hxxps://mega[.]nz/file/YuEGjIIL#_MtErju-IlgEMvZ8nbR31fYy_4aachqmSiYQicpoheU

Analysis

max time kernel
74s
max time network
76s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 07:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/YuEGjIIL#_MtErju-IlgEMvZ8nbR31fYy_4aachqmSiYQicpoheU

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2320	UnRAR.exe

Loads dropped DLL 12 IoCs

pid	Process
4900	MsiExec.exe
4900	MsiExec.exe
4900	MsiExec.exe
4900	MsiExec.exe
4900	MsiExec.exe
4900	MsiExec.exe
4900	MsiExec.exe
4900	MsiExec.exe
4900	MsiExec.exe
4900	MsiExec.exe
4900	MsiExec.exe
4900	MsiExec.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
64	4900	MsiExec.exe
66	4900	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI6806.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{EDA045BA-1266-48B4-8248-F7F54DB503CB}	msiexec.exe
File created	C:\Windows\Installer\e585a60.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5DA0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5DFF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6CD9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI989E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e585a60.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5D22.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6709.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI67B7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\e585a64.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5C45.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5CE2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6758.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5AEC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5E2E.tmp	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133732770602029430"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1924	chrome.exe
1924	chrome.exe
644	msiexec.exe
644	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1924	chrome.exe
1924	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeCreatePagefilePrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeCreatePagefilePrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeCreatePagefilePrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeCreatePagefilePrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeCreatePagefilePrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeCreatePagefilePrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeCreatePagefilePrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeCreatePagefilePrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeCreatePagefilePrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeCreatePagefilePrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeCreatePagefilePrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeCreatePagefilePrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeCreatePagefilePrivilege	1924	chrome.exe
Token: 33	1568	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1568	AUDIODG.EXE
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeCreatePagefilePrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeCreatePagefilePrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeCreatePagefilePrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeCreatePagefilePrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeCreatePagefilePrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeCreatePagefilePrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeCreatePagefilePrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeCreatePagefilePrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeCreatePagefilePrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeCreatePagefilePrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeCreatePagefilePrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeCreatePagefilePrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeCreatePagefilePrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeCreatePagefilePrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeCreatePagefilePrivilege	1924	chrome.exe
Token: SeShutdownPrivilege	1924	chrome.exe
Token: SeCreatePagefilePrivilege	1924	chrome.exe
Token: SeRestorePrivilege	3956	7zG.exe
Token: 35	3956	7zG.exe
Token: SeSecurityPrivilege	3956	7zG.exe
Token: SeSecurityPrivilege	3956	7zG.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
3956	7zG.exe
4360	msiexec.exe
4360	msiexec.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 1340	1924	chrome.exe	83
PID 1924 wrote to memory of 1340	1924	chrome.exe	83
PID 1924 wrote to memory of 4420	1924	chrome.exe	85
PID 1924 wrote to memory of 4420	1924	chrome.exe	85
PID 1924 wrote to memory of 4420	1924	chrome.exe	85
PID 1924 wrote to memory of 4420	1924	chrome.exe	85
PID 1924 wrote to memory of 4420	1924	chrome.exe	85
PID 1924 wrote to memory of 4420	1924	chrome.exe	85
PID 1924 wrote to memory of 4420	1924	chrome.exe	85
PID 1924 wrote to memory of 4420	1924	chrome.exe	85
PID 1924 wrote to memory of 4420	1924	chrome.exe	85
PID 1924 wrote to memory of 4420	1924	chrome.exe	85
PID 1924 wrote to memory of 4420	1924	chrome.exe	85
PID 1924 wrote to memory of 4420	1924	chrome.exe	85
PID 1924 wrote to memory of 4420	1924	chrome.exe	85
PID 1924 wrote to memory of 4420	1924	chrome.exe	85
PID 1924 wrote to memory of 4420	1924	chrome.exe	85
PID 1924 wrote to memory of 4420	1924	chrome.exe	85
PID 1924 wrote to memory of 4420	1924	chrome.exe	85
PID 1924 wrote to memory of 4420	1924	chrome.exe	85
PID 1924 wrote to memory of 4420	1924	chrome.exe	85
PID 1924 wrote to memory of 4420	1924	chrome.exe	85
PID 1924 wrote to memory of 4420	1924	chrome.exe	85
PID 1924 wrote to memory of 4420	1924	chrome.exe	85
PID 1924 wrote to memory of 4420	1924	chrome.exe	85
PID 1924 wrote to memory of 4420	1924	chrome.exe	85
PID 1924 wrote to memory of 4420	1924	chrome.exe	85
PID 1924 wrote to memory of 4420	1924	chrome.exe	85
PID 1924 wrote to memory of 4420	1924	chrome.exe	85
PID 1924 wrote to memory of 4420	1924	chrome.exe	85
PID 1924 wrote to memory of 4420	1924	chrome.exe	85
PID 1924 wrote to memory of 4420	1924	chrome.exe	85
PID 1924 wrote to memory of 1824	1924	chrome.exe	86
PID 1924 wrote to memory of 1824	1924	chrome.exe	86
PID 1924 wrote to memory of 1036	1924	chrome.exe	87
PID 1924 wrote to memory of 1036	1924	chrome.exe	87
PID 1924 wrote to memory of 1036	1924	chrome.exe	87
PID 1924 wrote to memory of 1036	1924	chrome.exe	87
PID 1924 wrote to memory of 1036	1924	chrome.exe	87
PID 1924 wrote to memory of 1036	1924	chrome.exe	87
PID 1924 wrote to memory of 1036	1924	chrome.exe	87
PID 1924 wrote to memory of 1036	1924	chrome.exe	87
PID 1924 wrote to memory of 1036	1924	chrome.exe	87
PID 1924 wrote to memory of 1036	1924	chrome.exe	87
PID 1924 wrote to memory of 1036	1924	chrome.exe	87
PID 1924 wrote to memory of 1036	1924	chrome.exe	87
PID 1924 wrote to memory of 1036	1924	chrome.exe	87
PID 1924 wrote to memory of 1036	1924	chrome.exe	87
PID 1924 wrote to memory of 1036	1924	chrome.exe	87
PID 1924 wrote to memory of 1036	1924	chrome.exe	87
PID 1924 wrote to memory of 1036	1924	chrome.exe	87
PID 1924 wrote to memory of 1036	1924	chrome.exe	87
PID 1924 wrote to memory of 1036	1924	chrome.exe	87
PID 1924 wrote to memory of 1036	1924	chrome.exe	87
PID 1924 wrote to memory of 1036	1924	chrome.exe	87
PID 1924 wrote to memory of 1036	1924	chrome.exe	87
PID 1924 wrote to memory of 1036	1924	chrome.exe	87
PID 1924 wrote to memory of 1036	1924	chrome.exe	87
PID 1924 wrote to memory of 1036	1924	chrome.exe	87
PID 1924 wrote to memory of 1036	1924	chrome.exe	87
PID 1924 wrote to memory of 1036	1924	chrome.exe	87
PID 1924 wrote to memory of 1036	1924	chrome.exe	87
PID 1924 wrote to memory of 1036	1924	chrome.exe	87
PID 1924 wrote to memory of 1036	1924	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/file/YuEGjIIL#_MtErju-IlgEMvZ8nbR31fYy_4aachqmSiYQicpoheU
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffec777cc40,0x7ffec777cc4c,0x7ffec777cc58
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1924,i,17613470655736888346,2598043247934753346,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1872,i,17613470655736888346,2598043247934753346,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  PID:1824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,17613470655736888346,2598043247934753346,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2412 /prefetch:8
  2⤵
  PID:1036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,17613470655736888346,2598043247934753346,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:1760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,17613470655736888346,2598043247934753346,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4996,i,17613470655736888346,2598043247934753346,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5016 /prefetch:8
  2⤵
  PID:3616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4804,i,17613470655736888346,2598043247934753346,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4708 /prefetch:8
  2⤵
  PID:928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4592,i,17613470655736888346,2598043247934753346,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  PID:3796

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3988

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150 0x4dc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2996

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\v.1.6.5__x64__app__\" -spe -an -ai#7zMap28880:100:7zEvent5299
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3956

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\v.1.6.5__x64__app__\v.1.6.5__x64__.msi"
1⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:4360

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:644
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding CEBFC981D2E1286483333C85DAF6375F
  2⤵
  - Loads dropped DLL
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:4900
- C:\Users\Admin\AppData\Roaming\Tiqs Via Q\KcozApp\UnRAR.exe
  "C:\Users\Admin\AppData\Roaming\Tiqs Via Q\KcozApp\UnRAR.exe" x -p "C:\Users\Admin\AppData\Roaming\Tiqs Via Q\KcozApp\kafkjo.rar" "C:\Users\Admin\AppData\Roaming\Tiqs Via Q\KcozApp\"
  2⤵
  - Executes dropped EXE
  PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e585a63.rbs

Filesize
340KB

MD5
6a1eaafc421b4ed08c8904971663be3e

SHA1
6efe7c9c5064a15d58730e76414760c341c88bb8

SHA256
920cca5ef4ef0afb3c796f7941a87f1f50945f1cb3b97bd8ebda85c781b0f5c4

SHA512
ffc562f412d7c0e025613845aae2a61010453424d51def3f3f06f7cc675beb37ad05f07ed0399e78480d90908d1877b9ba2227644739e2c92e334e1adac264fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
99428be55f43b8dacdedeb8fc6fbfbb8

SHA1
e1b92dd76d171f83f6bd9a79213e968cfbc2f8ec

SHA256
49df96fac526b1827b4aec779332776d1ce8389f6cc88bae1ebea8271a00c182

SHA512
4d9f13ecf599aea28c8ad803ad7dffd4c47d15b3f64076fd2f115bd3fa1f9e5cd15ed50cd913db057d60176ec0617154e73e06efaa8ca269038175deb6034f6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
49e1b95fd2f67a12810bb238c85457c7

SHA1
23186a314311bfaf0cfd50e761234b2be94baf2a

SHA256
56a7f02a43f3c0a89e8e1ab3cc5117790f241a4ce0ad8192f5df44074a97b79d

SHA512
b824394db2a9e3e9a80113ace456d441c935d4e7003c3ad740f2bf1b197865083b511356c3fe6d74defd3f64b9192107ec2bc75be9de2bfde28ce47e4ebfe119

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
f22656193e862f4500203352604ea7ec

SHA1
2b09be87140bb8a8300e8851d943d4f4fdb4d810

SHA256
ee79527e47e44dcd71fdb2c58d1963bbdf92155dcf3a90f4d656cb70f7d09624

SHA512
d1e8560f28e4324cfe66719481d3a6dbbfe0558a3d41bc59e7a88f74951ca78c31bb4a2b40cec52d39059d95a4415c35bea02d0dcfe8edab9906c49122993fdf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
09bbfbf379a9bbef11bb0da417edd992

SHA1
71c90afd32dc048606e657e0a7ed9ce2c3f074e3

SHA256
022758d3d49287df3c73e24c2786ebf604fe4125875c2344f0236bb2a59f3f25

SHA512
298f98f384430dc67c9003840e0f59f25c4b095e02e93977b40100414b6736e252b71638695f84051bd16e61f731ee1f0aa61991d340e7a5a52bdc53840eb19e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
2b7e992c817d710fe8f65e7d627eaf21

SHA1
9ed9ae6067c7cdcf08ff09847c4b5a4c5e864018

SHA256
d5b1d19ad66abe2560e5715ffe00b22d44847205c390a35b372fab0296626ffa

SHA512
61eab256a1f83fe5ba0121beecbecbb58128209ee06d71d24107912eb610ee3ba527bf74c901d29845cf33e2113d3425930d54f9dd59a0bae67e110fff845958

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
a90690a12184ec43e25a1038b14e426e

SHA1
2b6414718f356c326870fd39d46c591e64a32592

SHA256
753f8efda74acebd59304d54e220a24110ae9b33ed7edacf402b3cf4b1beaca3

SHA512
b3789eb73dd070f746667ad940549aae667f6d745cbdeb6d02f1d1ff47fe4bbeb1a500564368a353ceedb8542c98408ee20761e6fe4b83490dc79bde0fadde6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
428ccfb0207e9d9c9c3ece7993a366aa

SHA1
a898716143cdc6c80f317a8f20dbc3a286442d9b

SHA256
68ec062bd8857993d8f8ee0f4c55cd336464465f716b62b4f1b1a6c35acf235d

SHA512
6885d38ce5f38b053ee231aef08496dae38ac6e88b6bf09e3948d552961543ffdc095de0283572dffbcd45dbd6df9869d555ae88f0c338301909ef1fd3ca9b64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ec347627-4ac9-43f8-bdf8-ea08a48e9aec.tmp

Filesize
116KB

MD5
e0c80382cffdac4c18bf52ca7781f29d

SHA1
d24441dd0452cc1b077ea143a14033ed4e694fae

SHA256
cc7d3e8c9ee80a4ec3bf85fb9f428be51847ae55691164bc6335374cecae037d

SHA512
fad0fb77cab450090c768fd937b0d7b282395563eacb6abd7a471d2c7d4dacbb320830232fc1d3adf46be57d3a8c56d5694777b6f50d7c4dd8aca811683d68f6

Download Submit
C:\Users\Admin\AppData\Roaming\Tiqs Via Q\KcozApp\UnRAR.exe

Filesize
494KB

MD5
98ccd44353f7bc5bad1bc6ba9ae0cd68

SHA1
76a4e5bf8d298800c886d29f85ee629e7726052d

SHA256
e51021f6cb20efbd2169f2a2da10ce1abca58b4f5f30fbf4bae931e4ecaac99b

SHA512
d6e8146a1055a59cba5e2aaf47f6cb184acdbe28e42ec3daebf1961a91cec5904554d9d433ebf943dd3639c239ef11560fa49f00e1cff02e11cd8d3506c4125f

Download Submit
C:\Users\Admin\AppData\Roaming\Tiqs Via Q\KcozApp\kafkjo.rar

Filesize
300KB

MD5
fd12642e860b732bc64c3292ce88b2a0

SHA1
b72c301132cc1d0f54aafdcde3d72ed0932e1166

SHA256
0b0a339900206aca1c16198ae6021009e7bfeed389276b85e69f6c1b6e16c0f5

SHA512
5603e6f9941022e1622510e755fbf5eea5b916924824ef479cb61a2bfdbeff61d23b424a589c6c8df8db3c72df313653bcc1270a58c0726aa2c3f3ad8d3926e1

Download Submit
C:\Users\Admin\Downloads\v.1.6.5__x64__app__.zip

Filesize
48.3MB

MD5
6fb81f66d847bc8c77e042abf7ac5f7c

SHA1
a5fa093f8de7518fddef4cad19a8721d85eda042

SHA256
49cc64fa9aa2f9f30adb681e647db4eb1c8206fc56d05b78d755a879c3ff5e25

SHA512
f6a5963e3fbd9337c8fd11e965ceb6982834706e1ac1ce23a3447beaa1eb43b1f9d5b34a10294b23f3723a5f3deb4806733d5fa201ca29680447766dae819504

Download Submit
C:\Windows\Installer\MSI5AEC.tmp

Filesize
738KB

MD5
b158d8d605571ea47a238df5ab43dfaa

SHA1
bb91ae1f2f7142b9099e3cc285f4f5b84de568e4

SHA256
ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504

SHA512
56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591

Download Submit
C:\Windows\Installer\MSI5DA0.tmp

Filesize
870KB

MD5
6119e62d8047032a715ba0670fc476c5

SHA1
52e639024460bf111c469e95fb011c07d6fc89e8

SHA256
bc31f85266df2cdfdbe22149937105388fa3adc17e3646fa4a167736e819af77

SHA512
e7301fa21f01f7f7562b853e9bb246ed051951e3cef152bb0b3558d4863f141edbbc0c4d439c30f51f9997805490f131a5e4cd00872b61ccb08ba9d200f811d8

Download Submit
C:\Windows\Installer\MSI5DFF.tmp

Filesize
1.1MB

MD5
1a2b237796742c26b11a008d0b175e29

SHA1
cfd5affcfb3b6fd407e58dfc7187fad4f186ea18

SHA256
81e0df47bcb2b3380fb0fb58b0d673be4ef1b0367fd2b0d80ab8ee292fc8f730

SHA512
3135d866bf91f9e09b980dd649582072df1f53eabe4c5ac5d34fff1aeb5b6fa01d38d87fc31de19a0887a910e95309bcf0e7ae54e6e8ed2469feb64da4a4f9e5

Download Submit
C:\Windows\Installer\MSI6758.tmp

Filesize
314KB

MD5
61123cbc153cb7f178ddbb318a7ea000

SHA1
0cfb1faa4c166d2a335ee62b05dd62b730ded9d6

SHA256
e5e0183dfd9f65406042762c0427bbcff010402b9934dadd2bddbb6c382d625c

SHA512
3249f814c9e4c472b5962ab159729bb44e28314e2e402abf4b5ec6789cb729192b662c948d362fa71f4284038544e4fdbb8f6d55b6ec0fb92c4de04840a15926

Download Submit
C:\Windows\Installer\MSI6806.tmp

Filesize
364KB

MD5
54d74546c6afe67b3d118c3c477c159a

SHA1
957f08beb7e27e657cd83d8ee50388b887935fae

SHA256
f9956417af079e428631a6c921b79716d960c3b4917c6b7d17ff3cb945f18611

SHA512
d27750b913cc2b7388e9948f42385d0b4124e48335ae7fc0bc6971f4f807dbc9af63fe88675bc440eb42b9a92551bf2d77130b1633ddda90866616b583ae924f

Download Submit