fc2cb33d4a9b11d1effc52e0281464abe87112b9b47378f1dee3ff728b5751d8

Resubmissions

28/09/2024, 07:56

240928-js35ravdmk 7

28/09/2024, 07:48

240928-jm4t4avaqj 7

Analysis

max time kernel
146s
max time network
317s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/09/2024, 07:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

47.2MB
MD5

851eaed1e935b78977930ceaa82b87af
SHA1

cd764ca043df6413a375b9083218c7a4f89a8895
SHA256

fc2cb33d4a9b11d1effc52e0281464abe87112b9b47378f1dee3ff728b5751d8
SHA512

ba5143ebd4715a5a45afd783fa25dafb352a59aa86baeb1636dc41dd180e254854681b8357a493385a542ef1fce4393210781e9930479a5a3f49347dedea84cb
SSDEEP

786432:BJ2egoCZWRPnp5jLEaTl4BG9VZ4wIXPCbll33xPY7vky4K1rs9Iq48xFKfijSVck:BxGZ8pZLEaTAyIXPO3Bw7sy4K1eZ48xa

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
2524	setup.exe
2524	setup.exe
2524	setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 40 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Jazz2.TileSet	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.j2v	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Jazz2.Music	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Jazz2.Strings	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Jazz2.Data\ = "Jazz2 Data File"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.j2v\ = "Jazz2.Video"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Jazz2.Music\ = "Jazz2 Music File"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.j2a\ = "Jazz2.Anims"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Jazz2.Macro\ = "Jazz2 Recorded Macro"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Jazz2.Video\ = "Jazz2 Cinematic File"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Jazz2.Anims\ = "Jazz2 Animation Library"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Jazz2.TileSet\ = "Jazz2 Tile Set"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Jazz2.Strings\ = "Jazz2 Language Data"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.j2l\ = "Jazz2.Level"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.j2a	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Jazz2.Episode	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Jazz2.Data	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Jazz2.Episode\ = "Jazz2 Episode File"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.j2m	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Jazz2.Macro	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Jazz2.HiScores\ = "Jazz2 High Scores"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.j2l	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.j2t	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.j2d\ = "Jazz2.Data"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Jazz2.HiScores	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Jazz2.Video	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Jazz2.Anims	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.j2t\ = "Jazz2.TileSet"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.j2e\ = "Jazz2.Episode"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.j2b	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.j2b\ = "Jazz2.Music"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.j2s\ = "Jazz2.Strings"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.j2d	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Jazz2.Level	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Jazz2.Level\ = "Jazz2 Level File"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.j2m\ = "Jazz2.Macro"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.j2h\ = "Jazz2.HiScores"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.j2e	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.j2h	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.j2s	setup.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3024	chrome.exe
3024	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2524	setup.exe
Token: SeBackupPrivilege	2524	setup.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 1096	3024	chrome.exe	32
PID 3024 wrote to memory of 1096	3024	chrome.exe	32
PID 3024 wrote to memory of 1096	3024	chrome.exe	32
PID 3024 wrote to memory of 748	3024	chrome.exe	34
PID 3024 wrote to memory of 748	3024	chrome.exe	34
PID 3024 wrote to memory of 748	3024	chrome.exe	34
PID 3024 wrote to memory of 748	3024	chrome.exe	34
PID 3024 wrote to memory of 748	3024	chrome.exe	34
PID 3024 wrote to memory of 748	3024	chrome.exe	34
PID 3024 wrote to memory of 748	3024	chrome.exe	34
PID 3024 wrote to memory of 748	3024	chrome.exe	34
PID 3024 wrote to memory of 748	3024	chrome.exe	34
PID 3024 wrote to memory of 748	3024	chrome.exe	34
PID 3024 wrote to memory of 748	3024	chrome.exe	34
PID 3024 wrote to memory of 748	3024	chrome.exe	34
PID 3024 wrote to memory of 748	3024	chrome.exe	34
PID 3024 wrote to memory of 748	3024	chrome.exe	34
PID 3024 wrote to memory of 748	3024	chrome.exe	34
PID 3024 wrote to memory of 748	3024	chrome.exe	34
PID 3024 wrote to memory of 748	3024	chrome.exe	34
PID 3024 wrote to memory of 748	3024	chrome.exe	34
PID 3024 wrote to memory of 748	3024	chrome.exe	34
PID 3024 wrote to memory of 748	3024	chrome.exe	34
PID 3024 wrote to memory of 748	3024	chrome.exe	34
PID 3024 wrote to memory of 748	3024	chrome.exe	34
PID 3024 wrote to memory of 748	3024	chrome.exe	34
PID 3024 wrote to memory of 748	3024	chrome.exe	34
PID 3024 wrote to memory of 748	3024	chrome.exe	34
PID 3024 wrote to memory of 748	3024	chrome.exe	34
PID 3024 wrote to memory of 748	3024	chrome.exe	34
PID 3024 wrote to memory of 748	3024	chrome.exe	34
PID 3024 wrote to memory of 748	3024	chrome.exe	34
PID 3024 wrote to memory of 748	3024	chrome.exe	34
PID 3024 wrote to memory of 748	3024	chrome.exe	34
PID 3024 wrote to memory of 748	3024	chrome.exe	34
PID 3024 wrote to memory of 748	3024	chrome.exe	34
PID 3024 wrote to memory of 748	3024	chrome.exe	34
PID 3024 wrote to memory of 748	3024	chrome.exe	34
PID 3024 wrote to memory of 748	3024	chrome.exe	34
PID 3024 wrote to memory of 748	3024	chrome.exe	34
PID 3024 wrote to memory of 748	3024	chrome.exe	34
PID 3024 wrote to memory of 748	3024	chrome.exe	34
PID 3024 wrote to memory of 688	3024	chrome.exe	35
PID 3024 wrote to memory of 688	3024	chrome.exe	35
PID 3024 wrote to memory of 688	3024	chrome.exe	35
PID 3024 wrote to memory of 2572	3024	chrome.exe	36
PID 3024 wrote to memory of 2572	3024	chrome.exe	36
PID 3024 wrote to memory of 2572	3024	chrome.exe	36
PID 3024 wrote to memory of 2572	3024	chrome.exe	36
PID 3024 wrote to memory of 2572	3024	chrome.exe	36
PID 3024 wrote to memory of 2572	3024	chrome.exe	36
PID 3024 wrote to memory of 2572	3024	chrome.exe	36
PID 3024 wrote to memory of 2572	3024	chrome.exe	36
PID 3024 wrote to memory of 2572	3024	chrome.exe	36
PID 3024 wrote to memory of 2572	3024	chrome.exe	36
PID 3024 wrote to memory of 2572	3024	chrome.exe	36
PID 3024 wrote to memory of 2572	3024	chrome.exe	36
PID 3024 wrote to memory of 2572	3024	chrome.exe	36
PID 3024 wrote to memory of 2572	3024	chrome.exe	36
PID 3024 wrote to memory of 2572	3024	chrome.exe	36
PID 3024 wrote to memory of 2572	3024	chrome.exe	36
PID 3024 wrote to memory of 2572	3024	chrome.exe	36
PID 3024 wrote to memory of 2572	3024	chrome.exe	36
PID 3024 wrote to memory of 2572	3024	chrome.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7319758,0x7fef7319768,0x7fef7319778
  2⤵
  PID:1096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1188 --field-trial-handle=1228,i,2013206417707143485,14156938706794392535,131072 /prefetch:2
  2⤵
  PID:748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1452 --field-trial-handle=1228,i,2013206417707143485,14156938706794392535,131072 /prefetch:8
  2⤵
  PID:688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1228,i,2013206417707143485,14156938706794392535,131072 /prefetch:8
  2⤵
  PID:2572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2276 --field-trial-handle=1228,i,2013206417707143485,14156938706794392535,131072 /prefetch:1
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2284 --field-trial-handle=1228,i,2013206417707143485,14156938706794392535,131072 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2860 --field-trial-handle=1228,i,2013206417707143485,14156938706794392535,131072 /prefetch:2
  2⤵
  PID:2616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1532 --field-trial-handle=1228,i,2013206417707143485,14156938706794392535,131072 /prefetch:1
  2⤵
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3140 --field-trial-handle=1228,i,2013206417707143485,14156938706794392535,131072 /prefetch:8
  2⤵
  PID:1516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3600 --field-trial-handle=1228,i,2013206417707143485,14156938706794392535,131072 /prefetch:8
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3692 --field-trial-handle=1228,i,2013206417707143485,14156938706794392535,131072 /prefetch:8
  2⤵
  PID:2856
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:2508
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x140317688,0x140317698,0x1403176a8
    3⤵
    PID:2716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3764 --field-trial-handle=1228,i,2013206417707143485,14156938706794392535,131072 /prefetch:1
  2⤵
  PID:2108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3808 --field-trial-handle=1228,i,2013206417707143485,14156938706794392535,131072 /prefetch:1
  2⤵
  PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3628 --field-trial-handle=1228,i,2013206417707143485,14156938706794392535,131072 /prefetch:8
  2⤵
  PID:2800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3796 --field-trial-handle=1228,i,2013206417707143485,14156938706794392535,131072 /prefetch:8
  2⤵
  PID:892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=868 --field-trial-handle=1228,i,2013206417707143485,14156938706794392535,131072 /prefetch:8
  2⤵
  PID:1648

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2052

C:\Users\Admin\AppData\Local\Temp\Temp1_plus_install.zip\plus_install.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_plus_install.zip\plus_install.exe"
1⤵
PID:2836
- C:\Games\Jazz2\plusifier.exe
  "C:\Games\Jazz2\plusifier.exe" Jazz2.exe Jazz2.exe
  2⤵
  PID:2604

C:\Games\Jazz2\Jazz2.exe
"C:\Games\Jazz2\Jazz2.exe"
1⤵
PID:2084

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x52c
1⤵
PID:2784

C:\Games\Jazz2\Jazz2.exe
"C:\Games\Jazz2\Jazz2.exe"
1⤵
PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Games\Jazz2\Anims.j2a

Filesize
9.2MB

MD5
b6b2b2511354e09cbc4fb957f12bf49f

SHA1
0362180aa245119ce9244cc162a3ef6defaf6ca2

SHA256
8437cc1d8f10e590d1eb63461d1bfe4b77eb9bc5593d78ac23417e81e375360b

SHA512
1d6d4553f86ebeef0a97fa12e610b8a8ff06ce141b53f7fb4514602bb92d4df88cc6e1089dede41b883ee8332789bb49305ca64c6b8365bcce8398251901e70c

Download Submit
C:\Games\Jazz2\BASS.DLL

Filesize
109KB

MD5
36946ab0740fa086bfc8b8a86260eee9

SHA1
57e154464dd247f14ec90de065d7be685dcc1293

SHA256
9ac13f9bc5564fd8a1eab5f7c945dce1c27940dd63a913108eac64481ddde6af

SHA512
51a090119c36f19c8b008d52f1faf76ee1d511e151df777c577cf91da84300a8474d7e17004e3f374434b2d16eb1da3cfaee853e47528f9a1f6fb8bab71ed3e1

Download Submit
C:\Games\Jazz2\BanList.lst

Filesize
796B

MD5
7668b7e4c6c00cc078f21edd03419b59

SHA1
26308c73e54866c1e2aa60bbef3d0a497e3a0d69

SHA256
3658d0ebd7cf1c86fd929f8b450fc6895e843c381ece722e84b344f177d9b7d0

SHA512
86618b7a26a93aee3ee0e01087f793e691202264f453fdcd92a6cf906fb2870787d900b51c77959505114e57522209dc3161c2d46f4a0c6d551545c3215f1239

Download Submit
C:\Games\Jazz2\Data.j2d

Filesize
1.2MB

MD5
e5521da053287c0c957d1198297bcb2d

SHA1
680dd3b6a8d0f0584c3230595f4382880777b359

SHA256
4195a9c904dc7f0716897243bb6638410b420b7b6cb030b56ebce09b75bbef21

SHA512
872608277eb4f7a0a8cecf31ab10f0beb98ea6a5876081e92628c6464e9ee61f09c6820778cb1cef2f31da0b223068f044d0f481c4ee83e6f37b9de7cc407f95

Download Submit
C:\Games\Jazz2\ENGLISH.J2S

Filesize
10KB

MD5
c90d6492858c0c106d6e93c18a63b82d

SHA1
8730afd624a2199459ee6ba5f1a24d047d28333b

SHA256
05e4e843e8044e3cff99355b8a7605a629482d4d95e6d753bd39defd1dc93f83

SHA512
f579821f6284f15c4895d79a56158505561cd58ab762eae096d412ee3d451527a81c04a9c7dba82d0f22c9e7550dec59386379a013ceaaa5200ce89aa5608449

Download Submit
C:\Games\Jazz2\FILTER.LST

Filesize
517B

MD5
20d9ac18a5f11129f17581c3fdcf43a7

SHA1
5ec701a3bcd955d5879d2d4ea6f9e64eb4fb6e03

SHA256
8fee21a4098a6d341083571bff4c97b95ead12e07d364887a69a7538986644b1

SHA512
69967a141e15433cd4cdcdbb8b67bd7dce2a2b864da40f86a16027a9ed49e665415bc7db5cf2960b0aaa06e9d0d15287d585c4ec1c7dea545e2877b264d0d8ed

Download Submit
C:\Games\Jazz2\Intro.j2v

Filesize
4.8MB

MD5
6adfb21a9f6dd6db8a0f34aa68a02d35

SHA1
a701f52d7cb9b672e8b6b359c18a90da64c49053

SHA256
34819c25f55e2266d3debb0d70a70b64a6b84724b6eafff461648c4f68dcb89a

SHA512
3fc226f29943da5ec7a4bcc80c172819b753ebbcc28febed1c7421e3e8283495c41b3fab3707334efbf5482fcc816df7fcbcbed36a31b354a7bc81126273f72d

Download Submit
C:\Games\Jazz2\JCS.ini

Filesize
19KB

MD5
a311985ae84b065b3e5bb973413df31c

SHA1
cccecaf8f874dd1ac41ef09ef1a7d66dcbafaa99

SHA256
748c2b72400b88d30ec0891a38effd4a4e8f289494e7fb7b59f03c11e9324341

SHA512
a433a3c0ff80d97cb0fa165005bc134d069df30da75df2db03ce0df1734defc1b7266ea6ac5da434dbcc94bf552b9e28d67e305537c2473d183f0ea6acdae3e4

Download Submit
C:\Games\Jazz2\Jazz2.exe

Filesize
996KB

MD5
bb5c7ac9f18145ee7a3a1e937956247c

SHA1
9d68b8b714dba1139586ff98dbc8f256b0bce398

SHA256
a4b6b172bd5cf2e9eae46a8d78ea3f09c97602e1e700e586cb36d9a9b3241d8a

SHA512
96cb7367d35370d379c7dfb74ae5868ce18485dea523c085ed5353d8ac30fab49b1858d04ac85ee2cb8fd36aac76318b13c2f090ffc0b320908f2adf67231b0a

Download Submit
C:\Games\Jazz2\Jazz2.exe

Filesize
996KB

MD5
f5cd438ce5827e01d2911c2d5bf5f2d7

SHA1
9540f4df2647e0adde5cfb1b61ca893d854f31c8

SHA256
43580e391404cebaf1ba0ef69d51b05ec7c4784b3c83d45dc8a8596c63cc6100

SHA512
c394a3652fbda9c7d1a10d795d983e87d96722fe890b13650b014e0b6d76d60c139a60e7e90c8eb5de084ad39710066ee458cae818ec88fdc041f9928002686b

Download Submit
C:\Games\Jazz2\admin.ini-default

Filesize
2KB

MD5
cd904557121f41faac1594e652fabe41

SHA1
963fb7bd5ea237ff289dea3bf775d2695eacbe7f

SHA256
646c982cdf0ae3d36e8a89697df2849b2b1431dd37b12e203f3440ff31257b9a

SHA512
248938b6025e14963a3b1c8a2a8a86d7299e7e115c357d8c1dcdd629b7a6eaa94454482a3e77d1775375a4663a381f75c8fbab8c1c2116c94bb44bb571c310a9

Download Submit
C:\Games\Jazz2\jazz2.log

Filesize
401B

MD5
0706eccc393935535e201a90e5fc33bc

SHA1
25384ef68925598f95ffeb70dadf2e6aa5ce8f86

SHA256
bee971bc68d92f661f4e8e8bf859a461f5b2aca22bd131790dfc503af31e7ebd

SHA512
8ef5aa4c37d97b695647df7190fb61c9a415ad4e75556a19ef143c74a58fa4eb40c117ef36326ffe7ca0a177ea3451f6832f22291223f0eb26fe29e72c694fe9

Download Submit
C:\Games\Jazz2\plus.dll

Filesize
4.5MB

MD5
a38575bf20d3640fd242e98335275d79

SHA1
150e0456745c1351ef834b945e9cd478bb2acf86

SHA256
8ae27fdf417c5914c3c347a40ff59ae9ff34e9dc02eb79edf735bb571495937d

SHA512
d22e287bf222600f2f6e694dc5580e919713ef89540bc55551e79755ad91596ab8f0c883288b6b948f50dd2df1d7875d7048928745957a01624e6f9406609af0

Download Submit
C:\Games\Jazz2\plus.ini-default

Filesize
2KB

MD5
40d9caff43990e0addaf83de0e306519

SHA1
cebd7f03363a4a6c05cf8abe6c3e1127afeb0035

SHA256
6da9d3d99668b924524175517e34d2967169f615d924e31b40dbd153f727d025

SHA512
87f83faea7fa8181f61bf1245e4a503404282554385807b24083573006ab1f0959a3578854f414d0ee8c802274302020765d1712cc619c030cdac6235ab8895a

Download Submit
C:\Games\Jazz2\plusifier.exe

Filesize
220KB

MD5
955ead3a5a4b54f7ea6869cc453886a8

SHA1
bb42b8c3dfe9237d9249013ca339a0009b77159d

SHA256
bbc5d41709844dd5ff51c06da79b8fdc9aa7d68a76b0f8a7f1a7291ddf9e9305

SHA512
044927e46c7d3a37eda626cd0ae204401cb9a243de880c421dc6e1d876213ef2741d183c821af747a2410edda2123a05766a3ffaca49d38a3cfd7acf1da153ff

Download Submit
C:\Games\Jazz2\plusifier.log

Filesize
17B

MD5
25d1dea9fc93e42e07b18f23c9ff59cd

SHA1
5ace657d1a3b0d5aef8860c8a86fca028c4c6715

SHA256
9da7db90eb884a336ecba0ee08e8e55c250ba29007da9a4c6cde8e84ab3e11be

SHA512
cbeca6d6d94d6f81d62ab70a0d627c85bdc76a3a2977dd8dde14e9b8f7ad3c00c8d72616f74615e1067d7ba0e0421424d69ea74b5aa7875138cb6b8f9b143242

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
682B

MD5
20d9d8bd7b3680422109436d8da346dd

SHA1
7b22c58a2140bee6cc724bd900df0977c5d7bdad

SHA256
5517c3592ddf51dda22f6e226558a5d337b51673575cd67680c9625847cdc249

SHA512
3b7efb51893e28558b27e933521d013dc1cb404dcab7c809605853f57bf59bf0e6302a121e3a12a8cc520870053025ccc6be99703a12f88e3bebdbd01bd34173

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
daeecd089493f5dd6f33ee546e50b89b

SHA1
8d25b035650c7b596b0a5068c47d424cd4cd2837

SHA256
3d742580e763ec60eb4db0f890ed3a2740a2bd1a91832446e99f62a027d00385

SHA512
929e588e6e920e23a9a0d956c8511d652f72cb57c605152519155177fb93f20c9232369e2dd59870da50ecdcb911a2e3016ae0bd22a45c206374a7fa8f3b0706

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
3cad8dd7170850beacb244ac39abb488

SHA1
54f49ac065b85f0f8e5570aed1681097568ab666

SHA256
e7342ce41263e8c7c625e02214b512af6729d63fe903ed91446fe45dc1b7e489

SHA512
fd750fbf85f4cd87b8b4ab00f1f2692790b023741cac309a4d430de07e9932910c9e29f9a7dc9f146f4d9e4cd3c6289f1a99570de8db8fda10914fc0e823496a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\b0c0248f-0a63-4cd9-b3b0-7a152ec61a21.tmp

Filesize
6KB

MD5
5bbcfa27d9e897cf25ba88995e909be2

SHA1
56940ebe33e449c3d7330f45139fcdff8446a41d

SHA256
471cdd057d8306250a7474b930ab5951b3dfb41d0aeb6ec9fc2a6bebf2f97843

SHA512
21572c4866dc6391b64a9d8108ad5aa536a364530373bbadcb99e597484a7ef86c5606e44aa05d36c93121d6eeaf8b48c7a5ddbdf39e6ef4355a37546e29d0ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
77KB

MD5
3c0c13af1ae050afd8a2ad34de1933c6

SHA1
4a56e17be5ceeb314a2836c6707e2d2937332333

SHA256
b8ef0abeeb662cbafa22c13cb3dffa3710ab6d4c6f4a66ad85ed8955239219bb

SHA512
6ff0822fd2eaa9f82873ff69cc8d5c4b2eb856a7e8ae1e85f0a5eb5b5ad76d749a3f2d32f56f1012573e58e23493c7a5c43969dc9c5da5f82b38e0388bb0551c

Download Submit
C:\Users\Admin\Downloads\plus_install.zip.crdownload

Filesize
5.8MB

MD5
864a321b70bdbefe06ae8bdb0e3e12e4

SHA1
15b6b78ad501a2af9d1c678f703bd616a0dc221b

SHA256
fde13f46a949e786fe86383e65a6542fc71e5c0f031a313ad660af845c2652f0

SHA512
ad88c4e333ea720f29d72260a7e92ba5ff922312f499951b356a6c401253f3101c71cd5e3575f060c4fc0ad11709d4f02dd6db5c35390fb9b0bd6a0a9dc2e2ce

Download Submit
\Games\Jazz2\Jazz2.exe

Filesize
996KB

MD5
e9e39b75ded0b305703cf23e09eca972

SHA1
a38875d3fd075b53f0fc3d62e756ae9c79b48bc8

SHA256
d2ed97cb78921cc7f928414db6b194995f71396ddc0a6799f3772a46dcabd7e4

SHA512
6a63e924fe61296339d8d9a7928693ac7a6e4891eea1eda8687433f04b2918f57de5c5b734cd6893f95ccbc4715dcbf86484d64c5ad7beb0e544d396b1f8a069

Download Submit
\Games\Jazz2\Jcs.exe

Filesize
704KB

MD5
09936dbc7916eb065a8948e909fb59f2

SHA1
f6167c02ad7b5d01120f52462aaca5b2623ce81e

SHA256
08fcd7a3462fcbeaff5c40b793134ac15bef3586ab06b4bfca7549f3a8a88afb

SHA512
f9b4748da7c05a075154d5373b892bd71c5d513d1ca6fbdab1f060a756d987f1a7f0bb21ffbbedd9748721d1192cffa4ac5387bd1579fc36a4b9686a5802fd7c

Download Submit
\Games\Jazz2\UnInst.exe

Filesize
46KB

MD5
e40a4dbc896db8eec28e885e3cd647ee

SHA1
eaf3e96014d1e22d2ef8a4052785dc1ba58199c1

SHA256
3834612301db373a9eb6cd02e14b3b265e9be4eaf1590b583527dc6849399b14

SHA512
c06cff82add2722d0141d7bd1bb6caf0396a3bb93ca375414b3d416dbeccbc28b7b1b31af3a1df95a48f9d99a007f1421abbb62ae978ccc920927ef611c01cb1

Download Submit
\Users\Admin\AppData\Local\Temp\nsuF47D.tmp\System.dll

Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
\Users\Admin\AppData\Local\Temp\nsuF47D.tmp\nsDialogs.dll

Filesize
9KB

MD5
b3070cf20db659fdfb3cb2ed38130e8d

SHA1
aa234b0620bebddde1414ff6b0840d883890b413

SHA256
f2c1409faf2952c1c91f4b5495158ef5c7d1a1db6eea4a18f163574bd52fcad0

SHA512
4849a4cf24ea8a26cd04eb132d479cc093d4e204ed3866a77646d03778f4c128e20722a0c3cd62ea98a37deea4ce505fe632420158c71a10b0c8c5e32b38e3f1

Download Submit
\Users\Admin\AppData\Local\Temp\nsuF47D.tmp\plus-nsis.dll

Filesize
243KB

MD5
7b3ae85890c4ced49e5bd534a7982994

SHA1
af29a2be2edbd806453d94e0e739e72911b05d28

SHA256
9efb57c5d237bc1f3aff052908a19e06d3ddce9755477825453efb159a822571

SHA512
83ef80af79aa89f8d537c2c7fe9f86a227cbe1c83c2ce65e849ec7165d44270844e36a3492e71658f71069a27524cf0c9769ad75e5b00f99f04ac58dfa429dea

Download Submit
memory/1580-515-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/1580-519-0x0000000074190000-0x00000000741E0000-memory.dmp

Filesize
320KB

Download
memory/1580-516-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2084-497-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2084-502-0x00000000741A0000-0x00000000741F0000-memory.dmp

Filesize
320KB

Download
memory/2084-496-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download