7c419b375dff5ab052c86131a714a80b5506f78cfbba3fd7b990afc0a6ff4110

Resubmissions

05-05-2024 22:14

240505-15wpwafd5z 10

05-05-2024 22:10

05-05-2024 22:10

05-05-2024 22:06

05-05-2024 22:06

05-05-2024 21:58

05-05-2024 21:56

Analysis

max time kernel
179s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2024 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ForMyFriends.rar
Size

368KB
MD5

e5dffe249ace4087f23b2b20eea988a5
SHA1

9622701158cd5defc558b2c78b3281ce26d42eaa
SHA256

7c419b375dff5ab052c86131a714a80b5506f78cfbba3fd7b990afc0a6ff4110
SHA512

466354de558125d256064abc7b5b7fb7ddb2293be32accb577b31b08c779769a839eae521dd17642b041c150fd3acc4abeea66300c9a9a083b0bad401bfb5e41
SSDEEP

6144:vtX3fnGv4ndmVfh9zppZI6w/ub1OGjjpsV9gBm1Z6CiZE3+WdGqLiqW:vtXPn9nUVfh9zy6w/uN6gBi2E3+e+N

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4284	winrar-x64-700.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133594204443240891"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2956	chrome.exe
2956	chrome.exe
2292	chrome.exe
2292	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeCreatePagefilePrivilege	2956	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3552	OpenWith.exe
3552	OpenWith.exe
3552	OpenWith.exe
4284	winrar-x64-700.exe
4284	winrar-x64-700.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 3216	2956	chrome.exe	99
PID 2956 wrote to memory of 3216	2956	chrome.exe	99
PID 2956 wrote to memory of 1796	2956	chrome.exe	100
PID 2956 wrote to memory of 1796	2956	chrome.exe	100
PID 2956 wrote to memory of 1796	2956	chrome.exe	100
PID 2956 wrote to memory of 1796	2956	chrome.exe	100
PID 2956 wrote to memory of 1796	2956	chrome.exe	100
PID 2956 wrote to memory of 1796	2956	chrome.exe	100
PID 2956 wrote to memory of 1796	2956	chrome.exe	100
PID 2956 wrote to memory of 1796	2956	chrome.exe	100
PID 2956 wrote to memory of 1796	2956	chrome.exe	100
PID 2956 wrote to memory of 1796	2956	chrome.exe	100
PID 2956 wrote to memory of 1796	2956	chrome.exe	100
PID 2956 wrote to memory of 1796	2956	chrome.exe	100
PID 2956 wrote to memory of 1796	2956	chrome.exe	100
PID 2956 wrote to memory of 1796	2956	chrome.exe	100
PID 2956 wrote to memory of 1796	2956	chrome.exe	100
PID 2956 wrote to memory of 1796	2956	chrome.exe	100
PID 2956 wrote to memory of 1796	2956	chrome.exe	100
PID 2956 wrote to memory of 1796	2956	chrome.exe	100
PID 2956 wrote to memory of 1796	2956	chrome.exe	100
PID 2956 wrote to memory of 1796	2956	chrome.exe	100
PID 2956 wrote to memory of 1796	2956	chrome.exe	100
PID 2956 wrote to memory of 1796	2956	chrome.exe	100
PID 2956 wrote to memory of 1796	2956	chrome.exe	100
PID 2956 wrote to memory of 1796	2956	chrome.exe	100
PID 2956 wrote to memory of 1796	2956	chrome.exe	100
PID 2956 wrote to memory of 1796	2956	chrome.exe	100
PID 2956 wrote to memory of 1796	2956	chrome.exe	100
PID 2956 wrote to memory of 1796	2956	chrome.exe	100
PID 2956 wrote to memory of 1796	2956	chrome.exe	100
PID 2956 wrote to memory of 1796	2956	chrome.exe	100
PID 2956 wrote to memory of 1796	2956	chrome.exe	100
PID 2956 wrote to memory of 1996	2956	chrome.exe	101
PID 2956 wrote to memory of 1996	2956	chrome.exe	101
PID 2956 wrote to memory of 1680	2956	chrome.exe	102
PID 2956 wrote to memory of 1680	2956	chrome.exe	102
PID 2956 wrote to memory of 1680	2956	chrome.exe	102
PID 2956 wrote to memory of 1680	2956	chrome.exe	102
PID 2956 wrote to memory of 1680	2956	chrome.exe	102
PID 2956 wrote to memory of 1680	2956	chrome.exe	102
PID 2956 wrote to memory of 1680	2956	chrome.exe	102
PID 2956 wrote to memory of 1680	2956	chrome.exe	102
PID 2956 wrote to memory of 1680	2956	chrome.exe	102
PID 2956 wrote to memory of 1680	2956	chrome.exe	102
PID 2956 wrote to memory of 1680	2956	chrome.exe	102
PID 2956 wrote to memory of 1680	2956	chrome.exe	102
PID 2956 wrote to memory of 1680	2956	chrome.exe	102
PID 2956 wrote to memory of 1680	2956	chrome.exe	102
PID 2956 wrote to memory of 1680	2956	chrome.exe	102
PID 2956 wrote to memory of 1680	2956	chrome.exe	102
PID 2956 wrote to memory of 1680	2956	chrome.exe	102
PID 2956 wrote to memory of 1680	2956	chrome.exe	102
PID 2956 wrote to memory of 1680	2956	chrome.exe	102
PID 2956 wrote to memory of 1680	2956	chrome.exe	102
PID 2956 wrote to memory of 1680	2956	chrome.exe	102
PID 2956 wrote to memory of 1680	2956	chrome.exe	102
PID 2956 wrote to memory of 1680	2956	chrome.exe	102
PID 2956 wrote to memory of 1680	2956	chrome.exe	102
PID 2956 wrote to memory of 1680	2956	chrome.exe	102
PID 2956 wrote to memory of 1680	2956	chrome.exe	102
PID 2956 wrote to memory of 1680	2956	chrome.exe	102
PID 2956 wrote to memory of 1680	2956	chrome.exe	102
PID 2956 wrote to memory of 1680	2956	chrome.exe	102

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ForMyFriends.rar
1⤵
- Modifies registry class
PID:116

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0x7c,0x108,0x7ffc7a13ab58,0x7ffc7a13ab68,0x7ffc7a13ab78
  2⤵
  PID:3216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1932,i,2031480867686672643,13461589238182802056,131072 /prefetch:2
  2⤵
  PID:1796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1932,i,2031480867686672643,13461589238182802056,131072 /prefetch:8
  2⤵
  PID:1996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2188 --field-trial-handle=1932,i,2031480867686672643,13461589238182802056,131072 /prefetch:8
  2⤵
  PID:1680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2940 --field-trial-handle=1932,i,2031480867686672643,13461589238182802056,131072 /prefetch:1
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1932,i,2031480867686672643,13461589238182802056,131072 /prefetch:1
  2⤵
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3584 --field-trial-handle=1932,i,2031480867686672643,13461589238182802056,131072 /prefetch:1
  2⤵
  PID:1512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4496 --field-trial-handle=1932,i,2031480867686672643,13461589238182802056,131072 /prefetch:8
  2⤵
  PID:1880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4628 --field-trial-handle=1932,i,2031480867686672643,13461589238182802056,131072 /prefetch:8
  2⤵
  PID:1388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 --field-trial-handle=1932,i,2031480867686672643,13461589238182802056,131072 /prefetch:8
  2⤵
  PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5048 --field-trial-handle=1932,i,2031480867686672643,13461589238182802056,131072 /prefetch:8
  2⤵
  PID:4132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4572 --field-trial-handle=1932,i,2031480867686672643,13461589238182802056,131072 /prefetch:8
  2⤵
  PID:4756
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:2976
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6740fae48,0x7ff6740fae58,0x7ff6740fae68
    3⤵
    PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4876 --field-trial-handle=1932,i,2031480867686672643,13461589238182802056,131072 /prefetch:1
  2⤵
  PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4900 --field-trial-handle=1932,i,2031480867686672643,13461589238182802056,131072 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1100 --field-trial-handle=1932,i,2031480867686672643,13461589238182802056,131072 /prefetch:8
  2⤵
  PID:4228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1696 --field-trial-handle=1932,i,2031480867686672643,13461589238182802056,131072 /prefetch:8
  2⤵
  PID:4952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4728 --field-trial-handle=1932,i,2031480867686672643,13461589238182802056,131072 /prefetch:8
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 --field-trial-handle=1932,i,2031480867686672643,13461589238182802056,131072 /prefetch:8
  2⤵
  PID:1224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3308 --field-trial-handle=1932,i,2031480867686672643,13461589238182802056,131072 /prefetch:8
  2⤵
  PID:5100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2280 --field-trial-handle=1932,i,2031480867686672643,13461589238182802056,131072 /prefetch:8
  2⤵
  PID:3736
- C:\Users\Admin\Downloads\winrar-x64-700.exe
  "C:\Users\Admin\Downloads\winrar-x64-700.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2668 --field-trial-handle=1932,i,2031480867686672643,13461589238182802056,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2292

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2976

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3132

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3296

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\9eba609af1804f3e84ffdb2f31195f7c /t 3052 /p 4284
1⤵
PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
296f36c0f3d1798a02d7269cd6874e7d

SHA1
e816325d38c2bce54d59bb35bd7caf73b091d7df

SHA256
6d18a74532045528ea4ad290023f44bf02ad099cec0dd673f821eae71e23dc52

SHA512
4795f5ec22c0a780d3437569e70e67fd0827f0a5e42303a53673aa5ecf951ec54bc587cfbf2e321259816df680f86ee1ed1ba6f3c44450fbe1212bc40994d31a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
5f2999ab74d37d83794b8571fe264093

SHA1
035ef2069e700f8f950f2fb286010a7aff399f98

SHA256
eadd56cdfd6440093b7846e43ef91dd6d7fe70366c32799a4ea8ea03030a7fba

SHA512
07273fa5ff438896f30c66442c0cfacdd6632e22546438599a1dc4c15d44e20ed70d31a99c69cabe599b73cd9db86572e402f9ad1994c75c01e0273d19770270

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
ce4fe61c43d22b03fffb437f85cffe82

SHA1
1363bde8f9c8980346af8a3a1c956e273eee26d8

SHA256
8a1a1aeecd19103dc37b5bdfe7e270c2b5f919554d1266508d5a34d30ce89ccd

SHA512
d0bd5c238d5c61d40201009de187d5e9e4b88d7e1faed6fb3b726f6ca03d6db079a39b1db1ff9fa17ee61bcfc077bb72269ad7c005900452b1d4bd3a8c9d36ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
6fa661ef9d18acb8aa60e1f3e5095cda

SHA1
85bdc87b1b4718a81b88bb6d32bcc0d70a8d5507

SHA256
980153d7b57224b65a9fbf0863fc20b102f10a8b93ab115b65252aeec0f8769d

SHA512
3ee7cfb40782d7d5398afce2e0cf676a1d6a4154f2b277368f83ac42b161a59f0508c0a13a4079072e43430dfc1c8b58f00a7eb2426e448358fd4192535a455b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
622ef9a0a33399e38a6117400562a0fd

SHA1
38362b3030cc8bcccfeeb41230b112fe54dd69fd

SHA256
4ef569fd43a35fb0cdb4888a5e635b8d9d0ee7142159a5c57093ccfd943adc26

SHA512
8ff384b629e954efef4e8a5417ca0fbe76676cf96096431e468a867116dce71f46d0fda6a8c6bb739ef89223002e0b669819adffb7cdfb74cfd28d8cb3114f98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
519B

MD5
8af4a9dc4cf4fae2f455cc71e1616120

SHA1
e029c71cb35e6976c47ed0f09537f1c55d4c4324

SHA256
a5cf6a57b7599b9cbd40e7fa1ac35d0064e941ec137dab939eff525141d81900

SHA512
e4e0d492c627928e90414c8946a158de98b566df1e5639a7dc8887e90b5f4538bcb2bc12b7d35661a023d3fa30361b2a1517a4cfac1f6933618500ace928a93d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
521B

MD5
e26b5554243b16c48db0472cd66d1071

SHA1
948dc917d917da00422393cc212dfd2a8d9dda3a

SHA256
501d325feffe5b18f665532f91ba7aa220a1f1a202cc56b2d7603a6af6ded721

SHA512
232a7424229139cbe6aa26f60cbb230e2db9339844a389e260a35f2599e2a8bc7bca8e376c9c634dcc9ffdc4b9527c12124ae5399b3e6b1715e0fda606e317d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
519B

MD5
f60ffd2dcd0112c425d9b2279b1f11a1

SHA1
b2348e8dc7ecb8b5eb03fa2447f8e3a2506bdae5

SHA256
baa1be2e4f32f088c4e2a2293bebebc5ea2f983991eaf5d7efe48d2b9b5eb5d3

SHA512
a67eddbf61e405b3e112d30c6867cb556076f132c453d6977b22fd2565f690360cbfd3f7e0bf2e7583f4e03bd10eed9fcf2f9c4abbcaa0f6ff3e9e5c91c5e375

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
0de1b232c02fb4f67a26ee6daddf1a49

SHA1
c61c47744c8462931f3ac971852a5114d5ba9c8d

SHA256
1b2e9cc2369b8e078e28d7f80be2fe6ee9403257bbc61365e408648feeae2aec

SHA512
3c03f08d93e7fb2472be09149cba03ebfa20d5787acc15d007ac71dc3afc8db6b56faa960395d81607c0b631621088affd8b8a54d3b0af4f5c32a62393011e13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e4b62d65d3bbab889183718e31b53d32

SHA1
524b941ca956965cb450cca72d39bc8b80306ba3

SHA256
cc01596c3135c304517498c31ee22cb5b58d6cbad6bc9aba2a345fcb1e79bd74

SHA512
f6acd56cb292e0a05cbac7efac639d7fe88e3abc172f6da899df627008159e63433b691f10a4817683aa904c0e7134c107467cf9bb2a6d8abe2c60cd41709833

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
341c0cbd879c721177889cab5235f570

SHA1
3beb14c1735ecee0a6ac576ad94e16e6006cc00f

SHA256
844bab0ee6317d9e8c1966b3891651cdcb1c9edb5f1c4a2777337db39f2034f9

SHA512
f972585ff1972a3a8d80ef7856867470ed0b4d207d1d2e6766d4b1390e7a03d3ac18cb14e76be0a123fca1a15c29f4968a954e2c2c83593a4d68d551295bc8b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
3ece1d8662431514641995dcc64938e2

SHA1
2974cae25449a2f60768e1a80170818692afd831

SHA256
e32663aa8b60a9c638da4107a901dda9ef0c2e3be76497f5702348fe044af028

SHA512
27b42351a897f22e51a36624f5905e726f8f099784fd963b94cdb048f5266669e94693b1e82f1da10d54ec8403282d8db6503b5e16a8e8eef1c82e88f3c627e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
cf14f4f723f3dd1f5795b358d58aadce

SHA1
8ecf6d0fb52a1ab7a37ced09bee603e4887d7777

SHA256
edf518779ec5127ecc4b895b99155868c8ef5019ac39e686dc207d4e33788e21

SHA512
5ff8f815db9111a284fa9929c19104553945955f32b39200984f4a04b51dbfda24bebb519adca85741b02a6415a58cc5b42a56c50509533cb3e3cb560bb2cd07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
101KB

MD5
1afe4535563c3f4683d35352446afbb3

SHA1
4211634157a66a027e0dce71e49de806dabd6d00

SHA256
0e656260bf63980f57f476d8f50ac035a12dbd95d12fb5e117ec654a8dd0a6ce

SHA512
2558813dd5924e17303e99498fbcdb58a2a61681aab5bd13116a994addbe69bec2fe971958f203cb0938c204c229761f6f565e3c99a33f084731e60fd0950cb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58f141.TMP

Filesize
89KB

MD5
bd5c86a2460a86b4060749945d34598c

SHA1
def26431a1c94161abe231d191563b1635dd5b43

SHA256
be84928f6b93def2ab6bc1622d90822a3c664f4b07d2b90f39be91fa86eec101

SHA512
d51e1f82c7b355354fc595bedefd154134e2ce97a721474323a0886aaee798b0415440e83758e21a047dd3c885ccb1f8e81542d9a09acefa4df78fce518922d7

Download Submit
C:\Users\Admin\Downloads\winrar-x64-700.exe

Filesize
3.8MB

MD5
48deabfacb5c8e88b81c7165ed4e3b0b

SHA1
de3dab0e9258f9ff3c93ab6738818c6ec399e6a4

SHA256
ff309d1430fc97fccaa9cb82ddf3d23ce9afdf62dcf8c69512de40820df15e24

SHA512
d1d30f6267349bb23334f72376fe3384ac14d202bc8e12c16773231f5f4a3f02b76563f05b11d89d5ef6c05d4acaacc79f72f1d617ee6d1b6eddab2b866426af

Download Submit