c94ed445611ed35ebbe8c3c2af5c17e20cdb8ef76ecbc1ef535bdec7ccf08f4b

Resubmissions

11-02-2024 20:27

240211-y8tnksdb78 10

11-02-2024 20:21

11-02-2024 20:11

11-02-2024 20:06

11-02-2024 19:54

Analysis

max time kernel
242s
max time network
243s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11-02-2024 20:06

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

winrar-x64-624es.exe
Size

3.5MB
MD5

1da8374156fc6492f06828e55ea4dc13
SHA1

4923d045851434d65ce7c56b7e1bd73a08fc2305
SHA256

c94ed445611ed35ebbe8c3c2af5c17e20cdb8ef76ecbc1ef535bdec7ccf08f4b
SHA512

445392ffca842263310d0f4b8371e0bfd6bcb40d9e846d645c73616b252315b0603d7e538d9e5415028c35f747989da5c14566cf356860304e889ae7f12565d2
SSDEEP

98304:jwBOBfKqQ0K1MTXtbysMqIpmCcBQz/J6+14CeZx1kR7:jw/qQv1MTXhysMs1BQnG1G

Score

6^/10

bootkit persistence

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
168	camo.githubusercontent.com
174	camo.githubusercontent.com
187	raw.githubusercontent.com
188	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	[email protected]
File opened for modification	\??\PHYSICALDRIVE0	sys3.exe

Executes dropped EXE 1 IoCs

pid	Process
2840	sys3.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133521556211597257"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "24"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2744	chrome.exe
2744	chrome.exe
4600	chrome.exe
4600	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeCreatePagefilePrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeCreatePagefilePrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeCreatePagefilePrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeCreatePagefilePrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeCreatePagefilePrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeCreatePagefilePrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeCreatePagefilePrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeCreatePagefilePrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeCreatePagefilePrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeCreatePagefilePrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeCreatePagefilePrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeCreatePagefilePrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeCreatePagefilePrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeCreatePagefilePrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeCreatePagefilePrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeCreatePagefilePrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeCreatePagefilePrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeCreatePagefilePrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeCreatePagefilePrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeCreatePagefilePrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeCreatePagefilePrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeCreatePagefilePrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeCreatePagefilePrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeCreatePagefilePrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeCreatePagefilePrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeCreatePagefilePrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeCreatePagefilePrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeCreatePagefilePrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeCreatePagefilePrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeCreatePagefilePrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeCreatePagefilePrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeCreatePagefilePrivilege	2744	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1216	winrar-x64-624es.exe
1216	winrar-x64-624es.exe
2448	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 444	2744	chrome.exe	95
PID 2744 wrote to memory of 444	2744	chrome.exe	95
PID 2744 wrote to memory of 1524	2744	chrome.exe	96
PID 2744 wrote to memory of 1524	2744	chrome.exe	96
PID 2744 wrote to memory of 1524	2744	chrome.exe	96
PID 2744 wrote to memory of 1524	2744	chrome.exe	96
PID 2744 wrote to memory of 1524	2744	chrome.exe	96
PID 2744 wrote to memory of 1524	2744	chrome.exe	96
PID 2744 wrote to memory of 1524	2744	chrome.exe	96
PID 2744 wrote to memory of 1524	2744	chrome.exe	96
PID 2744 wrote to memory of 1524	2744	chrome.exe	96
PID 2744 wrote to memory of 1524	2744	chrome.exe	96
PID 2744 wrote to memory of 1524	2744	chrome.exe	96
PID 2744 wrote to memory of 1524	2744	chrome.exe	96
PID 2744 wrote to memory of 1524	2744	chrome.exe	96
PID 2744 wrote to memory of 1524	2744	chrome.exe	96
PID 2744 wrote to memory of 1524	2744	chrome.exe	96
PID 2744 wrote to memory of 1524	2744	chrome.exe	96
PID 2744 wrote to memory of 1524	2744	chrome.exe	96
PID 2744 wrote to memory of 1524	2744	chrome.exe	96
PID 2744 wrote to memory of 1524	2744	chrome.exe	96
PID 2744 wrote to memory of 1524	2744	chrome.exe	96
PID 2744 wrote to memory of 1524	2744	chrome.exe	96
PID 2744 wrote to memory of 1524	2744	chrome.exe	96
PID 2744 wrote to memory of 1524	2744	chrome.exe	96
PID 2744 wrote to memory of 1524	2744	chrome.exe	96
PID 2744 wrote to memory of 1524	2744	chrome.exe	96
PID 2744 wrote to memory of 1524	2744	chrome.exe	96
PID 2744 wrote to memory of 1524	2744	chrome.exe	96
PID 2744 wrote to memory of 1524	2744	chrome.exe	96
PID 2744 wrote to memory of 1524	2744	chrome.exe	96
PID 2744 wrote to memory of 1524	2744	chrome.exe	96
PID 2744 wrote to memory of 1524	2744	chrome.exe	96
PID 2744 wrote to memory of 1524	2744	chrome.exe	96
PID 2744 wrote to memory of 1524	2744	chrome.exe	96
PID 2744 wrote to memory of 1524	2744	chrome.exe	96
PID 2744 wrote to memory of 1524	2744	chrome.exe	96
PID 2744 wrote to memory of 1524	2744	chrome.exe	96
PID 2744 wrote to memory of 1524	2744	chrome.exe	96
PID 2744 wrote to memory of 1524	2744	chrome.exe	96
PID 2744 wrote to memory of 2380	2744	chrome.exe	100
PID 2744 wrote to memory of 2380	2744	chrome.exe	100
PID 2744 wrote to memory of 1444	2744	chrome.exe	97
PID 2744 wrote to memory of 1444	2744	chrome.exe	97
PID 2744 wrote to memory of 1444	2744	chrome.exe	97
PID 2744 wrote to memory of 1444	2744	chrome.exe	97
PID 2744 wrote to memory of 1444	2744	chrome.exe	97
PID 2744 wrote to memory of 1444	2744	chrome.exe	97
PID 2744 wrote to memory of 1444	2744	chrome.exe	97
PID 2744 wrote to memory of 1444	2744	chrome.exe	97
PID 2744 wrote to memory of 1444	2744	chrome.exe	97
PID 2744 wrote to memory of 1444	2744	chrome.exe	97
PID 2744 wrote to memory of 1444	2744	chrome.exe	97
PID 2744 wrote to memory of 1444	2744	chrome.exe	97
PID 2744 wrote to memory of 1444	2744	chrome.exe	97
PID 2744 wrote to memory of 1444	2744	chrome.exe	97
PID 2744 wrote to memory of 1444	2744	chrome.exe	97
PID 2744 wrote to memory of 1444	2744	chrome.exe	97
PID 2744 wrote to memory of 1444	2744	chrome.exe	97
PID 2744 wrote to memory of 1444	2744	chrome.exe	97
PID 2744 wrote to memory of 1444	2744	chrome.exe	97
PID 2744 wrote to memory of 1444	2744	chrome.exe	97
PID 2744 wrote to memory of 1444	2744	chrome.exe	97
PID 2744 wrote to memory of 1444	2744	chrome.exe	97

C:\Users\Admin\AppData\Local\Temp\winrar-x64-624es.exe
"C:\Users\Admin\AppData\Local\Temp\winrar-x64-624es.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd7dcc9758,0x7ffd7dcc9768,0x7ffd7dcc9778
  2⤵
  PID:444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1752 --field-trial-handle=1972,i,14935155341955821753,11303361402063828189,131072 /prefetch:2
  2⤵
  PID:1524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2112 --field-trial-handle=1972,i,14935155341955821753,11303361402063828189,131072 /prefetch:8
  2⤵
  PID:1444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3012 --field-trial-handle=1972,i,14935155341955821753,11303361402063828189,131072 /prefetch:1
  2⤵
  PID:4704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3004 --field-trial-handle=1972,i,14935155341955821753,11303361402063828189,131072 /prefetch:1
  2⤵
  PID:2956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1928 --field-trial-handle=1972,i,14935155341955821753,11303361402063828189,131072 /prefetch:8
  2⤵
  PID:2380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4640 --field-trial-handle=1972,i,14935155341955821753,11303361402063828189,131072 /prefetch:1
  2⤵
  PID:2268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 --field-trial-handle=1972,i,14935155341955821753,11303361402063828189,131072 /prefetch:8
  2⤵
  PID:1488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 --field-trial-handle=1972,i,14935155341955821753,11303361402063828189,131072 /prefetch:8
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5112 --field-trial-handle=1972,i,14935155341955821753,11303361402063828189,131072 /prefetch:8
  2⤵
  PID:3216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5464 --field-trial-handle=1972,i,14935155341955821753,11303361402063828189,131072 /prefetch:1
  2⤵
  PID:4012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=1896 --field-trial-handle=1972,i,14935155341955821753,11303361402063828189,131072 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5648 --field-trial-handle=1972,i,14935155341955821753,11303361402063828189,131072 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5688 --field-trial-handle=1972,i,14935155341955821753,11303361402063828189,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=1256 --field-trial-handle=1972,i,14935155341955821753,11303361402063828189,131072 /prefetch:1
  2⤵
  PID:3104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3288 --field-trial-handle=1972,i,14935155341955821753,11303361402063828189,131072 /prefetch:8
  2⤵
  PID:4220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4740 --field-trial-handle=1972,i,14935155341955821753,11303361402063828189,131072 /prefetch:8
  2⤵
  PID:1088

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2636

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\2f24fb5bca5e445292efbbd56accf985 /t 2804 /p 1216
1⤵
PID:2992

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4388

C:\Users\Admin\AppData\Local\Temp\Temp1_PowerPoint.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_PowerPoint.zip\[email protected]"
1⤵
- Writes to the Master Boot Record (MBR)
PID:3940
- C:\Users\Admin\AppData\Local\Temp\sys3.exe
  C:\Users\Admin\AppData\Local\Temp\\sys3.exe
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Executes dropped EXE
  PID:2840

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa394d055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
194KB

MD5
36104d04a9994182ba78be74c7ac3b0e

SHA1
0c049d44cd22468abb1d0711ec844e68297a7b3d

SHA256
ccde155056cdce86d7e51dfd4e8fb603e8d816224b1257adfcf9503139dd28f1

SHA512
8c115e3e5925fb01efd8dda889f4d5e890f6daaf40b10d5b8e3d9b19e15dadcb9dcf344f40c43f59a1f5428b3ee49e24e492cf0cb6826add1c03d21efdec52ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
984B

MD5
1af6f18b36d83410981459ec0b479f08

SHA1
6086a8ba447550b4844ad61fccb9674e9cc108b1

SHA256
bcd5346db24d0fefed09c6ee285cff33508c5138096ac62aa08a83132187ca91

SHA512
154731fbfb9e8e91a497353d072c9a4efab0974107d9469759218feff4a260607956495a6eeb28ebba4436380ac17cbc9719d204e492e62ea6ccbaf793679265

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
ac0ea217aa7f8b70ae237b74c856abc1

SHA1
d4f4a0d04f4018acad672326b89aa073d67bc8a1

SHA256
c2f1c5ee8c1529ee64afa33c0d928fb98b6e937576f2eae50c6cd14ab6bb37d1

SHA512
c5ef8d63783ccaec391924c23b34eb00c9bc7d6bacbad0f53225987a70e0e94c4f8d1610e919565e9325a63c7b51f932853f5e6d7e2cf003086931aa4e41bddf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
c5f2d0e53c377931da32fe4aaaae3caa

SHA1
8452536bc0b419682386c2d73152d62b79dfea80

SHA256
ee76043e465585385a41f759bb5ad12a73fd7967430d69f9e558224ef0f9fc12

SHA512
bd3d552167ee0fba6abca3b7f0876ddc0184c689b03acf3c0326ebf25a6efc3c6c14214999ae5d8d41368da0a44b1e43cd14b699649957493abcce755677ab49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
6f0a82fee04e02fc90f49153ba9d68ec

SHA1
bbb2006bfb55d45132170a92dfe8929d49c53a3e

SHA256
3bc6c691146beb9fe7631649c9144f7708ac7f34d9d09f59b6fbc7ebfa31267e

SHA512
71a5cbc0ab681810e3408dedc87bd6f9e64590e50e4c1cfc49253ef843ac8c251134ca690b87a3293899496d5eeda447b1fc7df2155fe66cceb7aa2a52cb953d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
88dfee9932e7c996c36f61efef310d0d

SHA1
f8a610ad59fb7f7b73f435ec87107e1dc8620a4a

SHA256
acd8178b8c277de7f45af48487052a217cf7ebe76bb56d0ac27db43afc3c6f1c

SHA512
7c7be3932cdbe820b8ac1fc86ed9db6b192fb4ff734eaa23cc37a8965abd6c8e849cd4fc020055aa7c8a9e218bc65e36bf089c69192ae1ca63466b6a518fec03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
2c254c794c76559e5d2366deb75cb0b3

SHA1
1a69e3c49df25d8c84e8eb5c3874d5f273146435

SHA256
03c8bde065cf71538c3af4b6d5bf12bed2397d7d8116933656d1ec656ddffbcc

SHA512
984e50468590b3dd742c7fbea376f13cc865ccf89218f3ddbb4f2b37d5022a04f7092c6e8d1fcea45f3a53456478d1df95a3dc034c6140ef886324823fae5ec5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
4b3d0a40ceef5408497d2f87662031e5

SHA1
4809640e957d4a88743331695b3bad59bc1b510e

SHA256
140c50fffdc8724a63878e720f0124315c3951967ec3b8e4b81dfbeba59a06ac

SHA512
bfd85c2b58d1ebce920a0e20f580ff3a31ffcf152bc709bd40814720b017b29cd71f30a8ebc5642fdfe9fbbb08fd5278ceec0df5b4cd31e14d9f43ed13fae778

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
34c5eb3a53290141dab220f098c173b1

SHA1
06ece63b06a9066aa42677a984d0a6ef9e3f0aae

SHA256
402abd1f95b2774c2ac3a06ed8214ef31524157dff0b808a98fb12de5181c964

SHA512
45217506f6f2e7bb48160bd37f6324ea6f65a780ad3935a402f8064aeb73dae02962e6e4d614eb5e11290da1d3e37032fe8d23578938bf61ce5d9ade34eef4f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
f817ee4a105e97b36a0595e1b5685197

SHA1
0d7121e3d5e046e2b35bbd040a11786cc23a1e0e

SHA256
7c84c53e48c7accedb5c035991f1113301215fde15306beae5d5cdd06a3d4fc1

SHA512
dc463616c8c734af6d9655a64af619d974c2fadf99f26aaa794111adc474022741cdf335eaf3081b0582e638b3f318df76d6eae0292d0ad7db293f280989d31c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
7027ae261cf17ae6663cf95eff0aee0f

SHA1
20e9098bdde56f778e4f114d0af838fee15bd59f

SHA256
14668c867870fafb4d7ea50abe9c602e4b15ec391c4020a8c89a6716746bd1cc

SHA512
41fdd3bd022898ebd59a3b0f7ffb8c2689e76b23b73af841ffb40fda278d1367f452b6fe3ff2b32e9296ed1988f183443308dbf840121f551f1064c0ddb074fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
a5e4414f057b0d87cb92a56cc861d967

SHA1
dec37ba1caed9c2735c7779d958bac5645d608b4

SHA256
04908ac8ec4ba2121577b3df34b66a28df662b10e8350d9e6dcc63363db0a951

SHA512
1fea47ffe62212a83433cc2a466f6c7b298c488bcae6344a60ead7bde411cc87e9e8d88577efce09e3834c24ddce7c42c02d4b8fe5df447019cc161d2c69a898

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
bee28e374ad467f28fd267530479d08c

SHA1
7a0eea2bbdb99f329aabbb7271896591c4b66984

SHA256
22e9288f66ec87379875b5984f31361af43e9b6f0476b1604bf3870680687162

SHA512
d2a0ed366117b221347be376febd91d759a2b6b560450298b7dad32d90e385b3145bfc2309b42f165cfc5f215c483c6686a65c8b9e56e7f7e0f23b38d5f1e721

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
db810cb21c88623af772f553acbf40f3

SHA1
845113216b85402bcaee11f61eca007c3efa124c

SHA256
90032445d69e33318e9e5d3547792bf16939d1d5d7b3f1032d68b868ef2d49bf

SHA512
910f109031f705ad3954f9569e93cc2e0c5e8d745feb47861aca8d54d72d9c1896ee1f4380a95ca4422207a00ec01be2dc5405c5d55fcc642d71af1965bb7d74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
534B

MD5
32448d7980b2ab8d5af5d288435eaaed

SHA1
09129fae6340ab3469a65705627c7a84751e7017

SHA256
bdb62940d45f797ad3d52e96adc0b8b65d239afe9dfff418c69463bdb45d3f2e

SHA512
36f2bbfd53d34733bc2dbd8c6b274a86fbad268174566686880cfd3bc3b5ab77c7b93eef56217322164646af4a5305d6da979c2539ea885ca9ab241dc5db171a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1a560b072990d1e10cb12a8fc8b51404

SHA1
b7447112403eee675ca3a2f09a7618504a707433

SHA256
081a1fa050fb543c68be8ed191f545d598cefcb3625d4ea809f19750c5210212

SHA512
ad53b1e6433a20d518409bb18def82d47c37564e3de2cc753946db0313e6f0efb5781f77738f744c0497055ee1e233158bb06119e499f7a036efab9c036d13b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9c474820c81d0a50d3519a6301c8ab8d

SHA1
d1809884ed5a9fd7642c7957f9a89ff220e81a7c

SHA256
a369a30a54a5a2c6f948d01b77a29cea5b39e2bf10c9da0d033542f59aa63348

SHA512
a674299e5f6ec2c4e3c54b4900022257d47cb03ac3ce0524877d4e6c43007cd801b80a140be90ca5b87c708a7f805bd4960944ee548801860c9cbc5586ce5ac1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
5e86d4f90bd1e893f92b9f7e54b6aeb7

SHA1
184a2dbfbf864c263275232b19d5c8b7ce79f470

SHA256
94b6935ed2e8f50cf4fd8d8c4575e6af373dc3e5f14fb39040aeabdeaab7959b

SHA512
c056474692ef0e21e82c0e4301e219ea1f9aa7b039c610ae99c3dd7053b8c0121d65ac7ecb35b4bcf31c45f11d519883ed5d02f3fbd24526fd805daba5d24437

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9aca39daee4c9aa26d3827877178559f

SHA1
214fe0fb3b6d1fe42313dfadcc80500e1e41dcef

SHA256
2cd83b30a1d96d86aa7f03adcb15bf10a3536eed5fdeca1729719c6c2c692edf

SHA512
639580f5f634ff3f924acbd5058b167853d0ded92ce4f19209e0716259b6797d60a1a649014fc64e11ef8994fc4dfde76bc995d77d93628889f2e8dca92c4047

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ec5e19ead4bc746ac656fce374ae06de

SHA1
a8486a007ae750cd1d6b5a5e59482176440849a8

SHA256
42e157a0163b448fc5e04d2d5746a295df7a979041d597613a090134ba192163

SHA512
1721571be6c47534957e219c1567e67fb84e8db9586f3aeae7e2c1cb103a5cebe7e1a09a3d64d0aadc40b08c442af9e805239da38ec29a964c95772a47782ac8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1bf70e5a973407c06af016a9307a0fad

SHA1
e93677ae8dbe45a1d1d7ac58efb43eb4d3b7e221

SHA256
e244e35772efd0744eac537d8f2eb51b4e8e809e50a499f28361ea5e8b24fcea

SHA512
aca3aae609eeee2ea64ade8f4d11903825f5440dfb3227a6dae28bd953c758292501e397e81b9827650cab4522d38f6ee1d343c5772543ae8b4bdca0c8ccb19a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e08b70ab0971eea0e9cd735078edf472

SHA1
8bda2ba115c734053cb0e338fe47731da9932275

SHA256
59e20cf5c7a5ac5d15ca521a3549086b6e624be4118a372be9f7ba3d208f7256

SHA512
b70799fe218b002b0d37b5c618e6707232afc35f586c4a23abe4f324842a717aa69d27a2afff69335416be9b2f4d94aa37989b17d9dc70c0b2fa90e1dd2d4a85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
07754bb4a0e89d212c1a6f450af083c0

SHA1
acee8b7f6c92b9f1f5f6063cd956c6b00d54a7b0

SHA256
b32e9dfb0faa87903d33bc7f2c237af812aa328cf1d481eaca0da34d055964bd

SHA512
20b5992eb7a1304081cc256a0a69914fafcd2eef50b4e64cda91ace5b610ac34163a5f72092d033d15413e73360c853df7735a9c24d4331439bf2f5e30015550

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f8d1bda4380e49b4ef7b65649b2e0587

SHA1
bfc4b35014b3b7f506ce258f7681e36bee972538

SHA256
0c351cc4382bcc217d51b12f2955c4a695ac02f4fa0223663e5ecb3ce15885ae

SHA512
ca1c65c34c1f0e5fcf71d819b921329804d25b0c609f58873d97e97e309e6748a34aaa9cc26addad5347d9e379f1bbf67c6129b4afa4802239074e82b451022b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
854146e0800819e2e47110c2bbaff6d6

SHA1
7c2ab2c3f2401ad9a6613e2b0f625e4513bd3db9

SHA256
9b67000ce1353608c8c9f7c16c99e74bfd3553507ceff2279a3e881682356ad4

SHA512
38928bcf8dab31f446ed2ff2ecc245baf2f226020c1c6ea63241f5b249e1703f3fa0f2625fed32717c153068c0a49caf2d9f6f572ed81f7ff0372ea72937f097

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
fda71bb6990648679a68dfe559cc112d

SHA1
bf6a68fd7266fcef6f069853274d917d31c0f051

SHA256
a9780df79795b7ec0a4757fe6e5f1fe9437c8c4bec4c28902436f8f557a645b5

SHA512
f6bd3643877e64af252b0f81dd625f9636938eb2f3962f54e65d3be3fef3c49cec5524bdb1d2e72a30457e5a668b2756b759f8b76a11b9eb485be458d2e8f283

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
986612d14c6cdd6e6ac75f85e251c53a

SHA1
c7b907c9b6e238b45f3a7618bbe7dad24b4fc20e

SHA256
257a1dc2d656a50537621b14acacfb73a5039d2b1d15aa52e747e7fb7a588d68

SHA512
b8817b9831ce7064b14427e72e3e56e4c416be68356a5e2436ea1fc7fdf12ebfbdb185eea92561d5b95083a90eae283eae83cb1d4f9d2c830c69405e120d39bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
239KB

MD5
80acb3d40dff9280b569a1b3cd88afb8

SHA1
7c96ed88c8fe79b8c20e4178115755582a72afd7

SHA256
1a1c7d9cd5e52ac1e5ad33fa378e2ad4c779f08634373b5c6d23326fbb2e28ed

SHA512
6bebb667b9f73c5af2fe810af3196d01eaa7d850a6390fbbad9a0e6a3ed774a2e6ebf21c5667fdf4ff5b336f21b3b511795cef4c886662e19f2092670811110b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
239KB

MD5
7c763aa370279dafd3c1ea33da92e726

SHA1
18278955bfda579abba29f01fa84c2d728aad830

SHA256
5da570e2ac1062c42ff24f398079d27aff8026eac7a4c9ddc44f580e3c06630e

SHA512
b450b30fa7cf85c433160b22a29e5b47fbabb91b64900fa39b16b3ebaf6c111fc0516a4331a5afddee9b0120326d6c989db2179f6d045708b0a39c73bd10af1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys3.exe

Filesize
136KB

MD5
70108103a53123201ceb2e921fcfe83c

SHA1
c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3

SHA256
9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d

SHA512
996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b

Download Submit
C:\Users\Admin\AppData\Local\Temp\systm.txt

Filesize
80B

MD5
34e19002be90417747f58e44cc1700ea

SHA1
6833d1e76b4e78f5a25cc9e74df2505b8c2956d2

SHA256
18cba779ba620fc897cc5adf01a88582f240765119e1e459da76709454355b06

SHA512
1ed2cec9f6c56d5d6cdd16a89b23fcabe0f3906a8924ad7f005f3fa1904b26d412fe76b12eb846ff8eb1ce092c22dad173741d43daa54160ef3620acb9df8133

Download Submit
C:\Users\Admin\Downloads\PowerPoint.zip

Filesize
66KB

MD5
196611c89b3b180d8a638d11d50926ed

SHA1
aa98b312dc0e9d7e59bef85b704ad87dc6c582d5

SHA256
4c10d3ddeba414775ebb5af4da5b7bb17ae52a92831fe09244f63c36b2c77f34

SHA512
19d60abf83b4a4fe5701e38e0c84f9492232ceb95b267ae5859c049cea12fee2328a5d26ffd850e38307fb10cb3955b7e5e49d916856c929442d45b87071d724

Download Submit
memory/3940-663-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download
memory/3940-669-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads