crimsonrat | hxxps://www[.]mediafire[.]com/file/ilpe5kavsmnv81o/Anti-Scammer+Toolset[.]zip

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Control Panel\International\Geo\Nation	WarzoneRAT.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe	NJRat.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe	NJRat.exe

Executes dropped EXE 6 IoCs

pid	Process
5288	WindowsUpdate.exe
2144	WinNuke.98.exe
4440	NJRat.exe
5364	CrimsonRAT.exe
5064	dlrarhsiva.exe
1156	WarzoneRAT.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .."	NJRat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .."	NJRat.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1156 set thread context of 4072	1156	WarzoneRAT.exe	182

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
4428	schtasks.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133327433656251499"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1080	WINWORD.EXE
1080	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2440	chrome.exe
2440	chrome.exe
5288	WindowsUpdate.exe
5288	WindowsUpdate.exe
6116	chrome.exe
6116	chrome.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe
4440	NJRat.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 29 IoCs

pid	Process
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeCreatePagefilePrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeCreatePagefilePrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeCreatePagefilePrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeCreatePagefilePrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeCreatePagefilePrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeCreatePagefilePrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeCreatePagefilePrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeCreatePagefilePrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeCreatePagefilePrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeCreatePagefilePrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeCreatePagefilePrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeCreatePagefilePrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeCreatePagefilePrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeCreatePagefilePrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeCreatePagefilePrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeCreatePagefilePrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeCreatePagefilePrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeCreatePagefilePrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeCreatePagefilePrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeCreatePagefilePrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeCreatePagefilePrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeCreatePagefilePrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeCreatePagefilePrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeCreatePagefilePrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeCreatePagefilePrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeCreatePagefilePrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeCreatePagefilePrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeCreatePagefilePrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeCreatePagefilePrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeCreatePagefilePrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeCreatePagefilePrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeCreatePagefilePrivilege	2440	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
5288	WindowsUpdate.exe
5288	WindowsUpdate.exe
5288	WindowsUpdate.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
5288	WindowsUpdate.exe
5288	WindowsUpdate.exe
5288	WindowsUpdate.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 4136	2440	chrome.exe	86
PID 2440 wrote to memory of 4136	2440	chrome.exe	86
PID 2440 wrote to memory of 2500	2440	chrome.exe	87
PID 2440 wrote to memory of 2500	2440	chrome.exe	87
PID 2440 wrote to memory of 2500	2440	chrome.exe	87
PID 2440 wrote to memory of 2500	2440	chrome.exe	87
PID 2440 wrote to memory of 2500	2440	chrome.exe	87
PID 2440 wrote to memory of 2500	2440	chrome.exe	87
PID 2440 wrote to memory of 2500	2440	chrome.exe	87
PID 2440 wrote to memory of 2500	2440	chrome.exe	87
PID 2440 wrote to memory of 2500	2440	chrome.exe	87
PID 2440 wrote to memory of 2500	2440	chrome.exe	87
PID 2440 wrote to memory of 2500	2440	chrome.exe	87
PID 2440 wrote to memory of 2500	2440	chrome.exe	87
PID 2440 wrote to memory of 2500	2440	chrome.exe	87
PID 2440 wrote to memory of 2500	2440	chrome.exe	87
PID 2440 wrote to memory of 2500	2440	chrome.exe	87
PID 2440 wrote to memory of 2500	2440	chrome.exe	87
PID 2440 wrote to memory of 2500	2440	chrome.exe	87
PID 2440 wrote to memory of 2500	2440	chrome.exe	87
PID 2440 wrote to memory of 2500	2440	chrome.exe	87
PID 2440 wrote to memory of 2500	2440	chrome.exe	87
PID 2440 wrote to memory of 2500	2440	chrome.exe	87
PID 2440 wrote to memory of 2500	2440	chrome.exe	87
PID 2440 wrote to memory of 2500	2440	chrome.exe	87
PID 2440 wrote to memory of 2500	2440	chrome.exe	87
PID 2440 wrote to memory of 2500	2440	chrome.exe	87
PID 2440 wrote to memory of 2500	2440	chrome.exe	87
PID 2440 wrote to memory of 2500	2440	chrome.exe	87
PID 2440 wrote to memory of 2500	2440	chrome.exe	87
PID 2440 wrote to memory of 2500	2440	chrome.exe	87
PID 2440 wrote to memory of 2500	2440	chrome.exe	87
PID 2440 wrote to memory of 2500	2440	chrome.exe	87
PID 2440 wrote to memory of 2500	2440	chrome.exe	87
PID 2440 wrote to memory of 2500	2440	chrome.exe	87
PID 2440 wrote to memory of 2500	2440	chrome.exe	87
PID 2440 wrote to memory of 2500	2440	chrome.exe	87
PID 2440 wrote to memory of 2500	2440	chrome.exe	87
PID 2440 wrote to memory of 2500	2440	chrome.exe	87
PID 2440 wrote to memory of 2500	2440	chrome.exe	87
PID 2440 wrote to memory of 2304	2440	chrome.exe	88
PID 2440 wrote to memory of 2304	2440	chrome.exe	88
PID 2440 wrote to memory of 4132	2440	chrome.exe	89
PID 2440 wrote to memory of 4132	2440	chrome.exe	89
PID 2440 wrote to memory of 4132	2440	chrome.exe	89
PID 2440 wrote to memory of 4132	2440	chrome.exe	89
PID 2440 wrote to memory of 4132	2440	chrome.exe	89
PID 2440 wrote to memory of 4132	2440	chrome.exe	89
PID 2440 wrote to memory of 4132	2440	chrome.exe	89
PID 2440 wrote to memory of 4132	2440	chrome.exe	89
PID 2440 wrote to memory of 4132	2440	chrome.exe	89
PID 2440 wrote to memory of 4132	2440	chrome.exe	89
PID 2440 wrote to memory of 4132	2440	chrome.exe	89
PID 2440 wrote to memory of 4132	2440	chrome.exe	89
PID 2440 wrote to memory of 4132	2440	chrome.exe	89
PID 2440 wrote to memory of 4132	2440	chrome.exe	89
PID 2440 wrote to memory of 4132	2440	chrome.exe	89
PID 2440 wrote to memory of 4132	2440	chrome.exe	89
PID 2440 wrote to memory of 4132	2440	chrome.exe	89
PID 2440 wrote to memory of 4132	2440	chrome.exe	89
PID 2440 wrote to memory of 4132	2440	chrome.exe	89
PID 2440 wrote to memory of 4132	2440	chrome.exe	89
PID 2440 wrote to memory of 4132	2440	chrome.exe	89
PID 2440 wrote to memory of 4132	2440	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://www.mediafire.com/file/ilpe5kavsmnv81o/Anti-Scammer+Toolset.zip
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff986aa9758,0x7ff986aa9768,0x7ff986aa9778
  2⤵
  PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:2
  2⤵
  PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:8
  2⤵
  PID:2304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1256 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:8
  2⤵
  PID:4132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3148 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:1
  2⤵
  PID:3604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3284 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:1
  2⤵
  PID:4312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4856 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:1
  2⤵
  PID:1084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=5140 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5208 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:1
  2⤵
  PID:1636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5380 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:1
  2⤵
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5376 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:1
  2⤵
  PID:1748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=6012 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=6124 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=6504 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:1
  2⤵
  PID:5316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=6484 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:1
  2⤵
  PID:5300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=6344 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:1
  2⤵
  PID:5292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=6828 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:1
  2⤵
  PID:5448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=6244 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:1
  2⤵
  PID:5652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7152 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:8
  2⤵
  PID:5828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7320 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:8
  2⤵
  PID:5840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:8
  2⤵
  PID:6040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=7332 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:1
  2⤵
  PID:5560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=6468 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:1
  2⤵
  PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=832 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:1
  2⤵
  PID:5980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=4348 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5788 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:8
  2⤵
  PID:984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=3372 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=7060 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:1
  2⤵
  PID:5632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=928 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5908 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:8
  2⤵
  PID:5464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4968 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:8
  2⤵
  PID:1056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5700 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:8
  2⤵
  PID:5476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:8
  2⤵
  PID:5928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5564 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:8
  2⤵
  PID:4348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5600 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:8
  2⤵
  PID:448
- C:\Users\Admin\Downloads\WindowsUpdate.exe
  "C:\Users\Admin\Downloads\WindowsUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=4708 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:1
  2⤵
  PID:2180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4856 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3424 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:8
  2⤵
  PID:1028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4724 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:8
  2⤵
  PID:5848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:8
  2⤵
  PID:380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5344 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:8
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5820 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:8
  2⤵
  PID:2076
- C:\Users\Admin\Downloads\WinNuke.98.exe
  "C:\Users\Admin\Downloads\WinNuke.98.exe"
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=6880 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:1
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=4688 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:1
  2⤵
  PID:5992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:8
  2⤵
  PID:2728
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\Melissa.doc" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=6056 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:1
  2⤵
  PID:5876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=2932 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:1
  2⤵
  PID:5900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=6316 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:1
  2⤵
  PID:1848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2800 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:8
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6376 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:8
  2⤵
  PID:1084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6376 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:8
  2⤵
  PID:5668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5596 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:8
  2⤵
  PID:5496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4652 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:8
  2⤵
  PID:2628
- C:\Users\Admin\Downloads\NJRat.exe
  "C:\Users\Admin\Downloads\NJRat.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:4440
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\Downloads\NJRat.exe" "NJRat.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=54 --mojo-platform-channel-handle=4924 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:1
  2⤵
  PID:720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6128 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:8
  2⤵
  PID:5972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6816 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:8
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:8
  2⤵
  PID:1552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6308 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:8
  2⤵
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5740 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:8
  2⤵
  PID:4308
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5364
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=60 --mojo-platform-channel-handle=4980 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:1
  2⤵
  PID:1160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5160 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:8
  2⤵
  PID:4144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5744 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:8
  2⤵
  PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7280 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:8
  2⤵
  PID:4100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5780 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:8
  2⤵
  PID:5756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2800 --field-trial-handle=1792,i,4293182219088140273,9745037051697261547,131072 /prefetch:8
  2⤵
  PID:2228
- C:\Users\Admin\Downloads\WarzoneRAT.exe
  "C:\Users\Admin\Downloads\WarzoneRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1156
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8212.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:4428
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4072

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

System Information Discovery