hxxp://microsoft-word[.]ru

Analysis

max time kernel
1183s
max time network
1198s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
14/10/2022, 09:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://microsoft-word.ru

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2884	Office-2019-Word-Excel-Powerpoint (2).exe
2244	7z.exe
2280	setup.exe
1644	ChromeRecovery.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation	setup.exe

Loads dropped DLL 4 IoCs

pid	Process
2468	WScript.exe
2468	WScript.exe
2244	7z.exe
2992	mshta.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir968_478857915\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir968_478857915\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir968_478857915\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir968_478857915\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir968_478857915\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir968_478857915\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir968_478857915\ChromeRecovery.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	setup.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	setup.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
584	chrome.exe
368	chrome.exe
368	chrome.exe
2632	chrome.exe
2640	chrome.exe
368	chrome.exe
368	chrome.exe
2700	chrome.exe
2776	chrome.exe
1836	chrome.exe
3004	chrome.exe
2132	chrome.exe
2716	powershell.exe
2776	powershell.exe
1616	chrome.exe
1228	chrome.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeRestorePrivilege	2244	7z.exe
Token: 35	2244	7z.exe
Token: SeSecurityPrivilege	2244	7z.exe
Token: SeSecurityPrivilege	2244	7z.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: 33	1268	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1268	AUDIODG.EXE
Token: 33	1268	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1268	AUDIODG.EXE
Token: SeRestorePrivilege	1628	7zG.exe
Token: 35	1628	7zG.exe
Token: SeSecurityPrivilege	1628	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2280	setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 1124	368	chrome.exe	27
PID 368 wrote to memory of 1124	368	chrome.exe	27
PID 368 wrote to memory of 1124	368	chrome.exe	27
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 1956	368	chrome.exe	28
PID 368 wrote to memory of 584	368	chrome.exe	29
PID 368 wrote to memory of 584	368	chrome.exe	29
PID 368 wrote to memory of 584	368	chrome.exe	29
PID 368 wrote to memory of 1156	368	chrome.exe	30
PID 368 wrote to memory of 1156	368	chrome.exe	30
PID 368 wrote to memory of 1156	368	chrome.exe	30
PID 368 wrote to memory of 1156	368	chrome.exe	30
PID 368 wrote to memory of 1156	368	chrome.exe	30
PID 368 wrote to memory of 1156	368	chrome.exe	30
PID 368 wrote to memory of 1156	368	chrome.exe	30
PID 368 wrote to memory of 1156	368	chrome.exe	30
PID 368 wrote to memory of 1156	368	chrome.exe	30
PID 368 wrote to memory of 1156	368	chrome.exe	30
PID 368 wrote to memory of 1156	368	chrome.exe	30
PID 368 wrote to memory of 1156	368	chrome.exe	30
PID 368 wrote to memory of 1156	368	chrome.exe	30
PID 368 wrote to memory of 1156	368	chrome.exe	30
PID 368 wrote to memory of 1156	368	chrome.exe	30
PID 368 wrote to memory of 1156	368	chrome.exe	30
PID 368 wrote to memory of 1156	368	chrome.exe	30

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" http://microsoft-word.ru
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7264f50,0x7fef7264f60,0x7fef7264f70
  2⤵
  PID:1124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1072 /prefetch:2
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1408 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1760 /prefetch:8
  2⤵
  PID:1156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2068 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2044 /prefetch:1
  2⤵
  PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3292 /prefetch:2
  2⤵
  PID:696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1352 /prefetch:8
  2⤵
  PID:1604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1
  2⤵
  PID:1604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2456 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
  2⤵
  PID:2096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
  2⤵
  PID:2180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
  2⤵
  PID:2240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
  2⤵
  PID:2368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5128 /prefetch:8
  2⤵
  PID:2428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5112 /prefetch:8
  2⤵
  PID:2436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  PID:2452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5096 /prefetch:8
  2⤵
  PID:2444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5092 /prefetch:8
  2⤵
  PID:2576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5604 /prefetch:8
  2⤵
  PID:2764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  PID:2748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5104 /prefetch:8
  2⤵
  PID:2740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
  2⤵
  PID:1060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2684 /prefetch:1
  2⤵
  PID:840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  PID:112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5112 /prefetch:8
  2⤵
  PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
  2⤵
  PID:636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2724 /prefetch:1
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2536 /prefetch:8
  2⤵
  PID:2288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2620 /prefetch:8
  2⤵
  PID:2292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2800 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2608 /prefetch:8
  2⤵
  PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5364 /prefetch:8
  2⤵
  PID:2528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2752 /prefetch:8
  2⤵
  PID:2604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  PID:2600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5684 /prefetch:8
  2⤵
  PID:2764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:2648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2732 /prefetch:8
  2⤵
  PID:2896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2596 /prefetch:8
  2⤵
  PID:2880
- C:\Users\Admin\Downloads\Office-2019-Word-Excel-Powerpoint (2).exe
  "C:\Users\Admin\Downloads\Office-2019-Word-Excel-Powerpoint (2).exe"
  2⤵
  - Executes dropped EXE
  PID:2884
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.hta"
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    PID:2992
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rearh.vbs"
      4⤵
      Loads dropped DLL
      PID:2468
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe" x down.7z -p123 -aoa
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Checks processor information in registry
      Enumerates system info in registry
      Modifies system certificate store
      Suspicious use of SetWindowsHookEx
      PID:2280
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2556 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2600 /prefetch:8
  2⤵
  PID:532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5832 /prefetch:8
  2⤵
  PID:2380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4380 /prefetch:8
  2⤵
  PID:1636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4388 /prefetch:8
  2⤵
  PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4440 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5680 /prefetch:8
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2672 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
  2⤵
  PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8
  2⤵
  PID:1548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2184 /prefetch:8
  2⤵
  PID:2716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4568 /prefetch:8
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4156 /prefetch:8
  2⤵
  PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3356 /prefetch:8
  2⤵
  PID:2256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4296 /prefetch:8
  2⤵
  PID:2512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5780 /prefetch:8
  2⤵
  PID:1996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4936 /prefetch:8
  2⤵
  PID:1712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=852 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2392 /prefetch:1
  2⤵
  PID:2604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
  2⤵
  PID:2812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4276 /prefetch:1
  2⤵
  PID:2712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2392 /prefetch:8
  2⤵
  PID:2800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4568 /prefetch:8
  2⤵
  PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1252 /prefetch:8
  2⤵
  PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3636 /prefetch:8
  2⤵
  PID:2576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1060,5870310308541797137,9732523859494963791,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4312 /prefetch:8
  2⤵
  PID:1992

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2e8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" h -scrcSHA256 -i#7zMap16635:136:7zEvent4174
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:968
- C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir968_478857915\ChromeRecovery.exe
  "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir968_478857915\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={befa2411-d3f7-40d9-b4cc-d99c039632a2} --system
  2⤵
  - Executes dropped EXE
  PID:1644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe

Filesize
259KB

MD5
d4362817cac005dab473a27a6038dc80

SHA1
decee7d1a55b34974497958ec670a2388351010e

SHA256
9f0a1984aaf5a7e150d0201545f7a1125abee2f8a49b4a2526cd0e326880b702

SHA512
9703f35ad84e6b061aeb219abeac5d357197d99249f5ef83c25ec17816686dffebaf4d479e8c0793db79b4f8f84ed8d4075a128a7bacd816106b7884a522154d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe

Filesize
259KB

MD5
d4362817cac005dab473a27a6038dc80

SHA1
decee7d1a55b34974497958ec670a2388351010e

SHA256
9f0a1984aaf5a7e150d0201545f7a1125abee2f8a49b4a2526cd0e326880b702

SHA512
9703f35ad84e6b061aeb219abeac5d357197d99249f5ef83c25ec17816686dffebaf4d479e8c0793db79b4f8f84ed8d4075a128a7bacd816106b7884a522154d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\icon.ico

Filesize
227KB

MD5
6493b7fe33da27c1667114e6c0da8611

SHA1
e47cfbf1669093a2cc01e6a5ebe342ef8ce6fcde

SHA256
6162386bd8e8ef7afe542d7c1fbbeb8f40e8d827776846318ed0fe6c8b4596e4

SHA512
a644f859ccce1c9de6eb1db7bfed52e43bfa9010c1f35d2bc502f828961c7e09854808622d19c184b7f5b4f810ff7bf20d2fadc6d19bcefdb67cab9d76f36102

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\img\checkbox-on.png

Filesize
322B

MD5
ea20e46198c3ca6626eec3fa37d6b824

SHA1
921634f8d376ba02447cc4e42a96b813f542978b

SHA256
153a80697e8f09e72e6bc44119972c270debda5d27f77aa9a9fc591f9c1f5314

SHA512
9455c771451943bd09f3d6263ddd8841df8b23fbd37d73ac9416f6c538503b0ecfd3c4d8ee82ad58ad5f080149c1d4ce2475a580d871b30d6f021c2027f491cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\img\logo-offer.png

Filesize
16KB

MD5
6da4b55735705fb3af4ffb43c27b198e

SHA1
e294bccd5d8c84f462cb66111c0665725ca308bb

SHA256
4ffde006f415cfd2db1cac6ff5201c16a64d6b6093016ce5f38ba75eeab38fa4

SHA512
104cf7ba29ea3b8e4d62aa9069deffce76e15796bbb3926ec87899d95c3e0f0506a873a7d6053ddc60ddedf8e0d127b4ac71acad71f20ce9e7352e9ad91ce3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\img\master-logo.png

Filesize
19KB

MD5
c0cf9793239e50af68e8a7ffe8ea4b46

SHA1
6d14449aeca33b3049bdb8138f298cd56f0f3626

SHA256
7330029da2aad750624212d03b5131eeac7d009cd0aa46a26767c7012bcbaed7

SHA512
5207b12e029abdc2a3d9d66b49b11259cc346602e0fe07660b479129b1f293159a51d55543bee98d4014e2a1586d3599a44e0e91bb9f2f32d89e756e12825e59

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rearh.vbs

Filesize
199B

MD5
75c62279d60e70609183d5b30bfad773

SHA1
f1b563e1373fa4f3b7afb851cda0a0556ea7852b

SHA256
ef6f13313adb466d447336f492e8d16ce9e38ff3dfad589c6ae47fb39010c373

SHA512
fa3d08909f36e46d1b1d7cd3b36907c668dda42f6467d2d3af265cf5aa0a7b8acb4dac4a5f3ce1dd4bc5343a03a8c71414c355084f15b18f538655cadff4a6f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.hta

Filesize
3KB

MD5
1ac2937b34ae58451284b2ce968b691f

SHA1
df296fc5df4a1a3d75a8e0dbbc1a947e77a57ab0

SHA256
1f8ba352a66f321c3216177e1adc60989b15b7a3d866c20f602aacf076bcee1b

SHA512
91ae4de133fa98b9e5e452762a1eea2f9e4b934c00a8ca9454a321a8dc70eac7d20b8a250c0fd403f1b03efcb8cbd73090b0c41fdce6a90f75f2bd00310f27d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ya-page.html

Filesize
15KB

MD5
e77579fec46c697f43dd91b19e1a90c0

SHA1
fe25e46f892b7d00870eedd2a456be1586dd3cf2

SHA256
18327b81e8961ed2376ff22c1ce5006d9fcb3d7d2b0ccd1656459be122e61010

SHA512
9796629cb38aa0f1ed56ecc538b9ad2754d017f74dceb29eb27a13261d9c3b8231df8ecaf3e2851ac81ccfa8716a8417bb308512e25b2d06faf2feed501b3f8d

Download Submit
C:\Users\Admin\Downloads\Office-2019-Word-Excel-Powerpoint (2).exe

Filesize
9.6MB

MD5
69851e18392c229e6076bfba29d4187b

SHA1
4489d97ad89cd34d13ff75aa9930c80f31e2db33

SHA256
b3ba9c8f2b2f12ac8b6434b18fc9a4824fd3988ec9a88623db11428059e373ac

SHA512
e87cdd15c8d5da14b663b2a2057a0f8027dd77eb8631bdb0681bd45f2352c4654523570d5acb078a4ea50f651478eed1bc397c7e2b18773cc8776d2f5b170ebe

Download Submit
C:\Users\Admin\Downloads\Office-2019-Word-Excel-Powerpoint (2).exe

Filesize
9.6MB

MD5
69851e18392c229e6076bfba29d4187b

SHA1
4489d97ad89cd34d13ff75aa9930c80f31e2db33

SHA256
b3ba9c8f2b2f12ac8b6434b18fc9a4824fd3988ec9a88623db11428059e373ac

SHA512
e87cdd15c8d5da14b663b2a2057a0f8027dd77eb8631bdb0681bd45f2352c4654523570d5acb078a4ea50f651478eed1bc397c7e2b18773cc8776d2f5b170ebe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe

Filesize
259KB

MD5
d4362817cac005dab473a27a6038dc80

SHA1
decee7d1a55b34974497958ec670a2388351010e

SHA256
9f0a1984aaf5a7e150d0201545f7a1125abee2f8a49b4a2526cd0e326880b702

SHA512
9703f35ad84e6b061aeb219abeac5d357197d99249f5ef83c25ec17816686dffebaf4d479e8c0793db79b4f8f84ed8d4075a128a7bacd816106b7884a522154d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe

Filesize
259KB

MD5
d4362817cac005dab473a27a6038dc80

SHA1
decee7d1a55b34974497958ec670a2388351010e

SHA256
9f0a1984aaf5a7e150d0201545f7a1125abee2f8a49b4a2526cd0e326880b702

SHA512
9703f35ad84e6b061aeb219abeac5d357197d99249f5ef83c25ec17816686dffebaf4d479e8c0793db79b4f8f84ed8d4075a128a7bacd816106b7884a522154d

Download Submit
memory/1628-84-0x000007FEFC341000-0x000007FEFC343000-memory.dmp

Filesize
8KB

Download
memory/2716-79-0x0000000072FC0000-0x000000007356B000-memory.dmp

Filesize
5.7MB

Download
memory/2716-78-0x0000000072FC0000-0x000000007356B000-memory.dmp

Filesize
5.7MB

Download
memory/2776-82-0x0000000072800000-0x0000000072DAB000-memory.dmp

Filesize
5.7MB

Download
memory/2776-83-0x0000000072800000-0x0000000072DAB000-memory.dmp

Filesize
5.7MB

Download
memory/2884-57-0x0000000076401000-0x0000000076403000-memory.dmp

Filesize
8KB

Download