23e716f18988a7fd463da0578815e51d159a994e9f503a56ccb208e37

SHA512
d46421ef3b06628689a63504878dbd23fc7bb7f584960dafe4428c4f975d900b53488d5cda515674ab448f079d7a552ce16ab459a6c93db0b5e8495d88c2631e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
62441b22a4ff53e1d391f9f133819c64

SHA1
cd1fdc6aaa603b4527757184bbb6b069f29dbab4

SHA256
c01e12957886551512fa100b69e75b0509c7e1af56aa1391c8d53e52cecd02bb

SHA512
48c15e7c5e508c4affd1aed1a19a5a19bde7d0053a09cee802ff4c8ee588649ac9ad637a8faeea7b332dcb1992c7059341646a535718bf893051550ffec3d20e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
3f341a7c1dfa98cec0cd53940da69034

SHA1
7917c4bf5250f250ff41763159d6faac27364232

SHA256
be6c8b5ed55bab2eded190756c1a1832815c0cbdefd7a6b9fe77ad94e25a1183

SHA512
8ac616bb06937b519fa0d0d6e4d60571fcfcc6d5ac0db409013312655769dd485aa8015e062a6e90e9f3ab955782e01af2c55cdd2f958d8d0166e79390b647d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
44fc56b16fafc6bf6f8acd74196930b5

SHA1
e6ce1ba2436e53dee45e2efa3972712f6128bde8

SHA256
2f9f0e3e66744dbdf5cb9047beeedf4102994b7fc8a9ea0049025ddc2e988f04

SHA512
008eb09d479693e7daacada1175503178a79ce585827eefe90ec6ec7247df13478ceca9d37d1682c50ddbea6765928fd7e8151a557261a58eb2e1cf14f1de0ad

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
eed1599235b9dd933e13cbd5751d7eec

SHA1
d461f7edc8bdb31b672f97b18d34e38bb7c96c4b

SHA256
13ee96f0fd8b45de1603cea7aa86ddaa749ea580989d6cb806d944f3547fbf43

SHA512
9679690676ef1ede8030e26359381a092eaec7cb671d51e91d8cd446006301bcb98518b977fd5d475e777baa11dd28e69135c517e3b3d74475134bfed4e8da9e

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
88c83953edf8df304c61067c2ef6ea08

SHA1
b82b925968af806f4f8d4f6d84e60bdba5d6a6d6

SHA256
e3162b49b8537965feb00b240a8ab0b4dea0208c05d118bc135ec9dc47a5e677

SHA512
c2e263942fa3fa857bce67c7e907d09c05703ef21ec0cad0251707ea8b46bf76b3a9b3cbdb390642ea9ff1ed62b7be3b81fc4d2f106ef063242abb2420ed9f1f

Download Submit
C:\Users\Admin\Desktop\a\HTCTL32.DLL

Filesize
320KB

MD5
c94005d2dcd2a54e40510344e0bb9435

SHA1
55b4a1620c5d0113811242c20bd9870a1e31d542

SHA256
3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899

SHA512
2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

Download Submit
C:\Users\Admin\Desktop\a\NSM.LIC

Filesize
195B

MD5
e9609072de9c29dc1963be208948ba44

SHA1
03bbe27d0d1ba651ff43363587d3d6d2e170060f

SHA256
dc6a52ad6d637eb407cc060e98dfeedcca1167e7f62688fb1c18580dd1d05747

SHA512
f0e26aa63b0c7f1b31074b9d6eef88d0cfbc467f86b12205cb539a45b0352e77ce2f99f29baeab58960a197714e72289744143ba17975699d058fe75d978dfd0

Download Submit
C:\Users\Admin\Desktop\a\PCICHEK.DLL

Filesize
18KB

MD5
104b30fef04433a2d2fd1d5f99f179fe

SHA1
ecb08e224a2f2772d1e53675bedc4b2c50485a41

SHA256
956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd

SHA512
5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

Download Submit
C:\Users\Admin\Desktop\a\PCICL32.dll

Filesize
3.6MB

MD5
d3d39180e85700f72aaae25e40c125ff

SHA1
f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15

SHA256
38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5

SHA512
471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

Download Submit
C:\Users\Admin\Desktop\a\client32.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
C:\Users\Admin\Desktop\a\client32.ini

Filesize
672B

MD5
b6986c652c703435cb96f5f2b875e90e

SHA1
6c4c7c4a4fcf6c68e3a3cfe104014c41683cdb19

SHA256
96388d638998a67b2913999b35fc8cee88a978caa8d16b76910d499b10a9e8be

SHA512
01095a8f7f9f4dcc40793ee7dc9378b95d3c36cca4f7163f28c8c4ba279aa5c46ad93c6ae57fcc6ae779b43ace25f57181c684fd4de8f11e9700eb7a5a4cf6a7

Download Submit
C:\Users\Admin\Desktop\a\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\Desktop\a\pcicapi.dll

Filesize
32KB

MD5
34dfb87e4200d852d1fb45dc48f93cfc

SHA1
35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641

SHA256
2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703

SHA512
f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

Download Submit
C:\Users\Admin\Downloads\0ecb6f595440040d3b91d220efba1be83db98201be5dbdc98eb1268439f17c4f.zip

Filesize
2.2MB

MD5
bbfbef776856619c9904fedebb701ed5

SHA1
75f0d36e3151ad46bcefa2758d0376fa15692514

SHA256
31b7ce7fc29c2bc2fc8eabb67faebb4750468d27fbddd8a0c036444a4f06b8f3

SHA512
efbdcd7ba5059a5a7f6ffec8330627c1311b75469c9dc84500fe8762f9bbac1e3d231e3acf0deaca1233128cbf93d8757cd1701b237feae0f09c9f6959e844bd

Download Submit
C:\Users\Admin\Downloads\0ecb6f595440040d3b91d220efba1be83db98201be5dbdc98eb1268439f17c4f.zip:Zone.Identifier

Filesize
138B

MD5
fa0090ef1fbd2c3b057330cff6eecc35

SHA1
d8a2ea79666b54cfdc2359fde8fb044d12da85f2

SHA256
ae05382f39dedaba4a400a11907c388cc08f57167d3019b9e2bc32c79be64d29

SHA512
887b0192e106692bbf2b9f18c38eb432fe6d5039957f746931838e36abf1c33d700cbcd3b5845870e80216e998c17ea3c7cbfc81615d3d5735ae119e69346083

Download Submit
memory/996-270-0x000001BD259D0000-0x000001BD259D1000-memory.dmp

Filesize
4KB

Download
memory/996-274-0x000001BD259D0000-0x000001BD259D1000-memory.dmp

Filesize
4KB

Download
memory/996-275-0x000001BD259D0000-0x000001BD259D1000-memory.dmp

Filesize
4KB

Download
memory/996-276-0x000001BD259D0000-0x000001BD259D1000-memory.dmp

Filesize
4KB

Download
memory/996-277-0x000001BD259D0000-0x000001BD259D1000-memory.dmp

Filesize
4KB

Download
memory/996-278-0x000001BD259D0000-0x000001BD259D1000-memory.dmp

Filesize
4KB

Download
memory/996-279-0x000001BD259D0000-0x000001BD259D1000-memory.dmp

Filesize
4KB

Download
memory/996-280-0x000001BD259D0000-0x000001BD259D1000-memory.dmp

Filesize
4KB

Download
memory/996-268-0x000001BD259D0000-0x000001BD259D1000-memory.dmp

Filesize
4KB

Download
memory/996-269-0x000001BD259D0000-0x000001BD259D1000-memory.dmp

Filesize
4KB

Download