prometheus | 252f1a88526683b9dd18c1a7371533e989578b5118975adf93cd8a0891e3cbef

Analysis

max time kernel
297s
max time network
1239s
platform
windows7_x64
resource
win7-20220310-en
submitted
24-03-2022 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

252f1a88526683b9dd18c1a7371533e989578b5118975adf93cd8a0891e3cbef.zip
Size

48.1MB
MD5

034a5f1dcf1f3c5eb599f43af6866a5b
SHA1

caeed5dfc862a892e6331d2e732f25c163b4bb10
SHA256

252f1a88526683b9dd18c1a7371533e989578b5118975adf93cd8a0891e3cbef
SHA512

a1501596ade4264b34deb90063f8a8602f4f7c89a2d00c018a3ccd774f6c5d07e58f165d62bf45f8d50ec5cd80a20d22de62aa9e70d56e569e3252f28b7325cf

Score

10^/10

prometheus discovery persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\2012_2061648016\english_wikipedia.txt

Family

prometheus

Ransom Note

the of and in was is for as on with by he at from his an were are which doc https also or has had first one their its after new who they two her she been other when time during there into school more may years over only year most would world city some where between later three state such then national used made known under many university united while part season team these american than film second born south became states war through being including both before north high however people family early history album area them series against until since district county name work life group music following number company several four called played released career league game government house each based day same won use station club international town located population general college east found age march end september began home public church line june river member system place century band july york january october song august best former british party named held village show local november took service december built another major within along members five single due although small old left final large include building served president received games death february main third set children own order species park law air published road died book men women army often according education central country division english top included development french community among water play side list times near late form original different center power led students german moved court six land council island u.s. record million research art established award street military television given region support western production non political point cup period business title started various election using england role produced become program works field total office class written association radio union level championship director few force created department founded services married though per n't site open act short society version royal present northern worked professional full returned joined story france european currently language social california india days design st. further round australia wrote san project control southern railway board popular continued free battle considered video common position living half playing recorded red post described average records special modern appeared announced areas rock release elected others example term opened similar formed route census current schools originally lake developed race himself forces addition information upon province match event songs result events win eastern track lead teams science human construction minister germany awards available throughout training style body museum australian health seven signed chief eventually appointed sea centre debut tour points media light range character across features families largest indian network less performance players refer europe sold festival usually taken despite designed committee process return official episode institute stage followed performed japanese personal thus arts space low months includes china study middle magazine leading japan groups aircraft featured federal civil rights model coach canadian books remained eight type independent completed capital academy instead kingdom organization countries studies competition sports size above section finished gold involved reported management systems industry directed market fourth movement technology bank ground campaign base lower sent rather added provided coast grand historic valley conference bridge winning approximately films chinese awarded degree russian shows native female replaced municipality square studio medical data african successful mid bay attack previous operations spanish theatre student republic beginning provide ship primary owned writing tournament culture introduced texas related natural parts governor reached ireland units senior decided italian whose higher africa standard income professor placed regional los buildings championships active novel energy generally interest via economic previously stated itself channel below operation leader traditional trade structure limited runs prior regular famous saint navy foreign listed artist catholic airport results parliament collection unit officer goal attended command staff commission lived location plays commercial places foundation significant older medal self scored companies highway activities programs wide musical notable library numerous paris towards individual allowed plant property annual contract whom highest initially required earlier assembly artists rural seat practice defeated ended soviet length spent manager press associated author issues additional characters lord zealand policy engine township noted historical complete financial religious mission contains nine recent represented pennsylvania administration opening secretary lines report executive youth closed theory writer italy angeles appearance feature queen launched legal terms entered issue edition singer greek majority background source anti cultural complex changes recording stadium islands operated particularly basketball month uses port castle mostly names fort selected increased status earth subsequently pacific cover variety certain goals remains upper congress becoming studied irish nature particular loss caused chart dr. forced create era retired material review rate singles referred larger individuals shown provides products speed democratic poland parish olympics cities themselves temple wing genus households serving cost wales stations passed supported view cases forms actor male matches males stars tracks females administrative median effect biography train engineering camp offered chairman houses mainly 19th surface therefore nearly score ancient subject prime seasons claimed experience specific jewish failed overall believed plot troops greater spain consists broadcast heavy increase raised separate campus 1980s appears presented lies composed recently influence fifth nations creek references elections britain double cast meaning earned carried producer latter housing brothers attempt article response border remaining nearby direct ships value workers politician academic label 1970s commander rule fellow residents authority editor transport dutch projects responsible covered territory flight races defense tower emperor albums facilities daily stories assistant managed primarily quality function proposed distribution conditions prize journal code vice newspaper corps highly constructed mayor critical secondary corporation rugby regiment ohio appearances serve allow nation multiple discovered directly scene levels growth elements acquired 1990s officers physical 20th latin host jersey graduated arrived issued literature metal estate vote immediately quickly asian competed extended produce urban 1960s promoted contemporary global formerly appear industrial types opera ministry soldiers commonly mass formation smaller typically drama shortly density senate effects iran polish prominent naval settlement divided basis republican languages distance treatment continue product mile sources footballer format clubs leadership initial offers operating avenue officially columbia grade squadron fleet percent farm leaders agreement likely equipment website mount grew method transferred intended renamed iron asia reserve capacity politics widely activity advanced relations scottish dedicated crew founder episodes lack amount build efforts concept follows ordered leaves positive economy entertainment affairs memorial ability illinois communities color text railroad scientific focus comedy serves exchange environment cars direction organized firm description agency analysis purpose destroyed reception planned revealed infantry architecture growing featuring household candidate removed situated models knowledge solo technical organizations assigned conducted participated largely purchased register gained combined headquarters adopted potential protection scale approach spread independence mountains titled geography applied safety mixed accepted continues captured rail defeat principal recognized lieutenant mentioned semi owner joint liberal actress traffic creation basic notes unique supreme declared simply plants sales massachusetts designated parties jazz compared becomes resources titles concert learning remain teaching versions content alongside revolution sons block premier impact champions districts generation estimated volume image sites account roles sport quarter providing zone yard scoring classes presence performances representatives hosted split taught origin olympic claims critics facility occurred suffered municipal damage defined resulted respectively expanded platform draft opposition expected educational ontario climate reports atlantic surrounding performing reduced ranked allows birth nominated younger newly kong positions theater philadelphia heritage finals disease sixth laws reviews constitution tradition swedish theme fiction rome medicine trains resulting existing deputy environmental labour classical develop fans granted receive alternative begins nuclear fame buried connected identified palace falls letters combat sciences effort villages inspired regions towns conservative chosen animals labor attacks materials yards steel representative orchestra peak entitled officials returning reference northwest imperial convention examples ocean publication painting subsequent frequently religion brigade fully sides acts cemetery relatively oldest suggested succeeded achieved application programme cells votes promotion graduate armed supply flying communist figures literary netherlands korea worldwide citizens 1950s faculty draw stock seats occupied methods unknown articles claim holds authorities audience sweden interview obtained covers settled transfer marked allowing funding challenge southeast unlike crown rise portion transportation sector phase properties edge tropical standards institutions philosophy legislative hills brand fund conflict unable founding refused attempts metres permanent starring applications creating effective aired extensive employed enemy expansion billboard rank battalion multi vehicle fought alliance category perform federation poetry bronze bands entry vehicles bureau maximum billion trees intelligence greatest screen refers commissioned gallery injury confirmed setting treaty adult americans broadcasting supporting pilot mobile writers programming existence squad minnesota copies korean provincial sets defence offices agricultural internal core northeast retirement factory actions prevent communications ending weekly containing functions attempted interior weight bowl recognition incorporated increasing ultimately documentary derived attacked lyrics mexican external churches centuries metropolitan selling opposed personnel mill visited presidential roads pieces norwegian controlled 18th rear influenced wrestling weapons launch composer locations developing circuit specifically studios shared canal wisconsin publishing approved domestic consisted determined comic establishment exhibition southwest fuel electronic cape converted educated melbourne hits wins producing norway slightly occur surname identity represent constituency funds proved links structures athletic birds contest users poet institution display receiving rare contained guns motion piano temperature publications passenger contributed toward cathedral inhabitants architect exist athletics muslim courses abandoned signal successfully disambiguation tennessee dynasty heavily maryland jews representing budget weather missouri introduction faced pair chapel reform height vietnam occurs motor cambridge lands focused sought patients shape invasion chemical importance communication selection regarding homes voivodeship maintained borough failure aged passing agriculture oregon teachers flow philippines trail seventh portuguese resistance reaching negative fashion scheduled downtown universities trained skills scenes views notably typical incident candidates engines decades composition commune chain inc. austria sale values employees chamber regarded winners registered task investment colonial swiss user entirely flag stores closely entrance laid journalist coal equal causes turkish quebec techniques promote junction easily dates kentucky singapore residence violence advance survey humans expressed passes streets distinguished qualified folk establish egypt artillery visual improved actual finishing medium protein switzerland productions operate poverty neighborhood organisation consisting consecutive sections partnership extension reaction factor costs bodies device ethnic racial flat objects chapter improve musicians courts controversy membership merged wars expedition interests arab comics gain describes mining bachelor crisis joining decade 1930s distributed habitat routes arena cycle divisions briefly vocals directors degrees object recordings installed adjacent demand voted causing businesses ruled grounds starred drawn opposite stands formal operates persons counties compete wave israeli ncaa resigned brief greece combination demographics historian contain commonwealth musician collected argued louisiana session cabinet parliamentary electoral loan profit regularly conservation islamic purchase 17th charts residential earliest designs paintings survived moth items goods grey anniversary criticism images discovery observed underground progress additionally participate thousands reduce elementary owners stating iraq resolution capture tank rooms hollywood finance queensland reign maintain iowa landing broad outstanding circle path manufacturing assistance sequence gmina crossing leads universal shaped kings attached medieval ages metro colony affected scholars oklahoma coastal soundtrack painted attend definition meanwhile purposes trophy require marketing popularity cable mathematics mississippi represents scheme appeal distinct factors acid subjects roughly terminal economics senator diocese prix contrast argentina czech wings relief stages duties 16th novels accused whilst equivalent charged measure documents couples request danish defensive guide devices statistics credited tries passengers allied frame puerto peninsula concluded instruments wounded differences associate forests afterwards replace requirements aviation solution offensive ownership inner legislation hungarian contributions actors translated denmark steam depending aspects assumed injured severe admitted determine shore technique arrival measures translation debuted delivered returns rejected separated visitors damaged storage accompanied markets industries losses gulf charter strategy corporate socialist somewhat significantly physics mounted satellite experienced constant relative pattern restored belgium connecticut partners harvard retained networks protected mode artistic parallel collaboration debate involving journey linked salt authors components context occupation requires occasionally policies tamil ottoman revolutionary hungary poem versus gardens amongst audio makeup frequency meters orthodox continuing suggests legislature coalition guitarist eighth classification practices soil tokyo instance limit coverage considerable ranking colleges cavalry centers daughters twin equipped broadway narrow hosts rates domain boundary arranged 12th whereas brazilian forming rating strategic competitions trading covering baltimore commissioner infrastructure origins replacement praised disc collections expression ukraine driven edited austrian solar ensure premiered successor wooden operational hispanic concerns rapid prisoners childhood meets influential tunnel employment tribe qualifying adapted temporary celebrated appearing increasingly depression adults cinema entering laboratory script flows romania accounts fictional pittsburgh achieve monastery franchise formally tools newspapers revival sponsored processes vienna springs missions classified 13th annually branches lakes gender manner advertising normally maintenance adding characteristics integrated decline modified strongly critic victims malaysia arkansas nazi restoration powered monument hundreds depth 15th controversial admiral criticized brick honorary initiative output visiting birmingham progressive existed carbon 1920s credits colour rising hence defeating s

URLs

https

http

Signatures

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

uninstall.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe

Prometheus Ransomware
Ransomware family mostly targeting manufacturing industry and claims to be affiliated with REvil.
ransomware prometheus
Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

winrar-x64-611.exeuninstall.exeWinRAR.exeWinRAR.exeWinRAR.exe

pid process

3052 winrar-x64-611.exe
948 uninstall.exe
2176 WinRAR.exe
2288 WinRAR.exe
2660 WinRAR.exe

pid	process
3052	winrar-x64-611.exe
948	uninstall.exe
2176	WinRAR.exe
2288	WinRAR.exe
2660	WinRAR.exe

Loads dropped DLL 27 IoCs

Processes:

chrome.exechrome.exechrome.exewinrar-x64-611.exeuninstall.exeWinRAR.exe

pid	process
3008	chrome.exe
3008	chrome.exe
2876	chrome.exe
2876	chrome.exe
2012	chrome.exe
1232
3052	winrar-x64-611.exe
1232
1232
948	uninstall.exe
948	uninstall.exe
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
2660	WinRAR.exe
2660	WinRAR.exe
2660	WinRAR.exe
2660	WinRAR.exe
2660	WinRAR.exe
2660	WinRAR.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 60 IoCs

Processes:

winrar-x64-611.exeuninstall.exe

description	ioc	process
File created	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\RarExtInstaller.exe	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\Resources.pri	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\Default64.SFX	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_260099640	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\RarExtPackage.msix	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\WinCon64.SFX	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\Order.htm	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\Order.htm	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\Zip64.SFX	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\Rar.exe	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\Rar.txt	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\Rar.txt	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\RarExtInstaller.exe	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\WinCon64.SFX	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\License.txt	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\rarnew.dat	uninstall.exe
File opened for modification	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\zipnew.dat	uninstall.exe
File created	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\Rar.exe	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\Descript.ion	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\Default.SFX	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\Zip64.SFX	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\RarExtPackage.msix	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\Default64.SFX	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\License.txt	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\Resources.pri	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\Default.SFX	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\Descript.ion	winrar-x64-611.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2532 tasklist.exe
2680 tasklist.exe

pid	process
2532	tasklist.exe
2680	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeNETSTAT.EXEipconfig.exeNETSTAT.EXE

pid process

904 ipconfig.exe
1296 NETSTAT.EXE
3000 ipconfig.exe
1244 NETSTAT.EXE
Gathers system information 1 TTPs 2 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exesysteminfo.exe

pid process

2940 systeminfo.exe
2372 systeminfo.exe

pid	process
904	ipconfig.exe
1296	NETSTAT.EXE
3000	ipconfig.exe
1244	NETSTAT.EXE

pid	process
2940	systeminfo.exe
2372	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

winrar-x64-611.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main	winrar-x64-611.exe

Modifies registry class 64 IoCs

Processes:

rundll32.exeuninstall.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r12\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r20\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\""	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r27\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uu	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz2	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r17	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r20	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cab\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tlz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uue	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r15\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lha	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uue\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r24	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ShellNew	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xxe	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.z	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext32.dll"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r18	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r26\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r04	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.7z	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zipx\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.z\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.taz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r01\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r27	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r25\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tgz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r09\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r17\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r23\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r24\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0"	uninstall.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid process

1088 chrome.exe
2012 chrome.exe
2012 chrome.exe
2284 chrome.exe
2012 chrome.exe
2012 chrome.exe
2412 chrome.exe
2616 chrome.exe
2676 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

rundll32.exe

pid process

1412 rundll32.exe

pid	process
1088	chrome.exe
2012	chrome.exe
2012	chrome.exe
2284	chrome.exe
2012	chrome.exe
2012	chrome.exe
2412	chrome.exe
2616	chrome.exe
2676	chrome.exe

pid	process
1412	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AUDIODG.EXEwhoami.exeNETSTAT.EXEtasklist.exeWMIC.exewhoami.exeNETSTAT.EXEtasklist.exeWMIC.exe

description	pid	process
Token: 33	2196	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2196	AUDIODG.EXE
Token: 33	2196	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2196	AUDIODG.EXE
Token: SeDebugPrivilege	1244	whoami.exe
Token: SeDebugPrivilege	1296	NETSTAT.EXE
Token: SeDebugPrivilege	2532	tasklist.exe
Token: SeIncreaseQuotaPrivilege	840	WMIC.exe
Token: SeSecurityPrivilege	840	WMIC.exe
Token: SeTakeOwnershipPrivilege	840	WMIC.exe
Token: SeLoadDriverPrivilege	840	WMIC.exe
Token: SeSystemProfilePrivilege	840	WMIC.exe
Token: SeSystemtimePrivilege	840	WMIC.exe
Token: SeProfSingleProcessPrivilege	840	WMIC.exe
Token: SeIncBasePriorityPrivilege	840	WMIC.exe
Token: SeCreatePagefilePrivilege	840	WMIC.exe
Token: SeBackupPrivilege	840	WMIC.exe
Token: SeRestorePrivilege	840	WMIC.exe
Token: SeShutdownPrivilege	840	WMIC.exe
Token: SeDebugPrivilege	840	WMIC.exe
Token: SeSystemEnvironmentPrivilege	840	WMIC.exe
Token: SeRemoteShutdownPrivilege	840	WMIC.exe
Token: SeUndockPrivilege	840	WMIC.exe
Token: SeManageVolumePrivilege	840	WMIC.exe
Token: 33	840	WMIC.exe
Token: 34	840	WMIC.exe
Token: 35	840	WMIC.exe
Token: SeIncreaseQuotaPrivilege	840	WMIC.exe
Token: SeSecurityPrivilege	840	WMIC.exe
Token: SeTakeOwnershipPrivilege	840	WMIC.exe
Token: SeLoadDriverPrivilege	840	WMIC.exe
Token: SeSystemProfilePrivilege	840	WMIC.exe
Token: SeSystemtimePrivilege	840	WMIC.exe
Token: SeProfSingleProcessPrivilege	840	WMIC.exe
Token: SeIncBasePriorityPrivilege	840	WMIC.exe
Token: SeCreatePagefilePrivilege	840	WMIC.exe
Token: SeBackupPrivilege	840	WMIC.exe
Token: SeRestorePrivilege	840	WMIC.exe
Token: SeShutdownPrivilege	840	WMIC.exe
Token: SeDebugPrivilege	840	WMIC.exe
Token: SeSystemEnvironmentPrivilege	840	WMIC.exe
Token: SeRemoteShutdownPrivilege	840	WMIC.exe
Token: SeUndockPrivilege	840	WMIC.exe
Token: SeManageVolumePrivilege	840	WMIC.exe
Token: 33	840	WMIC.exe
Token: 34	840	WMIC.exe
Token: 35	840	WMIC.exe
Token: SeDebugPrivilege	2344	whoami.exe
Token: SeDebugPrivilege	1244	NETSTAT.EXE
Token: SeDebugPrivilege	2680	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1400	WMIC.exe
Token: SeSecurityPrivilege	1400	WMIC.exe
Token: SeTakeOwnershipPrivilege	1400	WMIC.exe
Token: SeLoadDriverPrivilege	1400	WMIC.exe
Token: SeSystemProfilePrivilege	1400	WMIC.exe
Token: SeSystemtimePrivilege	1400	WMIC.exe
Token: SeProfSingleProcessPrivilege	1400	WMIC.exe
Token: SeIncBasePriorityPrivilege	1400	WMIC.exe
Token: SeCreatePagefilePrivilege	1400	WMIC.exe
Token: SeBackupPrivilege	1400	WMIC.exe
Token: SeRestorePrivilege	1400	WMIC.exe
Token: SeShutdownPrivilege	1400	WMIC.exe
Token: SeDebugPrivilege	1400	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1400	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exe

pid	process
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

winrar-x64-611.exe

pid process

3052 winrar-x64-611.exe
3052 winrar-x64-611.exe

pid	process
3052	winrar-x64-611.exe
3052	winrar-x64-611.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2012 wrote to memory of 1624	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1624	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1624	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 876	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1088	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1088	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1088	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1500	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1500	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1500	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1500	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1500	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1500	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1500	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1500	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1500	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1500	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1500	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1500	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1500	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1500	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1500	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1500	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 1500	2012	chrome.exe	chrome.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\252f1a88526683b9dd18c1a7371533e989578b5118975adf93cd8a0891e3cbef.zip
1⤵
PID:1836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef68d4f50,0x7fef68d4f60,0x7fef68d4f70
  2⤵
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1060 /prefetch:2
  2⤵
  PID:876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1244 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1716 /prefetch:8
  2⤵
  PID:1500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2104 /prefetch:1
  2⤵
  PID:932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2092 /prefetch:1
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3672 /prefetch:8
  2⤵
  PID:1148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2964 /prefetch:2
  2⤵
  PID:1660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:1
  2⤵
  PID:912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1788 /prefetch:8
  2⤵
  PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1884 /prefetch:8
  2⤵
  PID:2096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3968 /prefetch:8
  2⤵
  PID:2192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3984 /prefetch:8
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2660 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3408 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3380 /prefetch:8
  2⤵
  PID:2420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  2⤵
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4056 /prefetch:8
  2⤵
  PID:2536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3080 /prefetch:8
  2⤵
  PID:2572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
  2⤵
  PID:2608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=108 /prefetch:8
  2⤵
  PID:2660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3800 /prefetch:8
  2⤵
  PID:2696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3340 /prefetch:8
  2⤵
  PID:2780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4020 /prefetch:8
  2⤵
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:1096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1448 /prefetch:8
  2⤵
  PID:584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
  2⤵
  PID:1608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3336 /prefetch:8
  2⤵
  PID:1636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3100 /prefetch:1
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4308 /prefetch:1
  2⤵
  PID:2584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2828 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4208 /prefetch:8
  2⤵
  PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3008 /prefetch:8
  2⤵
  PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1860 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4104 /prefetch:8
  2⤵
  - Loads dropped DLL
  PID:2876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3008 /prefetch:8
  2⤵
  - Loads dropped DLL
  PID:3008
- C:\Users\Admin\Downloads\winrar-x64-611.exe
  "C:\Users\Admin\Downloads\winrar-x64-611.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3052
- - C:\Program Files\WinRAR\uninstall.exe
    "C:\Program Files\WinRAR\uninstall.exe" /setup
    3⤵
    - Modifies system executable filetype association
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Modifies registry class
    PID:948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4216 /prefetch:8
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3516 /prefetch:8
  2⤵
  PID:2196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=740 /prefetch:8
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4236 /prefetch:8
  2⤵
  PID:2620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3916 /prefetch:8
  2⤵
  PID:2720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1048,11751380809338471988,9647551527768928257,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
  2⤵
  PID:1128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef68d4f50,0x7fef68d4f60,0x7fef68d4f70
  2⤵
  PID:240

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
1⤵
PID:648

C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -imon1 -- "C:\Users\Admin\Desktop\252f1a88526683b9dd18c1a7371533e989578b5118975adf93cd8a0891e3cbef.zip" "?\"
1⤵
- Executes dropped EXE
PID:2176

C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -imon1 -- "C:\Users\Admin\Desktop\252f1a88526683b9dd18c1a7371533e989578b5118975adf93cd8a0891e3cbef.zip" C:\Users\Admin\Desktop\
1⤵
- Executes dropped EXE
PID:2288

C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -imon1 "-anf=C:\Users\Admin\AppData\Local\Temp\Rar$LS1232.3406" -scul -- "C:\Users\Admin\Desktop\Win32\Backdoor.Win32.APT34.PoisonFrogC2.7z" C:\Users\Admin\Desktop\Win32\
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2660

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x188
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\Win32\Backdoor.Win32.APT34.PoisonFrogC2\Poison Frog\server side\installing\install_pachages.bat" "
1⤵
PID:2704

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Win32\Backdoor.Win32.APT34.PoisonFrogC2\Poison Frog\server side\routes\index.js"
1⤵
PID:1172

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\Win32\Backdoor.Win32.APT34.PoisonFrogC2\Poison Frog\server side\0000000000.bat" "
1⤵
PID:2892
- C:\Windows\system32\whoami.exe
  whoami
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1244
- C:\Windows\system32\HOSTNAME.EXE
  hostname
  2⤵
  PID:2680
- C:\Windows\system32\ipconfig.exe
  ipconfig /all
  2⤵
  - Gathers network information
  PID:904
- C:\Windows\system32\net.exe
  net user /domain
  2⤵
  PID:2628
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user /domain
    3⤵
    PID:2240
- C:\Windows\system32\net.exe
  net group /domain
  2⤵
  PID:2540
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 group /domain
    3⤵
    PID:2340
- C:\Windows\system32\net.exe
  net group "domain admins" /domain
  2⤵
  PID:2200
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 group "domain admins" /domain
    3⤵
    PID:2184
- C:\Windows\system32\net.exe
  net group "Exchange Trusted Subsystem" /domain
  2⤵
  PID:2092
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 group "Exchange Trusted Subsystem" /domain
    3⤵
    PID:2228
- C:\Windows\system32\net.exe
  net accounts /domain
  2⤵
  PID:1248
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 accounts /domain
    3⤵
    PID:2444
- C:\Windows\system32\net.exe
  net user
  2⤵
  PID:3004
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user
    3⤵
    PID:1728
- C:\Windows\system32\net.exe
  net localgroup administrators
  2⤵
  PID:1364
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup administrators
    3⤵
    PID:1444
- C:\Windows\system32\NETSTAT.EXE
  netstat -an
  2⤵
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:1296
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:2940
- C:\Windows\system32\reg.exe
  reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"
  2⤵
  PID:1920
- C:\Windows\system32\schtasks.exe
  schtasks /query /FO List /TN "GoogleUpdatesTaskMachineUI" /V
  2⤵
  PID:2064
- C:\Windows\system32\findstr.exe
  findstr /b /n /c:"Repeat: Every:"
  2⤵
  PID:2944
- C:\Windows\System32\Wbem\WMIC.exe
  WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:840

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\Win32\Backdoor.Win32.APT34.PoisonFrogC2\Poison Frog\server side\9999999999.bat" "
1⤵
PID:1700
- C:\Windows\system32\whoami.exe
  whoami
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Windows\system32\HOSTNAME.EXE
  hostname
  2⤵
  PID:2808
- C:\Windows\system32\ipconfig.exe
  ipconfig /all
  2⤵
  - Gathers network information
  PID:3000
- C:\Windows\system32\net.exe
  net user /domain
  2⤵
  PID:2448
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user /domain
    3⤵
    PID:2288
- C:\Windows\system32\net.exe
  net group /domain
  2⤵
  PID:2848
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 group /domain
    3⤵
    PID:3008
- C:\Windows\system32\net.exe
  net group "domain admins" /domain
  2⤵
  PID:2816
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 group "domain admins" /domain
    3⤵
    PID:2796
- C:\Windows\system32\net.exe
  net group "Exchange Trusted Subsystem" /domain
  2⤵
  PID:1768
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 group "Exchange Trusted Subsystem" /domain
    3⤵
    PID:2712
- C:\Windows\system32\net.exe
  net accounts /domain
  2⤵
  PID:2900
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 accounts /domain
    3⤵
    PID:2716
- C:\Windows\system32\net.exe
  net user
  2⤵
  PID:2104
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user
    3⤵
    PID:2740
- C:\Windows\system32\net.exe
  net localgroup administrators
  2⤵
  PID:2648
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup administrators
    3⤵
    PID:1912
- C:\Windows\system32\NETSTAT.EXE
  netstat -an
  2⤵
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:1244
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:2372
- C:\Windows\system32\reg.exe
  reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"
  2⤵
  PID:2628
- C:\Windows\system32\schtasks.exe
  schtasks /query /FO List /TN "GoogleUpdatesTaskMachineUI" /V
  2⤵
  PID:2040
- C:\Windows\system32\findstr.exe
  findstr /b /n /c:"Repeat: Every:"
  2⤵
  PID:2392
- C:\Windows\System32\Wbem\WMIC.exe
  WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1400

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\Win32\Backdoor.Win32.APT34.PoisonFrogC2\Poison Frog\server side\config.json
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:1412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Account Manipulation

T1098

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinRAR\Rar.txt

Filesize
107KB

MD5
8933d6e810668af29d7ba8f1c3b2b9ff

SHA1
760cbb236c4ca6e0003582aaefd72ff8b1c872aa

SHA256
cd3ba458c88bdf8924ebb404c8505d627e6ac7aadc6e351562c1894019604fc7

SHA512
344d737228483add83d5f2b31ae9582ca78013dc4be967f2cdafca24145970e3cb46d75373996150a3c9119ebc81ce9ac50e16696c17a4dea65c9571ef8e745e

Download Submit
C:\Program Files\WinRAR\Uninstall.exe

Filesize
412KB

MD5
92667e28583a9489e3cf4f1a7fd6636e

SHA1
faa09990ba4daae970038ed44e3841151d6e7f28

SHA256
9147293554ad43920bcf763ffd6e1183c36b9f8156dc220548426a187a5f2959

SHA512
63555a15f153df59b2ca2ab56cd20d71420eb5c9977bcf774723d8484157172b027f71fb2f7a4692aecc6e471f50beec2e0f7a43e57449714caede1e9684c0b8

Download Submit
C:\Program Files\WinRAR\WhatsNew.txt

Filesize
95KB

MD5
d4c768c52ee077eb09bac094f4af8310

SHA1
c56ae6b4464799fcdc87c5ff5a49ac1ad43482b1

SHA256
8089dfbebdf2142c7f60f5c12098859417b3c997f0b24b696ccaa78a50f3726c

SHA512
5b794b19b5ff10f7356a46f02204d0df3183037bc89d32e3f2c2978ea8f90ac6367fcb225b476cb7c8a3035d82ca1e328791271d3a58b40b9759d4b65e83f847

Download Submit
C:\Program Files\WinRAR\WinRAR.chm

Filesize
314KB

MD5
81b236ef16aaa6a3936fd449b12b82a2

SHA1
698acb3c862c7f3ecf94971e4276e531914e67bc

SHA256
d37819e64ecb61709fcf3435eb9bed790f75163057e36fb94a3465ca353ccc5e

SHA512
968fe20d6fe6879939297b8683da1520a1e0d2b9a5107451fca70b91802492e243976f56090c85eb9f38fca8f74134b8b6aa133ba2e2806d763c9f8516ace769

Download Submit
C:\Program Files\WinRAR\WinRAR.exe

Filesize
2.3MB

MD5
0b114fc0f4b6d49f57b3b01dd9ea6a8c

SHA1
23e1480c3ff3a54e712d759e9325d362bf52fabd

SHA256
f0f312fe14599d7379aa247c1d0cc6100db45bfe7f277113134a8157950bcacd

SHA512
e31c3a3da5e72a9d72e245d6e5dcc7c92e4cfcbb6bdbb61061e0586e29f77e8b42a81a0bba99ce45e148a2423907878fb858c40cc1008ef9d90fb8e4e2fcd573

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
d4239683ff8022449f501b5b5986b630

SHA1
bfc88141f59b3b90d4b5edb0d7ead95c4674bad6

SHA256
01d7a80cc0c9291b4ad9b005caef1efe94964d2014632e6a5c20acf83ca9ed10

SHA512
3e2d3aac9ff1ee015d601f9c8f6d97f5e3e6d2ecec062dca341d3ba1b1a2fee6aa62605a924a3531970d39448c246c0eda5a45ad4d52c5011e9664ca26543846

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
d4239683ff8022449f501b5b5986b630

SHA1
bfc88141f59b3b90d4b5edb0d7ead95c4674bad6

SHA256
01d7a80cc0c9291b4ad9b005caef1efe94964d2014632e6a5c20acf83ca9ed10

SHA512
3e2d3aac9ff1ee015d601f9c8f6d97f5e3e6d2ecec062dca341d3ba1b1a2fee6aa62605a924a3531970d39448c246c0eda5a45ad4d52c5011e9664ca26543846

Download Submit
C:\Users\Admin\Downloads\winrar-x64-611.exe

Filesize
3.3MB

MD5
8a6217d94e1bcbabdd1dfcdcaa83d1b3

SHA1
99b81b01f277540f38ea3e96c9c6dc2a57dfeb92

SHA256
3023edb4fc3f7c2ebad157b182b62848423f6fa20d180b0df689cbb503a49684

SHA512
a8f6f6fdfa9d754a577b7dd885a938fb9149f113baa2afb6352df622cdb73242175a06cd567e971fd3de93a126ba05b78178d5d512720d8fdb87ececce2cbf54

Download Submit
C:\Users\Admin\Downloads\winrar-x64-611.exe

Filesize
3.3MB

MD5
8a6217d94e1bcbabdd1dfcdcaa83d1b3

SHA1
99b81b01f277540f38ea3e96c9c6dc2a57dfeb92

SHA256
3023edb4fc3f7c2ebad157b182b62848423f6fa20d180b0df689cbb503a49684

SHA512
a8f6f6fdfa9d754a577b7dd885a938fb9149f113baa2afb6352df622cdb73242175a06cd567e971fd3de93a126ba05b78178d5d512720d8fdb87ececce2cbf54

Download Submit
\??\pipe\crashpad_2012_LMNKSWHLNQMKQMDZ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files\WinRAR\Uninstall.exe

Filesize
412KB

MD5
92667e28583a9489e3cf4f1a7fd6636e

SHA1
faa09990ba4daae970038ed44e3841151d6e7f28

SHA256
9147293554ad43920bcf763ffd6e1183c36b9f8156dc220548426a187a5f2959

SHA512
63555a15f153df59b2ca2ab56cd20d71420eb5c9977bcf774723d8484157172b027f71fb2f7a4692aecc6e471f50beec2e0f7a43e57449714caede1e9684c0b8

Download Submit
\Program Files\WinRAR\Uninstall.exe

Filesize
412KB

MD5
92667e28583a9489e3cf4f1a7fd6636e

SHA1
faa09990ba4daae970038ed44e3841151d6e7f28

SHA256
9147293554ad43920bcf763ffd6e1183c36b9f8156dc220548426a187a5f2959

SHA512
63555a15f153df59b2ca2ab56cd20d71420eb5c9977bcf774723d8484157172b027f71fb2f7a4692aecc6e471f50beec2e0f7a43e57449714caede1e9684c0b8

Download Submit
\Program Files\WinRAR\Uninstall.exe

Filesize
412KB

MD5
92667e28583a9489e3cf4f1a7fd6636e

SHA1
faa09990ba4daae970038ed44e3841151d6e7f28

SHA256
9147293554ad43920bcf763ffd6e1183c36b9f8156dc220548426a187a5f2959

SHA512
63555a15f153df59b2ca2ab56cd20d71420eb5c9977bcf774723d8484157172b027f71fb2f7a4692aecc6e471f50beec2e0f7a43e57449714caede1e9684c0b8

Download Submit
\Program Files\WinRAR\Uninstall.exe

Filesize
412KB

MD5
92667e28583a9489e3cf4f1a7fd6636e

SHA1
faa09990ba4daae970038ed44e3841151d6e7f28

SHA256
9147293554ad43920bcf763ffd6e1183c36b9f8156dc220548426a187a5f2959

SHA512
63555a15f153df59b2ca2ab56cd20d71420eb5c9977bcf774723d8484157172b027f71fb2f7a4692aecc6e471f50beec2e0f7a43e57449714caede1e9684c0b8

Download Submit
\Program Files\WinRAR\WinRAR.exe

Filesize
2.3MB

MD5
0b114fc0f4b6d49f57b3b01dd9ea6a8c

SHA1
23e1480c3ff3a54e712d759e9325d362bf52fabd

SHA256
f0f312fe14599d7379aa247c1d0cc6100db45bfe7f277113134a8157950bcacd

SHA512
e31c3a3da5e72a9d72e245d6e5dcc7c92e4cfcbb6bdbb61061e0586e29f77e8b42a81a0bba99ce45e148a2423907878fb858c40cc1008ef9d90fb8e4e2fcd573

Download Submit
\Program Files\WinRAR\WinRAR.exe

Filesize
2.3MB

MD5
0b114fc0f4b6d49f57b3b01dd9ea6a8c

SHA1
23e1480c3ff3a54e712d759e9325d362bf52fabd

SHA256
f0f312fe14599d7379aa247c1d0cc6100db45bfe7f277113134a8157950bcacd

SHA512
e31c3a3da5e72a9d72e245d6e5dcc7c92e4cfcbb6bdbb61061e0586e29f77e8b42a81a0bba99ce45e148a2423907878fb858c40cc1008ef9d90fb8e4e2fcd573

Download Submit
\Program Files\WinRAR\WinRAR.exe

Filesize
2.3MB

MD5
0b114fc0f4b6d49f57b3b01dd9ea6a8c

SHA1
23e1480c3ff3a54e712d759e9325d362bf52fabd

SHA256
f0f312fe14599d7379aa247c1d0cc6100db45bfe7f277113134a8157950bcacd

SHA512
e31c3a3da5e72a9d72e245d6e5dcc7c92e4cfcbb6bdbb61061e0586e29f77e8b42a81a0bba99ce45e148a2423907878fb858c40cc1008ef9d90fb8e4e2fcd573

Download Submit
\Users\Admin\Downloads\winrar-x64-611.exe

Filesize
3.3MB

MD5
8a6217d94e1bcbabdd1dfcdcaa83d1b3

SHA1
99b81b01f277540f38ea3e96c9c6dc2a57dfeb92

SHA256
3023edb4fc3f7c2ebad157b182b62848423f6fa20d180b0df689cbb503a49684

SHA512
a8f6f6fdfa9d754a577b7dd885a938fb9149f113baa2afb6352df622cdb73242175a06cd567e971fd3de93a126ba05b78178d5d512720d8fdb87ececce2cbf54

Download Submit
\Users\Admin\Downloads\winrar-x64-611.exe

Filesize
3.3MB

MD5
8a6217d94e1bcbabdd1dfcdcaa83d1b3

SHA1
99b81b01f277540f38ea3e96c9c6dc2a57dfeb92

SHA256
3023edb4fc3f7c2ebad157b182b62848423f6fa20d180b0df689cbb503a49684

SHA512
a8f6f6fdfa9d754a577b7dd885a938fb9149f113baa2afb6352df622cdb73242175a06cd567e971fd3de93a126ba05b78178d5d512720d8fdb87ececce2cbf54

Download Submit
\Users\Admin\Downloads\winrar-x64-611.exe

Filesize
3.3MB

MD5
8a6217d94e1bcbabdd1dfcdcaa83d1b3

SHA1
99b81b01f277540f38ea3e96c9c6dc2a57dfeb92

SHA256
3023edb4fc3f7c2ebad157b182b62848423f6fa20d180b0df689cbb503a49684

SHA512
a8f6f6fdfa9d754a577b7dd885a938fb9149f113baa2afb6352df622cdb73242175a06cd567e971fd3de93a126ba05b78178d5d512720d8fdb87ececce2cbf54

Download Submit
\Users\Admin\Downloads\winrar-x64-611.exe

Filesize
3.3MB

MD5
8a6217d94e1bcbabdd1dfcdcaa83d1b3

SHA1
99b81b01f277540f38ea3e96c9c6dc2a57dfeb92

SHA256
3023edb4fc3f7c2ebad157b182b62848423f6fa20d180b0df689cbb503a49684

SHA512
a8f6f6fdfa9d754a577b7dd885a938fb9149f113baa2afb6352df622cdb73242175a06cd567e971fd3de93a126ba05b78178d5d512720d8fdb87ececce2cbf54

Download Submit
\Users\Admin\Downloads\winrar-x64-611.exe

Filesize
3.3MB

MD5
8a6217d94e1bcbabdd1dfcdcaa83d1b3

SHA1
99b81b01f277540f38ea3e96c9c6dc2a57dfeb92

SHA256
3023edb4fc3f7c2ebad157b182b62848423f6fa20d180b0df689cbb503a49684

SHA512
a8f6f6fdfa9d754a577b7dd885a938fb9149f113baa2afb6352df622cdb73242175a06cd567e971fd3de93a126ba05b78178d5d512720d8fdb87ececce2cbf54

Download Submit
\Users\Admin\Downloads\winrar-x64-611.exe

Filesize
3.3MB

MD5
8a6217d94e1bcbabdd1dfcdcaa83d1b3

SHA1
99b81b01f277540f38ea3e96c9c6dc2a57dfeb92

SHA256
3023edb4fc3f7c2ebad157b182b62848423f6fa20d180b0df689cbb503a49684

SHA512
a8f6f6fdfa9d754a577b7dd885a938fb9149f113baa2afb6352df622cdb73242175a06cd567e971fd3de93a126ba05b78178d5d512720d8fdb87ececce2cbf54

Download Submit
memory/840-122-0x0000000000000000-mapping.dmp

Download
memory/904-101-0x0000000000000000-mapping.dmp

Download
memory/948-82-0x0000000000000000-mapping.dmp

Download
memory/1244-140-0x0000000000000000-mapping.dmp

Download
memory/1244-99-0x0000000000000000-mapping.dmp

Download
memory/1248-110-0x0000000000000000-mapping.dmp

Download
memory/1296-116-0x0000000000000000-mapping.dmp

Download
memory/1364-114-0x0000000000000000-mapping.dmp

Download
memory/1400-146-0x0000000000000000-mapping.dmp

Download
memory/1444-115-0x0000000000000000-mapping.dmp

Download
memory/1728-113-0x0000000000000000-mapping.dmp

Download
memory/1768-132-0x0000000000000000-mapping.dmp

Download
memory/1912-139-0x0000000000000000-mapping.dmp

Download
memory/1920-119-0x0000000000000000-mapping.dmp

Download
memory/2040-144-0x0000000000000000-mapping.dmp

Download
memory/2064-120-0x0000000000000000-mapping.dmp

Download
memory/2092-108-0x0000000000000000-mapping.dmp

Download
memory/2104-136-0x0000000000000000-mapping.dmp

Download
memory/2184-107-0x0000000000000000-mapping.dmp

Download
memory/2200-106-0x0000000000000000-mapping.dmp

Download
memory/2228-109-0x0000000000000000-mapping.dmp

Download
memory/2240-103-0x0000000000000000-mapping.dmp

Download
memory/2288-127-0x0000000000000000-mapping.dmp

Download
memory/2340-105-0x0000000000000000-mapping.dmp

Download
memory/2344-123-0x0000000000000000-mapping.dmp

Download
memory/2372-142-0x0000000000000000-mapping.dmp

Download
memory/2392-145-0x0000000000000000-mapping.dmp

Download
memory/2444-111-0x0000000000000000-mapping.dmp

Download
memory/2448-126-0x0000000000000000-mapping.dmp

Download
memory/2532-117-0x0000000000000000-mapping.dmp

Download
memory/2540-104-0x0000000000000000-mapping.dmp

Download
memory/2628-143-0x0000000000000000-mapping.dmp

Download
memory/2628-102-0x0000000000000000-mapping.dmp

Download
memory/2648-138-0x0000000000000000-mapping.dmp

Download
memory/2680-100-0x0000000000000000-mapping.dmp

Download
memory/2680-141-0x0000000000000000-mapping.dmp

Download
memory/2712-133-0x0000000000000000-mapping.dmp

Download
memory/2716-135-0x0000000000000000-mapping.dmp

Download
memory/2740-137-0x0000000000000000-mapping.dmp

Download
memory/2796-131-0x0000000000000000-mapping.dmp

Download
memory/2808-124-0x0000000000000000-mapping.dmp

Download
memory/2816-130-0x0000000000000000-mapping.dmp

Download
memory/2848-128-0x0000000000000000-mapping.dmp

Download
memory/2900-134-0x0000000000000000-mapping.dmp

Download
memory/2940-118-0x0000000000000000-mapping.dmp

Download
memory/2944-121-0x0000000000000000-mapping.dmp

Download
memory/3000-125-0x0000000000000000-mapping.dmp

Download
memory/3004-112-0x0000000000000000-mapping.dmp

Download
memory/3008-129-0x0000000000000000-mapping.dmp

Download
memory/3052-64-0x000007FEFBCC1000-0x000007FEFBCC3000-memory.dmp

Filesize
8KB

Download
memory/3052-62-0x0000000000000000-mapping.dmp

Download