a0d69f37d3ba0dc95cb0f3eaa9975a1ff418890a68c6393b3a9d2e7634d1b00b

Resubmissions

13/01/2025, 06:07

250113-gvkebasjeq 7

13/01/2025, 06:00

250113-gqadjs1qhr 7

13/01/2025, 05:49

250113-gh1krs1ndr 7

13/01/2025, 05:36

250113-galfwa1kdl 7

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2025, 06:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusSample2.rar
Size

21.1MB
MD5

e4e8f137fcd5d8c8be5d87228a1e83ac
SHA1

a6ad110c747a40def97b5a4eb29fb35e4c299be7
SHA256

a0d69f37d3ba0dc95cb0f3eaa9975a1ff418890a68c6393b3a9d2e7634d1b00b
SHA512

20fff490f2e73457a06cf39cca57880741aab3714721d0a896770b0ee33b1a078f7eb209eed5cde019538f0ccfa3bd12f6ee6d76d7571346c76bc2d6bc545713
SSDEEP

393216:7Ma43eiU82dY4aPvkTCwie/akRForX96btuJxcZ7SYAnumlc:4aqeTNaPvkweD/8AtuCZ7SXucc

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2644	S0FTWARE.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2644 set thread context of 2056	2644	S0FTWARE.exe	133

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S0FTWARE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133812221665692478"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4036	chrome.exe
4036	chrome.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1692	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1692	7zFM.exe
Token: 35	1692	7zFM.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeSecurityPrivilege	1692	7zFM.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeShutdownPrivilege	4036	chrome.exe
Token: SeCreatePagefilePrivilege	4036	chrome.exe
Token: SeShutdownPrivilege	4036	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1692	7zFM.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
1692	7zFM.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
4036	chrome.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4460	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4036 wrote to memory of 4632	4036	chrome.exe	101
PID 4036 wrote to memory of 4632	4036	chrome.exe	101
PID 4036 wrote to memory of 2860	4036	chrome.exe	102
PID 4036 wrote to memory of 2860	4036	chrome.exe	102
PID 4036 wrote to memory of 2860	4036	chrome.exe	102
PID 4036 wrote to memory of 2860	4036	chrome.exe	102
PID 4036 wrote to memory of 2860	4036	chrome.exe	102
PID 4036 wrote to memory of 2860	4036	chrome.exe	102
PID 4036 wrote to memory of 2860	4036	chrome.exe	102
PID 4036 wrote to memory of 2860	4036	chrome.exe	102
PID 4036 wrote to memory of 2860	4036	chrome.exe	102
PID 4036 wrote to memory of 2860	4036	chrome.exe	102
PID 4036 wrote to memory of 2860	4036	chrome.exe	102
PID 4036 wrote to memory of 2860	4036	chrome.exe	102
PID 4036 wrote to memory of 2860	4036	chrome.exe	102
PID 4036 wrote to memory of 2860	4036	chrome.exe	102
PID 4036 wrote to memory of 2860	4036	chrome.exe	102
PID 4036 wrote to memory of 2860	4036	chrome.exe	102
PID 4036 wrote to memory of 2860	4036	chrome.exe	102
PID 4036 wrote to memory of 2860	4036	chrome.exe	102
PID 4036 wrote to memory of 2860	4036	chrome.exe	102
PID 4036 wrote to memory of 2860	4036	chrome.exe	102
PID 4036 wrote to memory of 2860	4036	chrome.exe	102
PID 4036 wrote to memory of 2860	4036	chrome.exe	102
PID 4036 wrote to memory of 2860	4036	chrome.exe	102
PID 4036 wrote to memory of 2860	4036	chrome.exe	102
PID 4036 wrote to memory of 2860	4036	chrome.exe	102
PID 4036 wrote to memory of 2860	4036	chrome.exe	102
PID 4036 wrote to memory of 2860	4036	chrome.exe	102
PID 4036 wrote to memory of 2860	4036	chrome.exe	102
PID 4036 wrote to memory of 2860	4036	chrome.exe	102
PID 4036 wrote to memory of 2860	4036	chrome.exe	102
PID 4036 wrote to memory of 2424	4036	chrome.exe	103
PID 4036 wrote to memory of 2424	4036	chrome.exe	103
PID 4036 wrote to memory of 1968	4036	chrome.exe	104
PID 4036 wrote to memory of 1968	4036	chrome.exe	104
PID 4036 wrote to memory of 1968	4036	chrome.exe	104
PID 4036 wrote to memory of 1968	4036	chrome.exe	104
PID 4036 wrote to memory of 1968	4036	chrome.exe	104
PID 4036 wrote to memory of 1968	4036	chrome.exe	104
PID 4036 wrote to memory of 1968	4036	chrome.exe	104
PID 4036 wrote to memory of 1968	4036	chrome.exe	104
PID 4036 wrote to memory of 1968	4036	chrome.exe	104
PID 4036 wrote to memory of 1968	4036	chrome.exe	104
PID 4036 wrote to memory of 1968	4036	chrome.exe	104
PID 4036 wrote to memory of 1968	4036	chrome.exe	104
PID 4036 wrote to memory of 1968	4036	chrome.exe	104
PID 4036 wrote to memory of 1968	4036	chrome.exe	104
PID 4036 wrote to memory of 1968	4036	chrome.exe	104
PID 4036 wrote to memory of 1968	4036	chrome.exe	104
PID 4036 wrote to memory of 1968	4036	chrome.exe	104
PID 4036 wrote to memory of 1968	4036	chrome.exe	104
PID 4036 wrote to memory of 1968	4036	chrome.exe	104
PID 4036 wrote to memory of 1968	4036	chrome.exe	104
PID 4036 wrote to memory of 1968	4036	chrome.exe	104
PID 4036 wrote to memory of 1968	4036	chrome.exe	104
PID 4036 wrote to memory of 1968	4036	chrome.exe	104
PID 4036 wrote to memory of 1968	4036	chrome.exe	104
PID 4036 wrote to memory of 1968	4036	chrome.exe	104
PID 4036 wrote to memory of 1968	4036	chrome.exe	104
PID 4036 wrote to memory of 1968	4036	chrome.exe	104
PID 4036 wrote to memory of 1968	4036	chrome.exe	104
PID 4036 wrote to memory of 1968	4036	chrome.exe	104
PID 4036 wrote to memory of 1968	4036	chrome.exe	104

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\VirusSample2.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1692

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff4a39cc40,0x7fff4a39cc4c,0x7fff4a39cc58
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,17136308664808789231,2513198353021594541,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:2860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2188,i,17136308664808789231,2513198353021594541,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2300,i,17136308664808789231,2513198353021594541,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2616 /prefetch:8
  2⤵
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3188,i,17136308664808789231,2513198353021594541,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3216,i,17136308664808789231,2513198353021594541,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3748,i,17136308664808789231,2513198353021594541,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4548 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4724,i,17136308664808789231,2513198353021594541,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4076 /prefetch:8
  2⤵
  PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5028,i,17136308664808789231,2513198353021594541,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  PID:2612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5092,i,17136308664808789231,2513198353021594541,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5072 /prefetch:8
  2⤵
  PID:3828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5068,i,17136308664808789231,2513198353021594541,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5044 /prefetch:8
  2⤵
  PID:4336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5160,i,17136308664808789231,2513198353021594541,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  PID:672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5260,i,17136308664808789231,2513198353021594541,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5184 /prefetch:8
  2⤵
  PID:4328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4868,i,17136308664808789231,2513198353021594541,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5288 /prefetch:2
  2⤵
  PID:4248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5616,i,17136308664808789231,2513198353021594541,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:3448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4444,i,17136308664808789231,2513198353021594541,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  PID:1612

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3948

C:\Users\Admin\Desktop\Setup\S0FTWARE.exe
"C:\Users\Admin\Desktop\Setup\S0FTWARE.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2644
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2056

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2992

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
c356d033ebea737f11fd943718bc9f5f

SHA1
1bb73f3d0210357f2d0c51015944621e7fab6194

SHA256
c9ab587b07c7649f77c29aa8ad7856fc6245e73e842f5cdef1dc1014b297f43b

SHA512
5489974c769462f25ace6e9f9f0549ebe36c5680ed7c5943415200813cfb56b342213501375f60bed04a999c93e52575b0867dd970f1fcb755ad8fce661dc211

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d4efeae648c18352ae8ccb1d75d07d06

SHA1
2208b628300d10be590055420025a988c054214f

SHA256
58f6d6c2dd15c0ce5803fd2bcaa6c4942b4ac5bd73a681ae905e0ee1ee5e55bf

SHA512
c3a7f49caa8e0643f50d8aac99f62a987433147c5f6d290900b1e82bed446396105075aa4f78dfbd53e67b93dde8983b18e13d26b6f06d8b73a46e4deffc8da3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
e7a678c464e77bba480d48aec18ec12f

SHA1
b1625628d618453663d1bb031e6f2e9b341fe30e

SHA256
7de4f5a4d97ba2626bfe0c7899fcaf97c1e0da966247b55e6d7ea93add60e6fe

SHA512
531d136eec4d5c7884364b28f38a00537424b5b6a4dd6a368411771b2045ce5419d1e912f9b0ea8171f07856019cf909152a9f06793a97ae43782f488b7d77e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f7d028e1aabfc4ad8d4f8ff8bf8fd080

SHA1
411789558f1915eb4d85dcc9dbc47229f361fdf8

SHA256
0c2ab1418a2487c0c670a5079d44f075540c206067a233d933345f57758f10ba

SHA512
3c0abd4d5c5e0e45efb00116175ed68e55cc411e1dd93e4546c0ba9983f055f0068e9e2892f8e57dfc8b7b4885cd4c2dd123250ac5206ddf1da99e60dd71c4ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
33e343b1d58a2568eced862008d4749c

SHA1
8ce7697db494228078948d31172ee602910660ee

SHA256
5f44909203f3fc1222acadb80fb0690192c993f562933601f9c9dfcb5927a74f

SHA512
313777a54e12c9b6540475b10f92d5045ec7f524d5d56eab7e5057a7c77eb87841d5b41a24a013d9967d700707089132c0b00e3687da93e2a15520b2870a85fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
75cea792411b85d424fa80c633073353

SHA1
1b15171fce6a15dc8e7a9b790b628b7f42b060bb

SHA256
6a798341a76ed471f96603c1f766d661972ef38ec30bf0b5603b975fcfc755d9

SHA512
b9578a9f46d7ba34cddb53e422ebac64d68a474e0e2fae7546d864feeb79eeb112551e696077c29678ecc6f77ffcbeb3c3f35d7d04e74097178d88ca5ac8e89f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
23de3fb63325a6f4d0e4ec7b5d7e031a

SHA1
e1e78ee3b2f9085b44d2eb9474bbdb7b87131da5

SHA256
fae69854330ff02f630baedba01a4e92ef37728df990793b2219b53905697dd1

SHA512
58b0ab3d55035085f721b968467ac81257cc26bab349ab8b5a086101b904e4c0e8ba1d91d263133107940f0056b0f689205bb3e19228c8674b7dab63a236851a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
46ab3ec0c9e2fb0d7dd47505ee8b0657

SHA1
03a9620ded7175cad70d070dbe8c3709603ca294

SHA256
0beb5ac39e7421b85d0456ea8ffd8c96e248e5d20450b81aba3de99ff3e31dd0

SHA512
2ea395e1dd95b2fd11aefbf0864f328ae89c99a7c0c14d2e583b7837c3e212dc204516a93f0ad2e185f2738652bebba5a86f7ea8b3f8f9348fc8c078cc2aa27b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ed3199ff6005d4cf0f235150a7de9f76

SHA1
f673b88411bd8c31a703fd91fcdce966484f8b5e

SHA256
8e3a2068c180149f6994ddb33fb6c74f0e272002f3a98eb8171dab66d04692c5

SHA512
28ead99e90623cacb27bb12f118dc03d1006e25c2642d1ae745cf6551bd2a5a585080ed9ffe30eff5957a5096eca4989896d57229d4bba7f0c1f42e772d65da0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
17e23036b925de39216cda42799bd80e

SHA1
fda03816206285964ba5fe27108abe8d0ee59207

SHA256
a52342db3492f79f3e34780a557a009e1ad6d5f2724063b50b6b6ac02555996f

SHA512
911e97964f3b8917f3a0760a61c9573211ecf541a189c11cbf452ceaeff73a324d2d6066f14d62690d021ebdf54257f115f992675fc202ce4be66ef4e4d5d04c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4a737997e7cf0b6c669ab5bdc8026fe7

SHA1
ebf1b69bcf765781ff057399adfd16ed4e90af9e

SHA256
455d8b4a55c627b2e5301abd91759c741d92ca5943eee3c2c81c8454de00c27e

SHA512
283c413c4338366ccde53af743afc035b70711ad9d777cdc3f981e542e38083829f0a5cc37103b2619bd762de49c5065c7393f401443ce4e9849ec9aa7739a5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
fa79c8e1397779449aa428abfb24cd85

SHA1
fd71affa5b4f706a058a1167d07f80fa226a84bf

SHA256
837aaf3e9dca056dad09c86bc745b9e8a531c6a91d17fc8df17d704f312030a8

SHA512
95c7d020062694b463dc984b2a76af7d4c185b6ad102a90d542a4185f3c0aad09b48d8876d9a099480599e7003c5367e988860040e4f7419e76068d3c6ffed98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
0f4e7975eafbecf6ae9f84cb123c6df2

SHA1
e7783699189b6aa64c10e9826d00fc18388aedd2

SHA256
a90af9d9001a6a0215fcdffe9b8bd66ab3f5d7566e8c50bae7a7048d092da81b

SHA512
88febbc60f361ab00750722e0510eb8c3afe9a9fb960c37823b7e95335532210164b64c5a4893bb3bea2d8cd847cd2eae4e9d344d3a3e225a15082265b7536e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
26c896aafe930bb21c4cccf387506210

SHA1
512764621211a575c72aa016858e16cb17f6d6e0

SHA256
e5295e3489d34be1961b3c6dee25545e61fb5959d33b9737bf7835ef7cdcb224

SHA512
7bd2b87a6917792346f04520023c216700bee57c7f3e3305bcce30c44e3a2e68996f2f4c4fe9bf37c08a20beee2f554f2feb4f784991fe81acae17104a45090b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
feb532221747bf1ddb8ded952ecd885c

SHA1
23f1cd39b6d39cd004ab13a902f717beac3d8d71

SHA256
11c05162237f0f179fa7e39618a3032bb05df291e5bbe539c92246b251020b7b

SHA512
1d6b707d10d6fc60d7ec095e9f84f2a32ca5b59db69ccfdb81b1722a4b170c60c4eb0f4132dfd8a6a6e3ee8368ffd2fd868a813d2f01051df5d6ec7f5cf6797c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
e0ee4bcffc5a063bd9b6095e810f646a

SHA1
73b60819ca07c60dc1b53eb9f117962b92698e40

SHA256
2e2a3e2eb25cbb5f2473c9e6c6eedb6a0262d0846dc34ae11aedf30eea652a8a

SHA512
b0bd90d4234d3414abb07f42ba4e9c29a62709a48494ffb0cc22bd8ab75f26331afb32e38bca167648304a1a3415e8d387c55d0e4e17f940f7bc26f3150d1158

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zEC9693B08\KeyFile\1049\sharedmanagementobjects_keyfile.dll

Filesize
23KB

MD5
5e54cb9759d1a9416f51ac1e759bbccf

SHA1
1a033a7aae7c294967b1baba0b1e6673d4eeefc6

SHA256
f7e5cae32e2ec2c35346954bfb0b7352f9a697c08586e52494a71ef00e40d948

SHA512
32dcca4432ec0d2a8ad35fe555f201fef828b2f467a2b95417b42ff5b5149aee39d626d244bc295dca8a00cd81ef33a20f9e681dd47eb6ee47932d5d8dd2c664

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4036_549801296\88538ed0-4bce-4d43-95aa-a851f959dc14.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4036_549801296\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\Desktop\Setup\S0FTWARE.exe

Filesize
10.5MB

MD5
107f2ad17a30b5d498a0bde5f6b76147

SHA1
ca206ceb5253b83bb009d87ea0d6b4265cabd768

SHA256
82819ee0b35a59f56f57b91fc9f9b53a6086e6d35df65ba854f874580bc63639

SHA512
146eaa30a2b8070f5ea76a3a5657ff35390dd2ff38f593712b749aa84fa9fb4512cb2be8cf4aea8422c00db65074a17feb27e1e98d5db84f1fde80fc92a1f3ad

Download Submit
memory/2056-844-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2056-843-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2992-820-0x0000024CB3E30000-0x0000024CB3E31000-memory.dmp

Filesize
4KB

Download
memory/2992-826-0x0000024CB3E30000-0x0000024CB3E31000-memory.dmp

Filesize
4KB

Download
memory/2992-828-0x0000024CB3E30000-0x0000024CB3E31000-memory.dmp

Filesize
4KB

Download
memory/2992-829-0x0000024CB3E30000-0x0000024CB3E31000-memory.dmp

Filesize
4KB

Download
memory/2992-830-0x0000024CB3E30000-0x0000024CB3E31000-memory.dmp

Filesize
4KB

Download
memory/2992-831-0x0000024CB3E30000-0x0000024CB3E31000-memory.dmp

Filesize
4KB

Download
memory/2992-832-0x0000024CB3E30000-0x0000024CB3E31000-memory.dmp

Filesize
4KB

Download
memory/2992-827-0x0000024CB3E30000-0x0000024CB3E31000-memory.dmp

Filesize
4KB

Download
memory/2992-821-0x0000024CB3E30000-0x0000024CB3E31000-memory.dmp

Filesize
4KB

Download
memory/2992-822-0x0000024CB3E30000-0x0000024CB3E31000-memory.dmp

Filesize
4KB

Download