9f874d738291a1eb1e519f68a999d0e6b59dc57acc57d652447fbb3f695a222a

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2023, 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LOADER.rar
Size

9.9MB
MD5

53647cd383eccea76f4dc800fb51c722
SHA1

3ae7d6f2401da7addfc11dc479dc412ed83bc8b5
SHA256

9f874d738291a1eb1e519f68a999d0e6b59dc57acc57d652447fbb3f695a222a
SHA512

7176fb1299f26300e352807ae9b578868b2637616c401f0fdc849c78d753c2784c81a38d855b8122d6290ee4b4f4ee8ae7945a787193a3149b48494cb92c36c2
SSDEEP

196608:mzZzIuUK31VFpqi4q1t4R9Gsux765h9+eRXUfMHaGWsdgBbFMf3Nu:mzZzIuT3HFpj51o9nMuXTlBWBbFMf38

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2700	winrar-x64-624.exe
3860	winrar-x64-624.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133432242021596881"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2916	chrome.exe
2916	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4580	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
4580	OpenWith.exe
4580	OpenWith.exe
4580	OpenWith.exe
4580	OpenWith.exe
4580	OpenWith.exe
4580	OpenWith.exe
4580	OpenWith.exe
4580	OpenWith.exe
4580	OpenWith.exe
4580	OpenWith.exe
4580	OpenWith.exe
4580	OpenWith.exe
4580	OpenWith.exe
4580	OpenWith.exe
4580	OpenWith.exe
4580	OpenWith.exe
4580	OpenWith.exe
2700	winrar-x64-624.exe
2700	winrar-x64-624.exe
3860	winrar-x64-624.exe
3860	winrar-x64-624.exe
3860	winrar-x64-624.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 4956	2916	chrome.exe	95
PID 2916 wrote to memory of 4956	2916	chrome.exe	95
PID 2916 wrote to memory of 4852	2916	chrome.exe	100
PID 2916 wrote to memory of 4852	2916	chrome.exe	100
PID 2916 wrote to memory of 4852	2916	chrome.exe	100
PID 2916 wrote to memory of 4852	2916	chrome.exe	100
PID 2916 wrote to memory of 4852	2916	chrome.exe	100
PID 2916 wrote to memory of 4852	2916	chrome.exe	100
PID 2916 wrote to memory of 4852	2916	chrome.exe	100
PID 2916 wrote to memory of 4852	2916	chrome.exe	100
PID 2916 wrote to memory of 4852	2916	chrome.exe	100
PID 2916 wrote to memory of 4852	2916	chrome.exe	100
PID 2916 wrote to memory of 4852	2916	chrome.exe	100
PID 2916 wrote to memory of 4852	2916	chrome.exe	100
PID 2916 wrote to memory of 4852	2916	chrome.exe	100
PID 2916 wrote to memory of 4852	2916	chrome.exe	100
PID 2916 wrote to memory of 4852	2916	chrome.exe	100
PID 2916 wrote to memory of 4852	2916	chrome.exe	100
PID 2916 wrote to memory of 4852	2916	chrome.exe	100
PID 2916 wrote to memory of 4852	2916	chrome.exe	100
PID 2916 wrote to memory of 4852	2916	chrome.exe	100
PID 2916 wrote to memory of 4852	2916	chrome.exe	100
PID 2916 wrote to memory of 4852	2916	chrome.exe	100
PID 2916 wrote to memory of 4852	2916	chrome.exe	100
PID 2916 wrote to memory of 4852	2916	chrome.exe	100
PID 2916 wrote to memory of 4852	2916	chrome.exe	100
PID 2916 wrote to memory of 4852	2916	chrome.exe	100
PID 2916 wrote to memory of 4852	2916	chrome.exe	100
PID 2916 wrote to memory of 4852	2916	chrome.exe	100
PID 2916 wrote to memory of 4852	2916	chrome.exe	100
PID 2916 wrote to memory of 4852	2916	chrome.exe	100
PID 2916 wrote to memory of 4852	2916	chrome.exe	100
PID 2916 wrote to memory of 4852	2916	chrome.exe	100
PID 2916 wrote to memory of 4852	2916	chrome.exe	100
PID 2916 wrote to memory of 4852	2916	chrome.exe	100
PID 2916 wrote to memory of 4852	2916	chrome.exe	100
PID 2916 wrote to memory of 4852	2916	chrome.exe	100
PID 2916 wrote to memory of 4852	2916	chrome.exe	100
PID 2916 wrote to memory of 4852	2916	chrome.exe	100
PID 2916 wrote to memory of 4852	2916	chrome.exe	100
PID 2916 wrote to memory of 888	2916	chrome.exe	97
PID 2916 wrote to memory of 888	2916	chrome.exe	97
PID 2916 wrote to memory of 2484	2916	chrome.exe	98
PID 2916 wrote to memory of 2484	2916	chrome.exe	98
PID 2916 wrote to memory of 2484	2916	chrome.exe	98
PID 2916 wrote to memory of 2484	2916	chrome.exe	98
PID 2916 wrote to memory of 2484	2916	chrome.exe	98
PID 2916 wrote to memory of 2484	2916	chrome.exe	98
PID 2916 wrote to memory of 2484	2916	chrome.exe	98
PID 2916 wrote to memory of 2484	2916	chrome.exe	98
PID 2916 wrote to memory of 2484	2916	chrome.exe	98
PID 2916 wrote to memory of 2484	2916	chrome.exe	98
PID 2916 wrote to memory of 2484	2916	chrome.exe	98
PID 2916 wrote to memory of 2484	2916	chrome.exe	98
PID 2916 wrote to memory of 2484	2916	chrome.exe	98
PID 2916 wrote to memory of 2484	2916	chrome.exe	98
PID 2916 wrote to memory of 2484	2916	chrome.exe	98
PID 2916 wrote to memory of 2484	2916	chrome.exe	98
PID 2916 wrote to memory of 2484	2916	chrome.exe	98
PID 2916 wrote to memory of 2484	2916	chrome.exe	98
PID 2916 wrote to memory of 2484	2916	chrome.exe	98
PID 2916 wrote to memory of 2484	2916	chrome.exe	98
PID 2916 wrote to memory of 2484	2916	chrome.exe	98
PID 2916 wrote to memory of 2484	2916	chrome.exe	98

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\LOADER.rar
1⤵
- Modifies registry class
PID:4268

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffde3f29758,0x7ffde3f29768,0x7ffde3f29778
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1924 --field-trial-handle=1996,i,12455806704275893078,15550171697616070852,131072 /prefetch:8
  2⤵
  PID:888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2260 --field-trial-handle=1996,i,12455806704275893078,15550171697616070852,131072 /prefetch:8
  2⤵
  PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2968 --field-trial-handle=1996,i,12455806704275893078,15550171697616070852,131072 /prefetch:1
  2⤵
  PID:2536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=644 --field-trial-handle=1996,i,12455806704275893078,15550171697616070852,131072 /prefetch:2
  2⤵
  PID:4852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2976 --field-trial-handle=1996,i,12455806704275893078,15550171697616070852,131072 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4688 --field-trial-handle=1996,i,12455806704275893078,15550171697616070852,131072 /prefetch:8
  2⤵
  PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4808 --field-trial-handle=1996,i,12455806704275893078,15550171697616070852,131072 /prefetch:1
  2⤵
  PID:3500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4700 --field-trial-handle=1996,i,12455806704275893078,15550171697616070852,131072 /prefetch:8
  2⤵
  PID:3416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5092 --field-trial-handle=1996,i,12455806704275893078,15550171697616070852,131072 /prefetch:8
  2⤵
  PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5100 --field-trial-handle=1996,i,12455806704275893078,15550171697616070852,131072 /prefetch:8
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5252 --field-trial-handle=1996,i,12455806704275893078,15550171697616070852,131072 /prefetch:1
  2⤵
  PID:1336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5596 --field-trial-handle=1996,i,12455806704275893078,15550171697616070852,131072 /prefetch:8
  2⤵
  PID:352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5732 --field-trial-handle=1996,i,12455806704275893078,15550171697616070852,131072 /prefetch:1
  2⤵
  PID:460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5892 --field-trial-handle=1996,i,12455806704275893078,15550171697616070852,131072 /prefetch:8
  2⤵
  PID:3948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1692 --field-trial-handle=1996,i,12455806704275893078,15550171697616070852,131072 /prefetch:8
  2⤵
  PID:452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5676 --field-trial-handle=1996,i,12455806704275893078,15550171697616070852,131072 /prefetch:1
  2⤵
  PID:3564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5900 --field-trial-handle=1996,i,12455806704275893078,15550171697616070852,131072 /prefetch:8
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5368 --field-trial-handle=1996,i,12455806704275893078,15550171697616070852,131072 /prefetch:8
  2⤵
  PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 --field-trial-handle=1996,i,12455806704275893078,15550171697616070852,131072 /prefetch:8
  2⤵
  PID:2324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5316 --field-trial-handle=1996,i,12455806704275893078,15550171697616070852,131072 /prefetch:8
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6140 --field-trial-handle=1996,i,12455806704275893078,15550171697616070852,131072 /prefetch:8
  2⤵
  PID:4280
- C:\Users\Admin\Downloads\winrar-x64-624.exe
  "C:\Users\Admin\Downloads\winrar-x64-624.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2700

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2632

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4988

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\be58547af7e2455bb3e19e1767dcb056 /t 3932 /p 2700
1⤵
PID:4964

C:\Users\Admin\Downloads\winrar-x64-624.exe
"C:\Users\Admin\Downloads\winrar-x64-624.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
cee9e48999862e6041e29972076aad44

SHA1
8ec6754b5ac3ce828e82e143f3d70aa7dcecdcd0

SHA256
54dd42fb8222c82daaad5554316f642c2efe1a6db99c3e5a63be4ef8d65c731d

SHA512
05da0c633f34a0a5afdc33507ee515ff4a7da853f83e8a0df22432894dd2c02e7be1c6dbd21f576eb21dfe7b543f2285a40c7356947bfce3dfdb3476fa182a71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
09189385ff4c7f54d295ad4224400714

SHA1
478cef4686c3949cf3fcf3a0ea7c29a00fdeedb9

SHA256
f30a7a9eefb4bf321bf0274cfd95a76ab787d903fbaab43591663010fc590552

SHA512
6887d94932539e051b04d4f2643062fe9a23564f9e510c172abf46faa8eeeaa2c2eb534227942636c7830af20ca5d48ac8a3ab4cbad854b15d53548523ac34fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
65b0713e0d17a635b59c35ee6af6c4df

SHA1
4a490f867b098325e01e8bf47305df548a766720

SHA256
252f230d8d6441b4c80d4818ff54d84c1b633e478d742a99373296ff05370c57

SHA512
2a7af21e3b57c5125f21df46bf16188628c14696d2a906391cbfa6bbc433023a5b826a4b716352efd85e2253ed6666d4077a9a7b24adf53096a4b2e7f983fdc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
ed6a8770622b1d330990f35ce33f1e34

SHA1
7931b794828753b155cbb14c4ba900f300406384

SHA256
6c7f57ff59cfc8178c5cd4a8b102dc27977a5c827bf1bae9cf40d8b03aeacf2c

SHA512
95c11a6b161f7c9bee26ebcd7e12646259efa2cbc82a451174b6bbe3ec886c4606fe7ea7a4bc71dfb16f46a23ff665461a8c994f09ebb512d33cfc65626d160f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e23bacf9eeea0235311610a601ddd9b4

SHA1
2f9e5c039e77ac0303eff96289d7b6f6b1058383

SHA256
46cc8da79dd4f921fc5a383aee645ad4e8679956cc539f1c2424b4d5733f1a01

SHA512
7de4cfd63c8d52de7550304ef7a6fd4f91cf9d228a42c451177a3f5ffff3ffbc67fe1c360cfcff863560346b3f2c67f15b433b7bba7f5d54e5a21db1e4d986c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
87370d923654fdce16ee2c675e140ca2

SHA1
c85676ed044c8ce31d52867993ce0bbacf9512ac

SHA256
056c7a635505dec8bc755c97db2f1c7db6c6221ceefc764fa23e42b4405e5636

SHA512
27dae2f82211e4c8386edb96d17ea30925f7f0d297e3589d7eada7d6ca4e4bc4d6a992c318ad06a3a9d6054d4cafd0f48eb532f13153b117f763cc2ba8d48483

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
0bf749fe301cb75d853807e6030828b8

SHA1
15917f7fa3335cc235d94f118cd9174b978daa02

SHA256
b21e2a372f18fc30441c7b9bacbbca57cdc7d8aaa17dde004cd1161aedbbb2d4

SHA512
540ef356deed8b3ce5490c81de3a19365ae6b65f23580960373435b84ad9dd35ea41ba4dcf41406092ee642c5600ae4e6bed88e36552572db03d8c4e324d9ff5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
7e84891bd50dbcc8b2774e98bace2fa0

SHA1
35bdccb9a34f803cb30c7932b7256f5b05100d01

SHA256
9bcd6dfab4faf5988bf57baaff33b5cf2a142684babdca38a1057b4ddc9ae06a

SHA512
3e7e79ae0cd3c79434973dd43b85768ad1a8ef9acdb377bd4231d59e2ec4e872709a2432f392fd6158fb8e4767b7b223094e7174403ba750a74350ca954505f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
217KB

MD5
50b41208b54504b808495cbfad43f98a

SHA1
f23b17637baed468c6acf0b7d39b5786cd19c757

SHA256
bb7a8166678574a0ea1b2ec23e91de30620871d74a87b7103daab5afd25cba7a

SHA512
fa040619b0f6acb11ac4e6e7ba7de083005bcc6d67c1823d834f69fa0236fe3a3c6cc7e77ab5831353ab3d2c4684129e9316b9a09fdf9f42f7798732673d2fe8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
217KB

MD5
974cdb134b35b87c9dccaa0f84c03f36

SHA1
a2e1e3decc2606ce71799801928c077eef44d7c6

SHA256
2f4d0ab1b521f984d9063d0f935bed5441fdbf943c2c3d7b17cad31f4bcfa84b

SHA512
2044ceb10a08e04969e37fd67bb7a3d892843fb86ec900d45d4eb6d9b6752ef7accab8e36bc2b2f57e44f30bff06eaa9f07ce5d265f0c10fdfdce36880cdc03d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\winrar-x64-624.exe

Filesize
3.4MB

MD5
15596b41dba42cdcce4f677fbbc86b6e

SHA1
1ed1e69e72028150f8562bff5ca1dd745874329a

SHA256
377abc9d367e61cb5c4761bf48dcfdf5bcd3822f303e0f972d7f4c8295a2ea79

SHA512
d4e0d64f71027ecc6d85479542ed682359b37446cb1dccce5fa2972f152e27f3cb91a8ec0dc61270bc40038751a58982d4678efb929a3bc6d3546e072f51a9f2

Download Submit
C:\Users\Admin\Downloads\winrar-x64-624.exe

Filesize
3.4MB

MD5
15596b41dba42cdcce4f677fbbc86b6e

SHA1
1ed1e69e72028150f8562bff5ca1dd745874329a

SHA256
377abc9d367e61cb5c4761bf48dcfdf5bcd3822f303e0f972d7f4c8295a2ea79

SHA512
d4e0d64f71027ecc6d85479542ed682359b37446cb1dccce5fa2972f152e27f3cb91a8ec0dc61270bc40038751a58982d4678efb929a3bc6d3546e072f51a9f2

Download Submit
C:\Users\Admin\Downloads\winrar-x64-624.exe

Filesize
3.4MB

MD5
15596b41dba42cdcce4f677fbbc86b6e

SHA1
1ed1e69e72028150f8562bff5ca1dd745874329a

SHA256
377abc9d367e61cb5c4761bf48dcfdf5bcd3822f303e0f972d7f4c8295a2ea79

SHA512
d4e0d64f71027ecc6d85479542ed682359b37446cb1dccce5fa2972f152e27f3cb91a8ec0dc61270bc40038751a58982d4678efb929a3bc6d3546e072f51a9f2

Download Submit
C:\Users\Admin\Downloads\winrar-x64-624.exe

Filesize
3.4MB

MD5
15596b41dba42cdcce4f677fbbc86b6e

SHA1
1ed1e69e72028150f8562bff5ca1dd745874329a

SHA256
377abc9d367e61cb5c4761bf48dcfdf5bcd3822f303e0f972d7f4c8295a2ea79

SHA512
d4e0d64f71027ecc6d85479542ed682359b37446cb1dccce5fa2972f152e27f3cb91a8ec0dc61270bc40038751a58982d4678efb929a3bc6d3546e072f51a9f2

Download Submit