Analysis
-
max time kernel
390s -
max time network
389s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
30-08-2022 01:23
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://rebrand.ly/dic-com_prob_antede_pago0002
Resource
win10v2004-20220812-en
General
-
Target
https://rebrand.ly/dic-com_prob_antede_pago0002
Malware Config
Extracted
C:\Program Files\WinRAR\Rar.txt
Extracted
C:\Program Files\WinRAR\WhatsNew.txt
https
http
http://weirdsgn.com
http://icondesignlab.com
https://rarlab.com/themes/WinRAR_Classic_48x36.theme.rar
Signatures
-
Bandook payload 5 IoCs
Processes:
resource yara_rule behavioral1/memory/2616-166-0x0000000013140000-0x0000000013C7D000-memory.dmp family_bandook behavioral1/memory/2616-167-0x0000000013140000-0x0000000013C7D000-memory.dmp family_bandook behavioral1/memory/2616-168-0x0000000013140000-0x0000000013C7D000-memory.dmp family_bandook behavioral1/memory/3284-173-0x0000000013140000-0x0000000013C7D000-memory.dmp family_bandook behavioral1/memory/3284-174-0x0000000013140000-0x0000000013C7D000-memory.dmp family_bandook -
Modifies system executable filetype association 2 TTPs 8 IoCs
Processes:
uninstall.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ uninstall.exe -
Downloads MZ/PE file
-
Executes dropped EXE 6 IoCs
Processes:
winrar-x64-611.exeuninstall.exeWinRAR.exeChromeRecovery.exeCOMPROBANTE DE PAGO_N29.exeCOMPROBANTE DE PAGO_N29.exepid process 1108 winrar-x64-611.exe 2712 uninstall.exe 3612 WinRAR.exe 1688 ChromeRecovery.exe 2556 COMPROBANTE DE PAGO_N29.exe 320 COMPROBANTE DE PAGO_N29.exe -
Registers COM server for autorun 1 TTPs 3 IoCs
Processes:
uninstall.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment" uninstall.exe -
Processes:
resource yara_rule behavioral1/memory/2616-164-0x0000000013140000-0x0000000013C7D000-memory.dmp upx behavioral1/memory/2616-165-0x0000000013140000-0x0000000013C7D000-memory.dmp upx behavioral1/memory/2616-166-0x0000000013140000-0x0000000013C7D000-memory.dmp upx behavioral1/memory/2616-167-0x0000000013140000-0x0000000013C7D000-memory.dmp upx behavioral1/memory/2616-168-0x0000000013140000-0x0000000013C7D000-memory.dmp upx behavioral1/memory/3284-173-0x0000000013140000-0x0000000013C7D000-memory.dmp upx behavioral1/memory/3284-174-0x0000000013140000-0x0000000013C7D000-memory.dmp upx -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
winrar-x64-611.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation winrar-x64-611.exe -
Loads dropped DLL 2 IoCs
Processes:
taskmgr.exepid process 2088 4320 taskmgr.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 96 freegeoip.app -
Drops file in Program Files directory 64 IoCs
Processes:
winrar-x64-611.exeelevation_service.exeuninstall.exedescription ioc process File created C:\Program Files\WinRAR\RarExtPackage.msix winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Resources.pri winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png winrar-x64-611.exe File created C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1004_1292279309\ChromeRecovery.exe elevation_service.exe File opened for modification C:\Program Files\WinRAR\ReadMe.txt winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\RarFiles.lst winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\UnRAR.exe winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Rar.txt winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\RarExt32.dll winrar-x64-611.exe File created C:\Program Files\WinRAR\ReadMe.txt winrar-x64-611.exe File created C:\Program Files\WinRAR\WinCon64.SFX winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\WinRAR.exe winrar-x64-611.exe File created C:\Program Files\WinRAR\7zxa.dll winrar-x64-611.exe File opened for modification C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1004_1292279309\manifest.json elevation_service.exe File created C:\Program Files\WinRAR\RarFiles.lst winrar-x64-611.exe File created C:\Program Files\WinRAR\rarnew.dat uninstall.exe File created C:\Program Files\WinRAR\Zip64.SFX winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\7zxa.dll winrar-x64-611.exe File created C:\Program Files\WinRAR\Zip.SFX winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Zip.SFX winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\WinCon.SFX winrar-x64-611.exe File created C:\Program Files\WinRAR\WinRAR.chm winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Order.htm winrar-x64-611.exe File created C:\Program Files\WinRAR\Uninstall.lst winrar-x64-611.exe File created C:\Program Files\WinRAR\Rar.exe winrar-x64-611.exe File created C:\Program Files\WinRAR\Rar.txt winrar-x64-611.exe File created C:\Program Files\WinRAR\RarExtInstaller.exe winrar-x64-611.exe File opened for modification C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1004_1292279309\ChromeRecovery.exe elevation_service.exe File created C:\Program Files\WinRAR\Descript.ion winrar-x64-611.exe File created C:\Program Files\WinRAR\WhatsNew.txt winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\RarExt.dll winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Uninstall.exe winrar-x64-611.exe File created C:\Program Files\WinRAR\RarExt32.dll winrar-x64-611.exe File opened for modification C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1004_1292279309\_metadata\verified_contents.json elevation_service.exe File opened for modification C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Uninstall.lst winrar-x64-611.exe File created C:\Program Files\WinRAR\UnRAR.exe winrar-x64-611.exe File created C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png winrar-x64-611.exe File created C:\Program Files\WinRAR\WinRAR.exe winrar-x64-611.exe File created C:\Program Files\WinRAR\RarExt.dll winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\RarExtPackage.msix winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Default64.SFX winrar-x64-611.exe File created C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR winrar-x64-611.exe File created C:\Program Files\WinRAR\Order.htm winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Rar.exe winrar-x64-611.exe File created C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1004_1292279309\manifest.json elevation_service.exe File created C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1004_1292279309\_metadata\verified_contents.json elevation_service.exe File created C:\Program Files\WinRAR\Default64.SFX winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\WinCon64.SFX winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Zip64.SFX winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\WinRAR.chm winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Descript.ion winrar-x64-611.exe File created C:\Program Files\WinRAR\License.txt winrar-x64-611.exe File created C:\Program Files\WinRAR\Uninstall.exe winrar-x64-611.exe File created C:\Program Files\WinRAR\Default.SFX winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Default.SFX winrar-x64-611.exe File created C:\Program Files\WinRAR\WinCon.SFX winrar-x64-611.exe File created C:\Program Files\WinRAR\zipnew.dat uninstall.exe File opened for modification C:\Program Files\WinRAR\License.txt winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\WhatsNew.txt winrar-x64-611.exe File created C:\Program Files\WinRAR\Resources.pri winrar-x64-611.exe File created C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1004_1292279309\ChromeRecoveryCRX.crx elevation_service.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
chrome.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe -
Processes:
WinRAR.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch WinRAR.exe Set value (str) \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" WinRAR.exe Key created \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Internet Explorer\IESettingSync WinRAR.exe Set value (int) \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" WinRAR.exe -
Modifies registry class 64 IoCs
Processes:
uninstall.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r25\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.uue\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r26 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.zip uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r13 uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r06\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r20 uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r23 uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.z uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.lha\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r14\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r15 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r18\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r03\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r21 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.taz\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.tgz\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r01 uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r10\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r23\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.zst\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\"" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r08 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r20\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ = "WinRAR.ZIP" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r01\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r16 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r28\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.zipx\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r07 uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r19 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext32.dll" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ uninstall.exe Key created \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r05\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r12 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r13\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.xxe uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.taz uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.001 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ = "WinRAR" uninstall.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exetaskmgr.exechrome.exepid process 1292 chrome.exe 1292 chrome.exe 5104 chrome.exe 5104 chrome.exe 984 chrome.exe 984 chrome.exe 3612 chrome.exe 3612 chrome.exe 4632 chrome.exe 4632 chrome.exe 376 chrome.exe 376 chrome.exe 1528 chrome.exe 1528 chrome.exe 3624 chrome.exe 3624 chrome.exe 4632 chrome.exe 4632 chrome.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4244 chrome.exe 4244 chrome.exe 4244 chrome.exe 4244 chrome.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
WinRAR.exetaskmgr.exepid process 3612 WinRAR.exe 4320 taskmgr.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
Processes:
chrome.exepid process 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe -
Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes:
taskmgr.exesvchost.exedescription pid process Token: SeDebugPrivilege 4320 taskmgr.exe Token: SeSystemProfilePrivilege 4320 taskmgr.exe Token: SeCreateGlobalPrivilege 4320 taskmgr.exe Token: SeSecurityPrivilege 4320 taskmgr.exe Token: SeTakeOwnershipPrivilege 4320 taskmgr.exe Token: SeBackupPrivilege 4088 svchost.exe Token: SeRestorePrivilege 4088 svchost.exe Token: SeSecurityPrivilege 4088 svchost.exe Token: SeTakeOwnershipPrivilege 4088 svchost.exe Token: 35 4088 svchost.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
chrome.exeWinRAR.exetaskmgr.exepid process 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 3612 WinRAR.exe 3612 WinRAR.exe 3612 WinRAR.exe 3612 WinRAR.exe 3612 WinRAR.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
chrome.exetaskmgr.exepid process 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 5104 chrome.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe 4320 taskmgr.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
winrar-x64-611.exeuninstall.exeWinRAR.exepid process 1108 winrar-x64-611.exe 1108 winrar-x64-611.exe 1108 winrar-x64-611.exe 2712 uninstall.exe 3612 WinRAR.exe 3612 WinRAR.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
chrome.exedescription pid process target process PID 5104 wrote to memory of 1228 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 1228 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 2696 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 1292 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 1292 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 4592 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 4592 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 4592 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 4592 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 4592 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 4592 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 4592 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 4592 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 4592 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 4592 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 4592 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 4592 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 4592 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 4592 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 4592 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 4592 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 4592 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 4592 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 4592 5104 chrome.exe chrome.exe PID 5104 wrote to memory of 4592 5104 chrome.exe chrome.exe
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://rebrand.ly/dic-com_prob_antede_pago00021⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdc81e4f50,0x7ffdc81e4f60,0x7ffdc81e4f702⤵PID:1228
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1636,11241488442710396042,3416406297532686380,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1624 /prefetch:22⤵PID:2696
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1636,11241488442710396042,3416406297532686380,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2012 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1292 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1636,11241488442710396042,3416406297532686380,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2288 /prefetch:82⤵PID:4592
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11241488442710396042,3416406297532686380,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2448 /prefetch:12⤵PID:1492
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11241488442710396042,3416406297532686380,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3060 /prefetch:12⤵PID:904
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11241488442710396042,3416406297532686380,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4336 /prefetch:82⤵PID:1108
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1636,11241488442710396042,3416406297532686380,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4912 /prefetch:82⤵PID:3520
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,11241488442710396042,3416406297532686380,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5344 /prefetch:82⤵PID:732
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1636,11241488442710396042,3416406297532686380,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3688 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:984 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,11241488442710396042,3416406297532686380,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3612 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11241488442710396042,3416406297532686380,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5504 /prefetch:82⤵PID:536
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,11241488442710396042,3416406297532686380,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5424 /prefetch:82⤵PID:4220
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11241488442710396042,3416406297532686380,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:12⤵PID:3228
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11241488442710396042,3416406297532686380,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:12⤵PID:2264
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11241488442710396042,3416406297532686380,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5764 /prefetch:82⤵PID:376
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,11241488442710396042,3416406297532686380,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4632 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11241488442710396042,3416406297532686380,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:12⤵PID:764
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11241488442710396042,3416406297532686380,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5456 /prefetch:82⤵PID:1940
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11241488442710396042,3416406297532686380,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5744 /prefetch:82⤵PID:3956
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11241488442710396042,3416406297532686380,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:12⤵PID:2132
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11241488442710396042,3416406297532686380,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3060 /prefetch:12⤵PID:3720
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11241488442710396042,3416406297532686380,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:12⤵PID:2468
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11241488442710396042,3416406297532686380,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:12⤵PID:764
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11241488442710396042,3416406297532686380,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:12⤵PID:1464
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11241488442710396042,3416406297532686380,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:12⤵PID:3336
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,11241488442710396042,3416406297532686380,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2384 /prefetch:82⤵PID:4632
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,11241488442710396042,3416406297532686380,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2428 /prefetch:82⤵PID:2812
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1636,11241488442710396042,3416406297532686380,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3192 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:376 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,11241488442710396042,3416406297532686380,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6224 /prefetch:82⤵PID:2484
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,11241488442710396042,3416406297532686380,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2436 /prefetch:82⤵PID:4684
-
C:\Users\Admin\Downloads\winrar-x64-611.exe"C:\Users\Admin\Downloads\winrar-x64-611.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1108 -
C:\Program Files\WinRAR\uninstall.exe"C:\Program Files\WinRAR\uninstall.exe" /setup3⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2712 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,11241488442710396042,3416406297532686380,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1528 -
C:\Program Files\WinRAR\WinRAR.exe"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\COMPROBANTE DE PAGO_N29.rar"2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3612 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11241488442710396042,3416406297532686380,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:82⤵PID:5108
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,11241488442710396042,3416406297532686380,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1128 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3624 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,11241488442710396042,3416406297532686380,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4320 /prefetch:82⤵PID:3704
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,11241488442710396042,3416406297532686380,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4632 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,11241488442710396042,3416406297532686380,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4328 /prefetch:82⤵PID:2408
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1636,11241488442710396042,3416406297532686380,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4684 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:4244 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,11241488442710396042,3416406297532686380,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4664 /prefetch:82⤵PID:4032
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,11241488442710396042,3416406297532686380,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1736 /prefetch:82⤵PID:936
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4180
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2400
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"1⤵
- Drops file in Program Files directory
PID:1004 -
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1004_1292279309\ChromeRecovery.exe"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1004_1292279309\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={1c5a879e-fe39-4b09-9b93-b36e4cc5949d} --system2⤵
- Executes dropped EXE
PID:1688
-
C:\Users\Admin\Desktop\COMPROBANTE DE PAGO_N29.exe"C:\Users\Admin\Desktop\COMPROBANTE DE PAGO_N29.exe"1⤵
- Executes dropped EXE
PID:2556 -
C:\windows\SysWOW64\msinfo32.exeC:\windows\syswow64\msinfo32.exe2⤵PID:2616
-
C:\Users\Admin\Desktop\COMPROBANTE DE PAGO_N29.exe"C:\Users\Admin\Desktop\COMPROBANTE DE PAGO_N29.exe"1⤵
- Executes dropped EXE
PID:320 -
C:\windows\SysWOW64\msinfo32.exeC:\windows\syswow64\msinfo32.exe2⤵PID:3284
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4320
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SDRSVC1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4088
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1004_1292279309\ChromeRecovery.exeFilesize
253KB
MD549ac3c96d270702a27b4895e4ce1f42a
SHA155b90405f1e1b72143c64113e8bc65608dd3fd76
SHA25682aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f
SHA512b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0
-
C:\Program Files\WinRAR\Rar.txtFilesize
107KB
MD58933d6e810668af29d7ba8f1c3b2b9ff
SHA1760cbb236c4ca6e0003582aaefd72ff8b1c872aa
SHA256cd3ba458c88bdf8924ebb404c8505d627e6ac7aadc6e351562c1894019604fc7
SHA512344d737228483add83d5f2b31ae9582ca78013dc4be967f2cdafca24145970e3cb46d75373996150a3c9119ebc81ce9ac50e16696c17a4dea65c9571ef8e745e
-
C:\Program Files\WinRAR\RarExt.dllFilesize
632KB
MD5650a771d005941c7a23926011d75ad8f
SHA184b346acd006f21d7ffb8d5ea5937ec0ee3daa4f
SHA256b28d116dd3066e7a3c9f0cc2f63d34a7189c9d78e869d1255c9dec59172a9d5f
SHA5124724bd81c26716f0ad59187c78fbb920fd8b251540e76c28d93e0afcce3ebe0e3e2b4605e9d444bbbc3e828ce11f2b73489404318ab11403eff94b42ef2c9bad
-
C:\Program Files\WinRAR\RarExt.dllFilesize
632KB
MD5650a771d005941c7a23926011d75ad8f
SHA184b346acd006f21d7ffb8d5ea5937ec0ee3daa4f
SHA256b28d116dd3066e7a3c9f0cc2f63d34a7189c9d78e869d1255c9dec59172a9d5f
SHA5124724bd81c26716f0ad59187c78fbb920fd8b251540e76c28d93e0afcce3ebe0e3e2b4605e9d444bbbc3e828ce11f2b73489404318ab11403eff94b42ef2c9bad
-
C:\Program Files\WinRAR\Uninstall.exeFilesize
412KB
MD592667e28583a9489e3cf4f1a7fd6636e
SHA1faa09990ba4daae970038ed44e3841151d6e7f28
SHA2569147293554ad43920bcf763ffd6e1183c36b9f8156dc220548426a187a5f2959
SHA51263555a15f153df59b2ca2ab56cd20d71420eb5c9977bcf774723d8484157172b027f71fb2f7a4692aecc6e471f50beec2e0f7a43e57449714caede1e9684c0b8
-
C:\Program Files\WinRAR\WhatsNew.txtFilesize
95KB
MD5d4c768c52ee077eb09bac094f4af8310
SHA1c56ae6b4464799fcdc87c5ff5a49ac1ad43482b1
SHA2568089dfbebdf2142c7f60f5c12098859417b3c997f0b24b696ccaa78a50f3726c
SHA5125b794b19b5ff10f7356a46f02204d0df3183037bc89d32e3f2c2978ea8f90ac6367fcb225b476cb7c8a3035d82ca1e328791271d3a58b40b9759d4b65e83f847
-
C:\Program Files\WinRAR\WinRAR.chmFilesize
314KB
MD581b236ef16aaa6a3936fd449b12b82a2
SHA1698acb3c862c7f3ecf94971e4276e531914e67bc
SHA256d37819e64ecb61709fcf3435eb9bed790f75163057e36fb94a3465ca353ccc5e
SHA512968fe20d6fe6879939297b8683da1520a1e0d2b9a5107451fca70b91802492e243976f56090c85eb9f38fca8f74134b8b6aa133ba2e2806d763c9f8516ace769
-
C:\Program Files\WinRAR\WinRAR.exeFilesize
2.3MB
MD50b114fc0f4b6d49f57b3b01dd9ea6a8c
SHA123e1480c3ff3a54e712d759e9325d362bf52fabd
SHA256f0f312fe14599d7379aa247c1d0cc6100db45bfe7f277113134a8157950bcacd
SHA512e31c3a3da5e72a9d72e245d6e5dcc7c92e4cfcbb6bdbb61061e0586e29f77e8b42a81a0bba99ce45e148a2423907878fb858c40cc1008ef9d90fb8e4e2fcd573
-
C:\Program Files\WinRAR\WinRAR.exeFilesize
2.3MB
MD50b114fc0f4b6d49f57b3b01dd9ea6a8c
SHA123e1480c3ff3a54e712d759e9325d362bf52fabd
SHA256f0f312fe14599d7379aa247c1d0cc6100db45bfe7f277113134a8157950bcacd
SHA512e31c3a3da5e72a9d72e245d6e5dcc7c92e4cfcbb6bdbb61061e0586e29f77e8b42a81a0bba99ce45e148a2423907878fb858c40cc1008ef9d90fb8e4e2fcd573
-
C:\Program Files\WinRAR\rarext.dllFilesize
632KB
MD5650a771d005941c7a23926011d75ad8f
SHA184b346acd006f21d7ffb8d5ea5937ec0ee3daa4f
SHA256b28d116dd3066e7a3c9f0cc2f63d34a7189c9d78e869d1255c9dec59172a9d5f
SHA5124724bd81c26716f0ad59187c78fbb920fd8b251540e76c28d93e0afcce3ebe0e3e2b4605e9d444bbbc3e828ce11f2b73489404318ab11403eff94b42ef2c9bad
-
C:\Program Files\WinRAR\uninstall.exeFilesize
412KB
MD592667e28583a9489e3cf4f1a7fd6636e
SHA1faa09990ba4daae970038ed44e3841151d6e7f28
SHA2569147293554ad43920bcf763ffd6e1183c36b9f8156dc220548426a187a5f2959
SHA51263555a15f153df59b2ca2ab56cd20d71420eb5c9977bcf774723d8484157172b027f71fb2f7a4692aecc6e471f50beec2e0f7a43e57449714caede1e9684c0b8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
1KB
MD50788710dc9a96ecafdf77c90b375fb72
SHA14c0dbc98b56a627853852855a4e8cb34f4cca86a
SHA256c841215ada1e504a8168b9567fec40e84fbae12c6b63305f3eeb0b86af23763d
SHA512d18e8f892efd12e2f8b871c7f33343413cf78d73f5dfc503b221c71896a641924fe5ff390ef6e7145399a2746b4fc758991efa95c7cc25f40ece84132084e2ed
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBAFilesize
724B
MD55a11c6099b9e5808dfb08c5c9570c92f
SHA1e5dc219641146d1839557973f348037fa589fd18
SHA25691291a5edc4e10a225d3c23265d236ecc74473d9893be5bd07e202d95b3fb172
SHA512c2435b6619464a14c65ab116ab83a6e0568bdf7abc5e5a5e19f3deaf56c70a46360965da8b60e1256e9c8656aef9751adb9e762731bb8dbab145f1c8224ac8f9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
410B
MD5e806ea352707da3f290e20b967adfd9c
SHA11fe01be5b9fbf7e25d86927a441adf99c43d6bad
SHA2561c112749a48a84c23a0d43a68b4ea24cedd79b064f395704e5692b18048d0eb9
SHA512110293f52e5fb70aae4c8c0ead893c478ef10feab3a4d4f7bdf2e8eb8bc201dc8c16c5cca53fcd82e6f9d39dea6361319e963519ee5e0b200d70ee759d0ec5a3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBAFilesize
392B
MD55d4d6b77dbf42d0e341ec6aa21c52346
SHA1cc73fae1b530cc0deeb4a5b36894db3623998c88
SHA256e96d74adfeb17e4b3b7bb4914e58edab96cec2901e176e1c34d01a9f881b0bca
SHA5128c85133a89fe525e9093ce7b284441a28e9f505f75a9b52be9ea319cd2e083ebffbacecd91fc52a157ce72904d79be972db2b40e4c87bef67af75ea5abf6be82
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3Filesize
141KB
MD5ea1c1ffd3ea54d1fb117bfdbb3569c60
SHA110958b0f690ae8f5240e1528b1ccffff28a33272
SHA2567c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d
SHA5126c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\CachesMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\Desktop\COMPROBANTE DE PAGO_N29.exeFilesize
1.8MB
MD556f6526b103a3e8f3b4eed20fcf68084
SHA1a7e85acb13f922ba787bb8df35f8090a6789cd9b
SHA256f742a398eb7d3f6af2dc30e67e9d163224e98d437bdf91fb15bb76d40bf36956
SHA512fcbe900fe2cad6fd2f7b4faa39711d0cfb41fdaa9f9b39c9dfc0f84c39e3f87c4f14100344d7639d2f112be8d530839e6ccc209339890599426b820adcbb4ff4
-
C:\Users\Admin\Desktop\COMPROBANTE DE PAGO_N29.exeFilesize
1.8MB
MD556f6526b103a3e8f3b4eed20fcf68084
SHA1a7e85acb13f922ba787bb8df35f8090a6789cd9b
SHA256f742a398eb7d3f6af2dc30e67e9d163224e98d437bdf91fb15bb76d40bf36956
SHA512fcbe900fe2cad6fd2f7b4faa39711d0cfb41fdaa9f9b39c9dfc0f84c39e3f87c4f14100344d7639d2f112be8d530839e6ccc209339890599426b820adcbb4ff4
-
C:\Users\Admin\Desktop\COMPROBANTE DE PAGO_N29.exeFilesize
1.8MB
MD556f6526b103a3e8f3b4eed20fcf68084
SHA1a7e85acb13f922ba787bb8df35f8090a6789cd9b
SHA256f742a398eb7d3f6af2dc30e67e9d163224e98d437bdf91fb15bb76d40bf36956
SHA512fcbe900fe2cad6fd2f7b4faa39711d0cfb41fdaa9f9b39c9dfc0f84c39e3f87c4f14100344d7639d2f112be8d530839e6ccc209339890599426b820adcbb4ff4
-
C:\Users\Admin\Downloads\COMPROBANTE DE PAGO_N29.rarFilesize
912KB
MD5dd9e17aea7e162b644b201851a05407b
SHA1f9a2ce1058a7f183b8401efba655e43b19a48c31
SHA2561c4f53eec29c08286d592dba2b78153719d2b33ae8c4b65bdd7bb1b00de38bb4
SHA5125422c7bdc3c19a651326f78541a02891d1607347efd1f34334e33d163342965c15b021a75f7e6d2236f7488cae49a7f33a779cd4d9e09f0295f164f7c84fc831
-
C:\Users\Admin\Downloads\winrar-x64-611.exeFilesize
3.3MB
MD58a6217d94e1bcbabdd1dfcdcaa83d1b3
SHA199b81b01f277540f38ea3e96c9c6dc2a57dfeb92
SHA2563023edb4fc3f7c2ebad157b182b62848423f6fa20d180b0df689cbb503a49684
SHA512a8f6f6fdfa9d754a577b7dd885a938fb9149f113baa2afb6352df622cdb73242175a06cd567e971fd3de93a126ba05b78178d5d512720d8fdb87ececce2cbf54
-
C:\Users\Admin\Downloads\winrar-x64-611.exeFilesize
3.3MB
MD58a6217d94e1bcbabdd1dfcdcaa83d1b3
SHA199b81b01f277540f38ea3e96c9c6dc2a57dfeb92
SHA2563023edb4fc3f7c2ebad157b182b62848423f6fa20d180b0df689cbb503a49684
SHA512a8f6f6fdfa9d754a577b7dd885a938fb9149f113baa2afb6352df622cdb73242175a06cd567e971fd3de93a126ba05b78178d5d512720d8fdb87ececce2cbf54
-
\??\pipe\crashpad_5104_DWCCMSFANFQTHHUSMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1108-133-0x0000000000000000-mapping.dmp
-
memory/1688-151-0x0000000000000000-mapping.dmp
-
memory/2616-165-0x0000000013140000-0x0000000013C7D000-memory.dmpFilesize
11.2MB
-
memory/2616-163-0x0000000000000000-mapping.dmp
-
memory/2616-164-0x0000000013140000-0x0000000013C7D000-memory.dmpFilesize
11.2MB
-
memory/2616-166-0x0000000013140000-0x0000000013C7D000-memory.dmpFilesize
11.2MB
-
memory/2616-167-0x0000000013140000-0x0000000013C7D000-memory.dmpFilesize
11.2MB
-
memory/2616-168-0x0000000013140000-0x0000000013C7D000-memory.dmpFilesize
11.2MB
-
memory/2712-137-0x0000000000000000-mapping.dmp
-
memory/3284-169-0x0000000000000000-mapping.dmp
-
memory/3284-173-0x0000000013140000-0x0000000013C7D000-memory.dmpFilesize
11.2MB
-
memory/3284-174-0x0000000013140000-0x0000000013C7D000-memory.dmpFilesize
11.2MB
-
memory/3612-145-0x0000000000000000-mapping.dmp