9e0b03707ea1bc578999cd8328f801c2bc682b3ae8ffaaf2d9feb446a7a4a342

Analysis

max time kernel
299s
max time network
218s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25/05/2024, 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EMERGENCY.url
Size

222B
MD5

3f65bdd0ebd345e5d86d26e34600ffde
SHA1

59e06109eb344c379be7047b2117d8baad7af4dc
SHA256

9e0b03707ea1bc578999cd8328f801c2bc682b3ae8ffaaf2d9feb446a7a4a342
SHA512

99ac3bd04c7046301523e143f4d3da9db970880e6863f2538d35ecace4c4bf124d7fe16f82c437c7d740bc6af23a8fe6978701bafac51b25715e9cc36f4291be

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
2252	winrar-x64-701.exe
2752	uninstall.exe
1460	WinRAR.exe

Loads dropped DLL 48 IoCs

pid	Process
2676	chrome.exe
2368	chrome.exe
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
2252	winrar-x64-701.exe
1148	Process not Found
1148	Process not Found
2752	uninstall.exe
2752	uninstall.exe
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
2080	chrome.exe
2080	chrome.exe
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
2080	chrome.exe
2080	chrome.exe
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Rar.txt	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Resources.pri	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\License.txt	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Default.SFX	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\RarExtInstaller.exe	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Zip32.SFX	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Rar.txt	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Order.htm	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Order.htm	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\WinCon32.SFX	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\WinCon32.SFX	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_259417229	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Descript.ion	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\zipnew.dat	uninstall.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Default32.SFX	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\License.txt	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\RarExtInstaller.exe	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Default.SFX	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Zip32.SFX	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Default32.SFX	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Descript.ion	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Rar.exe	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\RarExtPackage.msix	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\rarnew.dat	uninstall.exe
File created	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\RarExtPackage.msix	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Rar.exe	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Resources.pri	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-701.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	winrar-x64-701.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	WinRAR.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	WinRAR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	WinRAR.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tgz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\""	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\ = "WinRAR ZIP archive"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tlz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tzst	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.001	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext32.dll"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.z	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rev	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ShellNew\FileName = "C:\\Program Files\\WinRAR\\rarnew.dat"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.txz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cab	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.arj	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lha\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz2	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zst\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,1"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uue\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.z\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.arj\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uue	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.txz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\""	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell	uninstall.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2080	chrome.exe
2080	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1460	WinRAR.exe
1916	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe

Suspicious use of FindShellTrayWindow 60 IoCs

pid	Process
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
1460	WinRAR.exe
2080	chrome.exe
1460	WinRAR.exe
1460	WinRAR.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2252	winrar-x64-701.exe
2252	winrar-x64-701.exe
1460	WinRAR.exe
1460	WinRAR.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 1780	2080	chrome.exe	29
PID 2080 wrote to memory of 1780	2080	chrome.exe	29
PID 2080 wrote to memory of 1780	2080	chrome.exe	29
PID 2080 wrote to memory of 2496	2080	chrome.exe	31
PID 2080 wrote to memory of 2496	2080	chrome.exe	31
PID 2080 wrote to memory of 2496	2080	chrome.exe	31
PID 2080 wrote to memory of 2496	2080	chrome.exe	31
PID 2080 wrote to memory of 2496	2080	chrome.exe	31
PID 2080 wrote to memory of 2496	2080	chrome.exe	31
PID 2080 wrote to memory of 2496	2080	chrome.exe	31
PID 2080 wrote to memory of 2496	2080	chrome.exe	31
PID 2080 wrote to memory of 2496	2080	chrome.exe	31
PID 2080 wrote to memory of 2496	2080	chrome.exe	31
PID 2080 wrote to memory of 2496	2080	chrome.exe	31
PID 2080 wrote to memory of 2496	2080	chrome.exe	31
PID 2080 wrote to memory of 2496	2080	chrome.exe	31
PID 2080 wrote to memory of 2496	2080	chrome.exe	31
PID 2080 wrote to memory of 2496	2080	chrome.exe	31
PID 2080 wrote to memory of 2496	2080	chrome.exe	31
PID 2080 wrote to memory of 2496	2080	chrome.exe	31
PID 2080 wrote to memory of 2496	2080	chrome.exe	31
PID 2080 wrote to memory of 2496	2080	chrome.exe	31
PID 2080 wrote to memory of 2496	2080	chrome.exe	31
PID 2080 wrote to memory of 2496	2080	chrome.exe	31
PID 2080 wrote to memory of 2496	2080	chrome.exe	31
PID 2080 wrote to memory of 2496	2080	chrome.exe	31
PID 2080 wrote to memory of 2496	2080	chrome.exe	31
PID 2080 wrote to memory of 2496	2080	chrome.exe	31
PID 2080 wrote to memory of 2496	2080	chrome.exe	31
PID 2080 wrote to memory of 2496	2080	chrome.exe	31
PID 2080 wrote to memory of 2496	2080	chrome.exe	31
PID 2080 wrote to memory of 2496	2080	chrome.exe	31
PID 2080 wrote to memory of 2496	2080	chrome.exe	31
PID 2080 wrote to memory of 2496	2080	chrome.exe	31
PID 2080 wrote to memory of 2496	2080	chrome.exe	31
PID 2080 wrote to memory of 2496	2080	chrome.exe	31
PID 2080 wrote to memory of 2496	2080	chrome.exe	31
PID 2080 wrote to memory of 2496	2080	chrome.exe	31
PID 2080 wrote to memory of 2496	2080	chrome.exe	31
PID 2080 wrote to memory of 2496	2080	chrome.exe	31
PID 2080 wrote to memory of 2496	2080	chrome.exe	31
PID 2080 wrote to memory of 2496	2080	chrome.exe	31
PID 2080 wrote to memory of 2736	2080	chrome.exe	32
PID 2080 wrote to memory of 2736	2080	chrome.exe	32
PID 2080 wrote to memory of 2736	2080	chrome.exe	32
PID 2080 wrote to memory of 2768	2080	chrome.exe	33
PID 2080 wrote to memory of 2768	2080	chrome.exe	33
PID 2080 wrote to memory of 2768	2080	chrome.exe	33
PID 2080 wrote to memory of 2768	2080	chrome.exe	33
PID 2080 wrote to memory of 2768	2080	chrome.exe	33
PID 2080 wrote to memory of 2768	2080	chrome.exe	33
PID 2080 wrote to memory of 2768	2080	chrome.exe	33
PID 2080 wrote to memory of 2768	2080	chrome.exe	33
PID 2080 wrote to memory of 2768	2080	chrome.exe	33
PID 2080 wrote to memory of 2768	2080	chrome.exe	33
PID 2080 wrote to memory of 2768	2080	chrome.exe	33
PID 2080 wrote to memory of 2768	2080	chrome.exe	33
PID 2080 wrote to memory of 2768	2080	chrome.exe	33
PID 2080 wrote to memory of 2768	2080	chrome.exe	33
PID 2080 wrote to memory of 2768	2080	chrome.exe	33
PID 2080 wrote to memory of 2768	2080	chrome.exe	33
PID 2080 wrote to memory of 2768	2080	chrome.exe	33
PID 2080 wrote to memory of 2768	2080	chrome.exe	33
PID 2080 wrote to memory of 2768	2080	chrome.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\EMERGENCY.url
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6c79758,0x7fef6c79768,0x7fef6c79778
  2⤵
  PID:1780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1284,i,8080402193339863739,2016935138755825606,131072 /prefetch:2
  2⤵
  PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1284,i,8080402193339863739,2016935138755825606,131072 /prefetch:8
  2⤵
  PID:2736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1612 --field-trial-handle=1284,i,8080402193339863739,2016935138755825606,131072 /prefetch:8
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2280 --field-trial-handle=1284,i,8080402193339863739,2016935138755825606,131072 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2300 --field-trial-handle=1284,i,8080402193339863739,2016935138755825606,131072 /prefetch:1
  2⤵
  PID:1980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1460 --field-trial-handle=1284,i,8080402193339863739,2016935138755825606,131072 /prefetch:2
  2⤵
  PID:1196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1204 --field-trial-handle=1284,i,8080402193339863739,2016935138755825606,131072 /prefetch:1
  2⤵
  PID:2888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3268 --field-trial-handle=1284,i,8080402193339863739,2016935138755825606,131072 /prefetch:8
  2⤵
  PID:664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3552 --field-trial-handle=1284,i,8080402193339863739,2016935138755825606,131072 /prefetch:8
  2⤵
  PID:484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3500 --field-trial-handle=1284,i,8080402193339863739,2016935138755825606,131072 /prefetch:1
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2492 --field-trial-handle=1284,i,8080402193339863739,2016935138755825606,131072 /prefetch:1
  2⤵
  PID:1216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3688 --field-trial-handle=1284,i,8080402193339863739,2016935138755825606,131072 /prefetch:8
  2⤵
  PID:1704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4040 --field-trial-handle=1284,i,8080402193339863739,2016935138755825606,131072 /prefetch:8
  2⤵
  PID:2480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4044 --field-trial-handle=1284,i,8080402193339863739,2016935138755825606,131072 /prefetch:8
  2⤵
  PID:2108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4128 --field-trial-handle=1284,i,8080402193339863739,2016935138755825606,131072 /prefetch:8
  2⤵
  PID:1792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4100 --field-trial-handle=1284,i,8080402193339863739,2016935138755825606,131072 /prefetch:8
  2⤵
  - Loads dropped DLL
  PID:2676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4140 --field-trial-handle=1284,i,8080402193339863739,2016935138755825606,131072 /prefetch:8
  2⤵
  - Loads dropped DLL
  PID:2368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=696 --field-trial-handle=1284,i,8080402193339863739,2016935138755825606,131072 /prefetch:1
  2⤵
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=3348 --field-trial-handle=1284,i,8080402193339863739,2016935138755825606,131072 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=3584 --field-trial-handle=1284,i,8080402193339863739,2016935138755825606,131072 /prefetch:1
  2⤵
  PID:1704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=3708 --field-trial-handle=1284,i,8080402193339863739,2016935138755825606,131072 /prefetch:1
  2⤵
  PID:1988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=4288 --field-trial-handle=1284,i,8080402193339863739,2016935138755825606,131072 /prefetch:1
  2⤵
  PID:1828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=3444 --field-trial-handle=1284,i,8080402193339863739,2016935138755825606,131072 /prefetch:1
  2⤵
  PID:444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4128 --field-trial-handle=1284,i,8080402193339863739,2016935138755825606,131072 /prefetch:8
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=4076 --field-trial-handle=1284,i,8080402193339863739,2016935138755825606,131072 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=3408 --field-trial-handle=1284,i,8080402193339863739,2016935138755825606,131072 /prefetch:1
  2⤵
  PID:552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4080 --field-trial-handle=1284,i,8080402193339863739,2016935138755825606,131072 /prefetch:8
  2⤵
  PID:2900
- C:\Program Files\WinRAR\WinRAR.exe
  "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\FREE.rar"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3364 --field-trial-handle=1284,i,8080402193339863739,2016935138755825606,131072 /prefetch:8
  2⤵
  PID:2176

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:748

C:\Users\Admin\Downloads\winrar-x64-701.exe
"C:\Users\Admin\Downloads\winrar-x64-701.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2252
- C:\Program Files\WinRAR\uninstall.exe
  "C:\Program Files\WinRAR\uninstall.exe" /setup
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Registers COM server for autorun
  - Drops file in Program Files directory
  - Modifies registry class
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinRAR\Rar.txt

Filesize
105KB

MD5
b954981a253f5e1ee25585037a0c5fee

SHA1
96566e5c591df1c740519371ee6953ac1dc6a13f

SHA256
59e40b34b09be2654b793576035639c459ad6e962f9f9cd000d556fa21b1c7cd

SHA512
6a7772c6b404cd7fee50110b894ff0c470e5813264e605852b8dcc06bfaeb62b8cc79adcb695b3da149e42d5372a0d730cc7e8ed893c0bd0edb015fc088b7531

Download Submit
C:\Program Files\WinRAR\WhatsNew.txt

Filesize
45KB

MD5
1c44c85fdab8e9c663405cd8e4c3dbbd

SHA1
74d44e9cb2bf6f4c152aadb61b2ffc6b6ccd1c88

SHA256
33108dd40b4e07d60e96e1bcfa4ad877eb4906de2cc55844e40360e5d4dafb5d

SHA512
46d3fb4f2d084d51b6fd01845823100abc81913ebd1b0bcfeb52ef18e8222199d282aa45cae452f0716e0e2bf5520f7a6a254363d22b65f7ab6c10f11292ee2d

Download Submit
C:\Program Files\WinRAR\WinRAR.chm

Filesize
316KB

MD5
6ca1bc8bfe8b929f448e1742dacb8e7f

SHA1
eca3e637db230fa179dcd6c6499bd7d616f211e8

SHA256
997184b6f08d36dedc2cd12ee8dc5afb5e6e4bf77f7ab10f7ade9eefdb163344

SHA512
d823f2c960a4d92129b9bda0f4f9195d32e64b929082b5efb9149546b5053021255d1dd03cb443f0a03106314554f76b94173e280a553a81e4ac2ac282877973

Download Submit
C:\Program Files\WinRAR\WinRAR.exe

Filesize
3.1MB

MD5
53cf9bacc49c034e9e947d75ffab9224

SHA1
7db940c68d5d351e4948f26425cd9aee09b49b3f

SHA256
3b214fd9774c6d96332e50a501c5e467671b8b504070bbb17e497083b7e282c3

SHA512
44c9154b1fdbcf27ab7faee6be5b563a18b2baead3e68b3ea788c6c76cf582f52f3f87bd447a4f6e25ec7d4690761332211659d754fb4e0630c22a372e470bda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\9db8dc98-0d80-4170-9e9d-498d7b9605ab.tmp

Filesize
282KB

MD5
f7db645bdb961afdbb61332d79111c8e

SHA1
51a27f2dbb9a5ab4a6898e11daf9e16309437aa2

SHA256
82dc4d028d3bbd6b6fc65643c83d3bc211ac4f12b731651fcbccb67c0393b206

SHA512
d7f9bcb3ebfadb64609f7724d597dc3e321b2d1a65f8afe2d358929b7293232f7165d9d4bd1524902f81cfdabb2715add274b380cc33981a6234beaaa4b9be62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000019

Filesize
19KB

MD5
8aa68b8dd90b7b474d9d743ae9585513

SHA1
27d41f0c4cc7783d7113d73ffa816c442b998a7c

SHA256
edacc6bf1bcb20f5533d8aa59b9d478795bdf3016931ac63e4396012ae0954a8

SHA512
2956ba7edfa41ceb108f1e43754624d9d7cc6cf2fb161a3ab4bc00fa143695b290a29fcb05d8bf0d8eb9860dc2b4ceac2fd0096873db357bf69c56d7462ca4fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001a

Filesize
35KB

MD5
3f0a3329015911236cf93c2b20ceb263

SHA1
75d560d378e180108d86409b1bf8ecf63da04b90

SHA256
c097c93282fc1f37a00b96a9fd68a3e6a3d76177747a1bbbcd32495cc5f20e04

SHA512
d2849e06aeba4c125b1be57b0a688e00c326f651750c77dc2bf9967e944d0b7f550309498d4cd95819484a5c3b6d2352d5786f1595e040f6b0b058b5d94748f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001c

Filesize
29KB

MD5
5db139256bbb2b2b76fa8bea3342cc70

SHA1
516d1f3ad651614cb26f0c20a5139dee15de28f1

SHA256
fd0970a834fa7345db0a0721473f8a8ba11e174aa004d6a4dd410003d3f3d1c8

SHA512
b7f9cfba1abcb9781240c3b8aec3097b6818a27f3d3a6e3ee7c5a584eca1be16aae17ce6bef108c20d36f701842b9d7f2ecabaa01bd6f9a9eceb32315b37e170

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000020

Filesize
141KB

MD5
6e64a529396354c4c7315eaf773f3ee7

SHA1
4a6f76f684428b2c65a170518607b46dd479d148

SHA256
d681d16e0e71325ddfd93ad12025b3ea4d5d2a5e7b8c4bc0ba8dae7b95aca6b3

SHA512
4b1abc4bcfdafc70541e2fea60df08b13045a6270f4440979b3bee3706638a93829e49c3d5e7eb098429a0f7af6c31ca3890a71d776674a18fb4d7ada94a854e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000023

Filesize
21KB

MD5
6facc79f6cd8bf7faabef4e10c0378e3

SHA1
d6f21d215eb457509b8dee6c13b1ec4e25fd3b6c

SHA256
94519548151f8ef04815e1f02bb807f9430b31a2259ac1a6f8e27f05c13ac0ed

SHA512
79ab3c5e93f14bc6c16a6140f43f45c5daefa1047531bef1ebe4be2d385f098ee4a711f9a7c7e6077c05be4e760157c10feaa34bf8cf06c263b2435b5f2da37c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000028

Filesize
54KB

MD5
806d1273f2a7702b8be593e82a71ee39

SHA1
189c8aac0f5c610949d81cc1f6e9ab72d47d36f4

SHA256
9e064a173bbfa4092fea520c8f39cba4767336400388792d52ea2d2084020b39

SHA512
14605c165d26e1a58dfb23aa1c59455e235d0d59b0cd3b8be2157962e364c4211e296c203ba19ac520df62b86f3a6c2822d828bf9dde090b8888dd43aa74a548

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000029

Filesize
28KB

MD5
2e023a843ea2f5b2040177e389a852f9

SHA1
71d94ce3f9164ceab5bf7236ef71d527ddcee100

SHA256
63cde3a79566b37a672fde354b720d899536ab8269d7afb2ae2fe60179509e0b

SHA512
e7667a4d46a41332aba1ea4d5867143ac6d43be54532ff009a8a7d8bdc8e284488657619fed6db9f9c03b15e955eab53066350114f1db0b34be830d3fd4e3786

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002e

Filesize
19KB

MD5
d41d72406bf403e2a2d1ec60ef889531

SHA1
3af9e732d1366595da6737bd0f943df4704ac4ac

SHA256
913bf99a86dde22866e137811794ce0a5737a1741583c2e06483c31a6b43629c

SHA512
e1268f335a51062f1d59dd392e13730045cf0b4eac1eef48659f280330a0c280aa3d28064a94918acb3b1c6f6d53ee674f9ecb51eb0e78729672205c25f490ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
78e39ad6a8ad6e79f63d4d93eaba76d0

SHA1
ef581f90ab594ecec46d4a369e71ebe85c387fd2

SHA256
6687cf5c38ff7153606d70bace1cf6c2d9227d7d39782cea0b6ff097ef5e4e8a

SHA512
8731e43f51a971f834e4a364642acf8b34ce50fa6d171a490180f7f4ff99d4a248754095110d2281aa00be21f17dba72a6f452b3309677f14641d6d6d54f57b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
42fc6c9fb69d2c8dbb702c63ad718974

SHA1
92b780c82e6578d16dc527187b402ef11c69ed29

SHA256
91a1e4719c22872c9edbdbecc3081ec976b57e60124bacbbc4afa79a30485d52

SHA512
2945e0c9db282f88193a66a01045b38959c15db4da69a3ae52e3f4327d8cf7ff70d2daa8bfda6d20d89d99ac6befc6dcdb1e1f1881b8735633d16f2367e6c234

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
526B

MD5
82157987228121220a6bc70ee2f36139

SHA1
3fc54551fa739a1b277a59481934e6db3f369224

SHA256
4fdeb4286aec2344d0403a5499eb9916f7d20a65ed998d08dcc8992b4a51da8b

SHA512
143593e72836f01c295cb077901141bd0b0ae8afdda3a5d321e40ad7698daed30676ffd84e7b65b41f7aaa33817bf0876db69d20a9920215427d874875f904a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
526B

MD5
f04154000624109d56aea7998c7769d8

SHA1
7d3881c51c6443d100024210d49a0834cd323a18

SHA256
617e52b021edf62bc1e8834510589cfa662eac3752b44fb2ca299e578de21bb2

SHA512
046170df4dfab36aa9394d58799c5e6b0c27035f3f7462bc9b0e9dcbc06cc0336b473f8008ee6ec31949b1d6469df9927e2ad6b98c867969a2992f036900895f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
526B

MD5
4fcea341619479706a937cc2ceb36e8d

SHA1
9ec8d330d81766e2819d9d3bad2ec27bb32da6ca

SHA256
bef8866df691e2403dea08794ee73d566643662fe717d59f0662f117495592fd

SHA512
6a1cde77da81fa7bdae7865f53e88e8cf0520e002ead7880b89766cda7b84aa5d4993424279d4628a4e87edd2948da55fb93db893a09b1be0b9e409f2ba238f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5de465a3e6e364ba90de3ad97bf68efa

SHA1
e2d0976553d51359a3d0a620e9a579f22506425f

SHA256
06c18515d87ed858c866bcd0feafb5730c2ca13388f94493acd846ec0c8fb094

SHA512
f5cc217ac713c06e26b2c0598bf56c053d1e6a92d0222b71fe1750518427677a8c807c7c800a7279721540d0de4f8e181943d35b49940c776df7d36dbadf484a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f20fdd5e20114995762133e6fd5e3562

SHA1
346d4720adf3c4d57dd219eeb48f9949d2552590

SHA256
85a977d6bbf41b5e145f59ee634f4b92f006aac7936196b3fadddacd27225210

SHA512
6b2c1aa8b53268a177dae2271510b22e3466b7572a3a9a39f24c331c8e71ba2e4eb6c1d623d2072247f9887bab48ca373857e19f7073c4ce124d4b26e82c090d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1d82cf707f7cfc4d620230a7a42c71a2

SHA1
42f4a3c30846f35b35e7d0c52c67697efee65ad8

SHA256
970cbefab8ebf54d81c4baf76e37ae2f6f4a328655f69f3b7f05592abcfdb75f

SHA512
3b1898e9aca014d9260815afeeb73c14cc1528373895a3b2b242c23f7064c1c615da5403e0a762765f31614cea59ee87f01ce032119916891771f6fbe19270ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d05b288c7799cff675ce900552295573

SHA1
11e805ef35f64b44de5b0c877092cfb1c045c20d

SHA256
8fcf2c1f527d7f4fcb4f275429260377a8e281ef886cd70d912ec3b77a03426a

SHA512
5df7ea484ac10f1f700cbd669d73e79b0adec3b35657dcbdfc1ac646fc53a34981fa9cf96dc2d7db04b3bb03644c3c2955350eff66240bae9a86119cb8daeb36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
887ba3cbcf301e22b65c6a61546bcb03

SHA1
5eb5a9ddd614c3848e86d1d454239922af00a992

SHA256
78ee88bf715f6306b52adca1a3f23da6aaf5a500c63d766462159d50f599b31c

SHA512
b14d12ed4239f4ce987a17bb95a2bf3bf57d8d9cfce0a5fbf7dcaaf4eba7154f154bc98ba9e6ec63bb5674e708499fc7532e9ffd907096a1e5e2eebe5404cb20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
282KB

MD5
a403396288adeea3b612e286058324ba

SHA1
19315744a06e29982182464060d51717fa19139d

SHA256
20de4ae6eadd5bc05cbc1d8693e05d77d76bb93a5bfee8c2a1afc0c7527587a8

SHA512
be83b7291d86e972dc17e8a0c16ccc6e6b45997ecdf5a5984bbc0664efaac26c878c3219d2f22505b663a1eeea2fe8183e14453d084ba5a5dcc9cfe135b3edfe

Download Submit
C:\Users\Admin\Downloads\FREE.rar

Filesize
106KB

MD5
0401d8cf4aca20ee770094bd6466dbba

SHA1
312cfede06b5eade485c6a085b301ce65ec723d4

SHA256
9c9f768fe0fa3b7463b84de183265a7d033257eafa4de2d1d75952ea2b135a29

SHA512
ff439e8a13d7962b64f09112abc08b4262d551e28ccb11e2d667aa9e921c4ae1a2effb2736d5826b7659bfdb8bdcc65988a67f1347a311cb4700604f462f2b1d

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701.exe

Filesize
3.8MB

MD5
46c17c999744470b689331f41eab7df1

SHA1
b8a63127df6a87d333061c622220d6d70ed80f7c

SHA256
c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

SHA512
4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6

Download Submit
\Program Files\WinRAR\Uninstall.exe

Filesize
477KB

MD5
4783f1a5f0bba7a6a40cb74bc8c41217

SHA1
a22b9dc8074296841a5a78ea41f0e2270f7b7ad7

SHA256
f376aaa0d4444d0727db5598e8377f9f1606400adbbb4772d39d1e4937d5f28c

SHA512
463dff17f06eca41ae76e3c0b2efc4ef36529aa2eaed5163eec0a912fe7802c9fb38c37acfe94b82972861aaf1acf02823a5948fbb3292bb4743641acb99841e

Download Submit
memory/1916-0-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1916-118-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download