c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

Analysis

max time kernel
72s
max time network
136s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22/05/2024, 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

winrar-x64-701.exe
Size

3.8MB
MD5

46c17c999744470b689331f41eab7df1
SHA1

b8a63127df6a87d333061c622220d6d70ed80f7c
SHA256

c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a
SHA512

4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6
SSDEEP

98304:6NRBOBfKgQIm9EOTqw8vjh9Ac9nUNupK4hVvcF+yHrAr:sR/gmeOqv7Ac9F0kB

Score

4^/10

discovery persistence

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 60 IoCs

description	ioc	Process
File created	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\RarExtPackage.msix	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\RarExtPackage.msix	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\zipnew.dat	uninstall.exe
File created	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\WinCon32.SFX	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Rar.txt	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Resources.pri	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Descript.ion	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Default.SFX	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Default.SFX	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\RarExtInstaller.exe	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\rarnew.dat	uninstall.exe
File created	C:\Program Files\WinRAR\Order.htm	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Default32.SFX	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Zip32.SFX	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Rar.exe	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Zip32.SFX	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Order.htm	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Resources.pri	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\License.txt	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\RarExtInstaller.exe	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Default32.SFX	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\WinCon32.SFX	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Rar.txt	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Rar.exe	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_259434670	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Descript.ion	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\License.txt	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	winrar-x64-701.exe

Executes dropped EXE 1 IoCs

pid	Process
1396	uninstall.exe

Loads dropped DLL 8 IoCs

pid	Process
2716	winrar-x64-701.exe
1188	Process not Found
1396	uninstall.exe
1396	uninstall.exe
1188	Process not Found
1188	Process not Found
2776	chrome.exe
2776	chrome.exe

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	winrar-x64-701.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tlz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tzst	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zst\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lzh\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uue	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uu\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zst	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lzh	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uue\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.taz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\ = "WinRAR ZIP archive"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ShellNew\FileName = "C:\\Program Files\\WinRAR\\rarnew.dat"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.txz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ShellNew	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.7z	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tar	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xxe\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz2\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew\FileName = "C:\\Program Files\\WinRAR\\zipnew.dat"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tzst\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ = "WinRAR.ZIP"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tgz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0"	uninstall.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1476	chrome.exe
1476	chrome.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe
Token: SeShutdownPrivilege	1476	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe
1476	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2716	winrar-x64-701.exe
2716	winrar-x64-701.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 1396	2716	winrar-x64-701.exe	28
PID 2716 wrote to memory of 1396	2716	winrar-x64-701.exe	28
PID 2716 wrote to memory of 1396	2716	winrar-x64-701.exe	28
PID 1476 wrote to memory of 1500	1476	chrome.exe	31
PID 1476 wrote to memory of 1500	1476	chrome.exe	31
PID 1476 wrote to memory of 1500	1476	chrome.exe	31
PID 1476 wrote to memory of 2156	1476	chrome.exe	33
PID 1476 wrote to memory of 2156	1476	chrome.exe	33
PID 1476 wrote to memory of 2156	1476	chrome.exe	33
PID 1476 wrote to memory of 2156	1476	chrome.exe	33
PID 1476 wrote to memory of 2156	1476	chrome.exe	33
PID 1476 wrote to memory of 2156	1476	chrome.exe	33
PID 1476 wrote to memory of 2156	1476	chrome.exe	33
PID 1476 wrote to memory of 2156	1476	chrome.exe	33
PID 1476 wrote to memory of 2156	1476	chrome.exe	33
PID 1476 wrote to memory of 2156	1476	chrome.exe	33
PID 1476 wrote to memory of 2156	1476	chrome.exe	33
PID 1476 wrote to memory of 2156	1476	chrome.exe	33
PID 1476 wrote to memory of 2156	1476	chrome.exe	33
PID 1476 wrote to memory of 2156	1476	chrome.exe	33
PID 1476 wrote to memory of 2156	1476	chrome.exe	33
PID 1476 wrote to memory of 2156	1476	chrome.exe	33
PID 1476 wrote to memory of 2156	1476	chrome.exe	33
PID 1476 wrote to memory of 2156	1476	chrome.exe	33
PID 1476 wrote to memory of 2156	1476	chrome.exe	33
PID 1476 wrote to memory of 2156	1476	chrome.exe	33
PID 1476 wrote to memory of 2156	1476	chrome.exe	33
PID 1476 wrote to memory of 2156	1476	chrome.exe	33
PID 1476 wrote to memory of 2156	1476	chrome.exe	33
PID 1476 wrote to memory of 2156	1476	chrome.exe	33
PID 1476 wrote to memory of 2156	1476	chrome.exe	33
PID 1476 wrote to memory of 2156	1476	chrome.exe	33
PID 1476 wrote to memory of 2156	1476	chrome.exe	33
PID 1476 wrote to memory of 2156	1476	chrome.exe	33
PID 1476 wrote to memory of 2156	1476	chrome.exe	33
PID 1476 wrote to memory of 2156	1476	chrome.exe	33
PID 1476 wrote to memory of 2156	1476	chrome.exe	33
PID 1476 wrote to memory of 2156	1476	chrome.exe	33
PID 1476 wrote to memory of 2156	1476	chrome.exe	33
PID 1476 wrote to memory of 2156	1476	chrome.exe	33
PID 1476 wrote to memory of 2156	1476	chrome.exe	33
PID 1476 wrote to memory of 2156	1476	chrome.exe	33
PID 1476 wrote to memory of 2156	1476	chrome.exe	33
PID 1476 wrote to memory of 2156	1476	chrome.exe	33
PID 1476 wrote to memory of 2156	1476	chrome.exe	33
PID 1476 wrote to memory of 2876	1476	chrome.exe	34
PID 1476 wrote to memory of 2876	1476	chrome.exe	34
PID 1476 wrote to memory of 2876	1476	chrome.exe	34
PID 1476 wrote to memory of 2068	1476	chrome.exe	35
PID 1476 wrote to memory of 2068	1476	chrome.exe	35
PID 1476 wrote to memory of 2068	1476	chrome.exe	35
PID 1476 wrote to memory of 2068	1476	chrome.exe	35
PID 1476 wrote to memory of 2068	1476	chrome.exe	35
PID 1476 wrote to memory of 2068	1476	chrome.exe	35
PID 1476 wrote to memory of 2068	1476	chrome.exe	35
PID 1476 wrote to memory of 2068	1476	chrome.exe	35
PID 1476 wrote to memory of 2068	1476	chrome.exe	35
PID 1476 wrote to memory of 2068	1476	chrome.exe	35
PID 1476 wrote to memory of 2068	1476	chrome.exe	35
PID 1476 wrote to memory of 2068	1476	chrome.exe	35
PID 1476 wrote to memory of 2068	1476	chrome.exe	35
PID 1476 wrote to memory of 2068	1476	chrome.exe	35
PID 1476 wrote to memory of 2068	1476	chrome.exe	35
PID 1476 wrote to memory of 2068	1476	chrome.exe	35

C:\Users\Admin\AppData\Local\Temp\winrar-x64-701.exe
"C:\Users\Admin\AppData\Local\Temp\winrar-x64-701.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Program Files\WinRAR\uninstall.exe
  "C:\Program Files\WinRAR\uninstall.exe" /setup
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Registers COM server for autorun
  - Modifies registry class
  PID:1396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5c39758,0x7fef5c39768,0x7fef5c39778
  2⤵
  PID:1500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1152 --field-trial-handle=1376,i,17404554537797215907,12839276716247698960,131072 /prefetch:2
  2⤵
  PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1376,i,17404554537797215907,12839276716247698960,131072 /prefetch:8
  2⤵
  PID:2876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1376,i,17404554537797215907,12839276716247698960,131072 /prefetch:8
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2204 --field-trial-handle=1376,i,17404554537797215907,12839276716247698960,131072 /prefetch:1
  2⤵
  PID:1816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2212 --field-trial-handle=1376,i,17404554537797215907,12839276716247698960,131072 /prefetch:1
  2⤵
  PID:2872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3228 --field-trial-handle=1376,i,17404554537797215907,12839276716247698960,131072 /prefetch:2
  2⤵
  PID:860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1412 --field-trial-handle=1376,i,17404554537797215907,12839276716247698960,131072 /prefetch:1
  2⤵
  PID:2968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3460 --field-trial-handle=1376,i,17404554537797215907,12839276716247698960,131072 /prefetch:8
  2⤵
  PID:2668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3576 --field-trial-handle=1376,i,17404554537797215907,12839276716247698960,131072 /prefetch:8
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3560 --field-trial-handle=1376,i,17404554537797215907,12839276716247698960,131072 /prefetch:8
  2⤵
  - Loads dropped DLL
  PID:2776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2248 --field-trial-handle=1376,i,17404554537797215907,12839276716247698960,131072 /prefetch:1
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2652 --field-trial-handle=1376,i,17404554537797215907,12839276716247698960,131072 /prefetch:1
  2⤵
  PID:608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3720 --field-trial-handle=1376,i,17404554537797215907,12839276716247698960,131072 /prefetch:8
  2⤵
  PID:2300

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinRAR\Rar.txt

Filesize
105KB

MD5
b954981a253f5e1ee25585037a0c5fee

SHA1
96566e5c591df1c740519371ee6953ac1dc6a13f

SHA256
59e40b34b09be2654b793576035639c459ad6e962f9f9cd000d556fa21b1c7cd

SHA512
6a7772c6b404cd7fee50110b894ff0c470e5813264e605852b8dcc06bfaeb62b8cc79adcb695b3da149e42d5372a0d730cc7e8ed893c0bd0edb015fc088b7531

Download Submit
C:\Program Files\WinRAR\WhatsNew.txt

Filesize
45KB

MD5
1c44c85fdab8e9c663405cd8e4c3dbbd

SHA1
74d44e9cb2bf6f4c152aadb61b2ffc6b6ccd1c88

SHA256
33108dd40b4e07d60e96e1bcfa4ad877eb4906de2cc55844e40360e5d4dafb5d

SHA512
46d3fb4f2d084d51b6fd01845823100abc81913ebd1b0bcfeb52ef18e8222199d282aa45cae452f0716e0e2bf5520f7a6a254363d22b65f7ab6c10f11292ee2d

Download Submit
C:\Program Files\WinRAR\WinRAR.chm

Filesize
316KB

MD5
6ca1bc8bfe8b929f448e1742dacb8e7f

SHA1
eca3e637db230fa179dcd6c6499bd7d616f211e8

SHA256
997184b6f08d36dedc2cd12ee8dc5afb5e6e4bf77f7ab10f7ade9eefdb163344

SHA512
d823f2c960a4d92129b9bda0f4f9195d32e64b929082b5efb9149546b5053021255d1dd03cb443f0a03106314554f76b94173e280a553a81e4ac2ac282877973

Download Submit
C:\Program Files\WinRAR\WinRAR.exe

Filesize
3.1MB

MD5
53cf9bacc49c034e9e947d75ffab9224

SHA1
7db940c68d5d351e4948f26425cd9aee09b49b3f

SHA256
3b214fd9774c6d96332e50a501c5e467671b8b504070bbb17e497083b7e282c3

SHA512
44c9154b1fdbcf27ab7faee6be5b563a18b2baead3e68b3ea788c6c76cf582f52f3f87bd447a4f6e25ec7d4690761332211659d754fb4e0630c22a372e470bda

Download Submit
C:\Program Files\WinRAR\rarext.dll

Filesize
636KB

MD5
1e86c3bfcc0688bdbe629ed007b184b0

SHA1
793fada637d0d462e3511af3ffaec26c33248fac

SHA256
7b08daee81a32f72dbc10c5163b4d10eb48da8bb7920e9253be296774029f4ef

SHA512
4f8ae58bbf55acb13600217ed0eef09fa5f124682cedd2bfc489d83d921f609b66b0294d8450acb1a85d838adb0e8394dadf5282817dba576571e730704f43ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
5d5c18c72c2b43993f1f31aa54ec943e

SHA1
1e7886cbddc4550879696b7e4c09ed8fddda6b4e

SHA256
67b436366a53a3b85a696d2c0780321a64e3876fc54692265d67b4f398af7f55

SHA512
12bb44eb36926c185a145877586e6a2bcabc0f1b3aec076eb51c5d4b771ce42e0b4706fafd2eff0b4201f6f28ac25c173c3fb882c89aeb12fc6c36aecb088e44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
82af5c13b50ee5ea8fcb4e6a4dc9098a

SHA1
3a01c9d095866ee176ffca2de69c6ae595b19fd2

SHA256
730fa2ce4df2cdd46157ba9ec64d7d9c72f1bfa599b3fd6a6dabcf0b388a049f

SHA512
3a6a1d8866361e1cdaf8f44331be7fdd6039933b30e959bd61b5778ac4b164f020f1bd64e83583499b55abbb69b04c8a024918447f14c3b9599ced91bc079fdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
32e8363cb0942dd8e057838970e80283

SHA1
21b88da14f536d8f0732c3c4f23cee0350ce4f52

SHA256
c4d6e98e322368ad080803c68feb0cf4e31a36b51559f0f76ae124399552bfc6

SHA512
fb99a33b79ede2769fe51480fe8d6f5de0085262b489cf72559bf08bc9599de359569d38da73dad403f5d7520e9ccdf8b39a2f88f81f149c9708b5d477b76375

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
92c232f07bc402a83f3ca82336a1018d

SHA1
2158b28e63063e0ebfcbaaf87d3cf5ca11235947

SHA256
093f8eb7c2a0e01432279be9b02b70c21a5f5704120e1b497594fba69696500f

SHA512
e1fe0c964641a7d64725237cdb6231994fc5826e595ef721abacdad7c9fce40b842308cb51928fbad6640b84c289cdd222e4776d4be3cd9d88e83fdbd5a8626d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT~RFf781297.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
\Program Files\WinRAR\Uninstall.exe

Filesize
477KB

MD5
4783f1a5f0bba7a6a40cb74bc8c41217

SHA1
a22b9dc8074296841a5a78ea41f0e2270f7b7ad7

SHA256
f376aaa0d4444d0727db5598e8377f9f1606400adbbb4772d39d1e4937d5f28c

SHA512
463dff17f06eca41ae76e3c0b2efc4ef36529aa2eaed5163eec0a912fe7802c9fb38c37acfe94b82972861aaf1acf02823a5948fbb3292bb4743641acb99841e

Download Submit