59c74f45889b604c8e02c25a4823d8e314b1b4046e90059e86cf37066dd812cd

Analysis

max time kernel
1799s
max time network
1804s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NanoCore 1.2.2.0.7z
Size

162KB
MD5

63ba13bf2ddd20be9a1415b93339cc39
SHA1

ad759db50ef788cb6d8ff9fa7bae45908f7e70c8
SHA256

59c74f45889b604c8e02c25a4823d8e314b1b4046e90059e86cf37066dd812cd
SHA512

8352b10f54698d9eec1d8ec04265c709a83f94411fb8fb5a5e9510b84113bc846b0922a55dac972a95020357c4bdd0b26ecb462a4a6c182b14b2e1beec13e408
SSDEEP

3072:e9LyHmlMyebiCHNg4l83alfPfkzw92NaxcB0R2+Zn3WTtY+zxjL9uC3qwZ0y92wH:Rjoq62n9ddKM2vkm0aWyRv3G9qvZJT3T

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

winrar-x64-701.exewinrar-x64-701.exe

pid process

1472 winrar-x64-701.exe
5696 winrar-x64-701.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

125 camo.githubusercontent.com
168 raw.githubusercontent.com
169 raw.githubusercontent.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1472	winrar-x64-701.exe
5696	winrar-x64-701.exe

flow	ioc
125	camo.githubusercontent.com
168	raw.githubusercontent.com
169	raw.githubusercontent.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133616282705888780"	chrome.exe

Modifies registry class 2 IoCs

Processes:

cmd.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

1644 chrome.exe
1644 chrome.exe
1716 chrome.exe
1716 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

chrome.exe

pid process

1644 chrome.exe
1644 chrome.exe
1644 chrome.exe
1644 chrome.exe
1644 chrome.exe
1644 chrome.exe
1644 chrome.exe
1644 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe

Suspicious use of FindShellTrayWindow 53 IoCs

Processes:

chrome.exe

pid	process
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

OpenWith.exewinrar-x64-701.exewinrar-x64-701.exe

pid process

3820 OpenWith.exe
1472 winrar-x64-701.exe
1472 winrar-x64-701.exe
5696 winrar-x64-701.exe
5696 winrar-x64-701.exe

pid	process
3820	OpenWith.exe
1472	winrar-x64-701.exe
1472	winrar-x64-701.exe
5696	winrar-x64-701.exe
5696	winrar-x64-701.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1644 wrote to memory of 3328	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 3328	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 3968	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 3968	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 3968	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 3968	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 3968	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 3968	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 3968	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 3968	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 3968	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 3968	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 3968	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 3968	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 3968	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 3968	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 3968	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 3968	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 3968	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 3968	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 3968	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 3968	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 3968	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 3968	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 3968	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 3968	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 3968	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 3968	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 3968	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 3968	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 3968	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 3968	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 3968	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 2552	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 2552	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 2196	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 2196	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 2196	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 2196	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 2196	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 2196	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 2196	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 2196	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 2196	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 2196	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 2196	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 2196	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 2196	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 2196	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 2196	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 2196	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 2196	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 2196	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 2196	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 2196	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 2196	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 2196	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 2196	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 2196	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 2196	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 2196	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 2196	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 2196	1644	chrome.exe	chrome.exe
PID 1644 wrote to memory of 2196	1644	chrome.exe	chrome.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0.7z"
1⤵
- Modifies registry class
PID:4180

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1036,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=3868 /prefetch:8
1⤵
PID:1624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa303cab58,0x7ffa303cab68,0x7ffa303cab78
2⤵
PID:3328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=2012,i,6492757238663202884,12032148082921753683,131072 /prefetch:2
2⤵
PID:3968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1932 --field-trial-handle=2012,i,6492757238663202884,12032148082921753683,131072 /prefetch:8
2⤵
PID:2552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2264 --field-trial-handle=2012,i,6492757238663202884,12032148082921753683,131072 /prefetch:8
2⤵
PID:2196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=2012,i,6492757238663202884,12032148082921753683,131072 /prefetch:1
2⤵
PID:4624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3032 --field-trial-handle=2012,i,6492757238663202884,12032148082921753683,131072 /prefetch:1
2⤵
PID:2944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4408 --field-trial-handle=2012,i,6492757238663202884,12032148082921753683,131072 /prefetch:1
2⤵
PID:5204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4504 --field-trial-handle=2012,i,6492757238663202884,12032148082921753683,131072 /prefetch:8
2⤵
PID:5284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4644 --field-trial-handle=2012,i,6492757238663202884,12032148082921753683,131072 /prefetch:8
2⤵
PID:5312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4652 --field-trial-handle=2012,i,6492757238663202884,12032148082921753683,131072 /prefetch:1
2⤵
PID:5552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4112 --field-trial-handle=2012,i,6492757238663202884,12032148082921753683,131072 /prefetch:1
2⤵
PID:5888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 --field-trial-handle=2012,i,6492757238663202884,12032148082921753683,131072 /prefetch:8
2⤵
PID:6072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4796 --field-trial-handle=2012,i,6492757238663202884,12032148082921753683,131072 /prefetch:8
2⤵
PID:6092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4792 --field-trial-handle=2012,i,6492757238663202884,12032148082921753683,131072 /prefetch:8
2⤵
PID:6100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5412 --field-trial-handle=2012,i,6492757238663202884,12032148082921753683,131072 /prefetch:8
2⤵
PID:6108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 --field-trial-handle=2012,i,6492757238663202884,12032148082921753683,131072 /prefetch:8
2⤵
PID:5400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 --field-trial-handle=2012,i,6492757238663202884,12032148082921753683,131072 /prefetch:8
2⤵
PID:5536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5460 --field-trial-handle=2012,i,6492757238663202884,12032148082921753683,131072 /prefetch:8
2⤵
PID:3268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5432 --field-trial-handle=2012,i,6492757238663202884,12032148082921753683,131072 /prefetch:8
2⤵
PID:3964

C:\Users\Admin\Downloads\winrar-x64-701.exe
"C:\Users\Admin\Downloads\winrar-x64-701.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=1148 --field-trial-handle=2012,i,6492757238663202884,12032148082921753683,131072 /prefetch:1
2⤵
PID:5364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=4792 --field-trial-handle=2012,i,6492757238663202884,12032148082921753683,131072 /prefetch:1
2⤵
PID:5232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2648 --field-trial-handle=2012,i,6492757238663202884,12032148082921753683,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5684 --field-trial-handle=2012,i,6492757238663202884,12032148082921753683,131072 /prefetch:1
2⤵
PID:5656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4264 --field-trial-handle=2012,i,6492757238663202884,12032148082921753683,131072 /prefetch:8
2⤵
PID:5632

C:\Users\Admin\Downloads\winrar-x64-701.exe
"C:\Users\Admin\Downloads\winrar-x64-701.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5696

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5140

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\9eba13383c834d809595155b2faf2d58 /t 5076 /p 1472
1⤵
PID:5360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4728,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=4256 /prefetch:8
1⤵
PID:1964

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
4e1956cdc319812d08510ba24693d975

SHA1
c8ca31598321c6583be37f9d8989634b4f38c056

SHA256
92ec5609a43e6dedc51912bf2a253f4cea39b093cc5935d11890bc45eeae7fa8

SHA512
302cef4860e2b223ce5493d05cc34c4763ca1d880cf574fdc48c729d4760aa61f94458b25f17de06f26d6208f6925d9c3655c986ab48c95909b8b3b3a9dc9ea2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
9543186a9dfd8ce8696c0ac0f445fbdb

SHA1
27119ae9b064b70e1d6ae45a160841a14e813ff9

SHA256
f0ae8dc8c154f7f052b79773c63a87bbea40aa1bb9edff3be85bec50e8e33f15

SHA512
df4fcfadbd5184cf99e1c3523870528a06bfafa39e32cc75abb37314c81d3fe61e719da3ce6bbb18d6a5bdae8d63f8a3eedbc1313ee859ddde30237b3a2965fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
336B

MD5
bbccd22ab97603bba0f3ff7e50ddfc91

SHA1
5184a896b18e766b796375eabc93e1ba31e8ed31

SHA256
d3fe9aaaf760d0733e675708274e32c32718b9375191c6ec33b6b45d453cdb1f

SHA512
ce2e76e7502118ae97c7caea5a4f349c514ac1521df5d280a7e1aeab3edbce141bf86aa83e0da048323129470ef422d2328dd8b79f783b1393b2359ae922116c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
93896ca8890991d93bb0a3e60c8d5971

SHA1
6ae8731266a01dde777a8163c9538cb288a52199

SHA256
74b17dc863dbc7088406fe8b94fdd396203eed1b4dcaa0e7a41d45f1e3b59830

SHA512
9e50d4c0912a4c32d15c7fca491b1f95d14ce3bb14b70b09895ddf54d00fce38af86aad62789d1ebfcc4639fa42322b6cf88f2aee970c86c8ddfb6492d778fc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
c8818aa04203740000350bad4f348493

SHA1
2628d251dd884ed5a555707c0f6b86a2f7dfc0a1

SHA256
34f9d4cce2bbd042b842b87b8adf30005da2abdae3a22ca5ef09822f7a8fd584

SHA512
1272569883742b4d3ed85790bac2aedb4fd15a74124f329dc05e5bc43c413fda68f534d23163382804a6603b8fc6fe1c3be1db08db1d4443a4b342a25e800d98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
ad23d27b349bc08a1019cac6ed1f0bf6

SHA1
d59e1eb53b569b14a9ea92f3e5cdf56cf1886109

SHA256
b7d4a4ad3399b71d06cbddf7bb135aa3fc6da447f6170121a0f451eac77de3cb

SHA512
b41577a20d005455d509f9c7457b254898a28b4b274ebf0567f5c4fba04d15596b111450e40d8eec43087c82d47c8342ee3fe375584a1c547fa5f920dd16c1e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
519B

MD5
6ce433919f8a45d6e21727c94a21d3f3

SHA1
801eb2a90366fc7fde7a7a96cf42899ea6942e13

SHA256
5b5aff2452066042d8234148d3bf52e551604bb5c8850750dd36ed5ebadc7b1c

SHA512
ff190fbaecae58f1b3f321e834a5f5f82e888054b01a5ba14005dc0d855a7bb7d54ce6294378da6aa3fce247915f13bbacdbd95e9a03ea7fcfb77c5e899bb28d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
8586049716f8dcfe76fbd0319bf811ef

SHA1
72155d544fd7fe81212c5bdb1fbf3b28663496e0

SHA256
5979fcc9b12a6a5a3641d278e4dd836dc40e539b8837dc3cce97393c7fb81529

SHA512
f86e2851e8c6eaca7dd4485d1bac9515a8cf93a9f1f0e090da8f838581a10f0f3baa466165751c30d1d6528ef2888debe7a69acf091655e1e2fd9b58016300d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
0ec5e582ae3fd70f1ba22ef954061449

SHA1
f7c9b03bff9872def3009b0bab5786808cef330a

SHA256
70bb7429ae5e4f7e74eddc98886535adca4ccf6d47242ec3fce4afc1f7de4a3f

SHA512
6a4b5359d7a85d80a4df46dd3165a47e7703d2696d2575e55ec3bdae77a2b92cfd83d4917c83c9a5f31713887b0ca7a3e0ef190918ba48ad793c8730b9b980ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
a14fe362910cd5cf2bba810861a40752

SHA1
3bef06e15b6143f8850b9c5224cc31451bf8d604

SHA256
aa2fcac2308151e07d72337ed96edd2f3f47d62ea3bac3562953ed399815c0c4

SHA512
a55ab706f188e862a5c0e323b8e0f59052ffd864dd9f9e3f030a831b4cfbac6d45501162d8444fe3c0ac3c3b5597e772c5ae482c6d4fcb2589562bbf7c995b20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
fac109bca496bd5725ffd57ddcf87096

SHA1
e1fc46bcebc929c97e8737484ff7dd4cad9e2a8c

SHA256
965f546f407dd1a21f69d0ca3ebdb510532d09cfda09101765ed931583d71dc3

SHA512
3df8ef49e6757030e7c35d3224d3ed5eacbc83c2e8bf6f89b5edfab817774ef3386dcc706c959f5c8240cfd4a36a818e7ae04cbfdb6061eabddd115614c62ff7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
a7b494720b69e86c82714f4a583b36a7

SHA1
36246d6a40a1a6ba238756df687362a4a64bbeae

SHA256
e44666f26d4f6999087b30a69d2f3e31b1abe4427cb1e0f136e1abdc24eb4cdb

SHA512
f908038280dacdc22c0dc1f5ab10c4d88c403849318b775d2725482edad5431fc1bc1837c8c9921f3255d34825b88a95442ce566f53a8474359237b6ed585794

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
56446d3cef59d3474c76a19ba1f73eef

SHA1
f57920b51356c4b962d0911618fa9c26d9121168

SHA256
73bc937d383697d689af019fc72e2c7fc5c1a0997b19d18e94e782fd50fd5cba

SHA512
39f75790747f813bad7ec2eedebff1e5bbbbc1674182b5ea7ec2b3ec22c9cefb4bdf9f1d9ad58f361789d7afc3b44073f081db55979e898945760d46a4a7ba9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
2c3885da59f889d85418615a60e1f6a8

SHA1
42d445af7b99db41a40bd7a54047705352551d45

SHA256
ccb9714ef417bcceafdc378457951ccf1866c5e9287dd97139befdf9883a644f

SHA512
60099581f083fa97899c2b970dcf36ca26f94bc637b1287a97be74349dc61acb80308f61b004faf4f644c44c18e8c8c1df09c801d77cb087d3fbd97e94289b2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
8ff007b4f9db409b0e6e7ed8d0063009

SHA1
b373fe895ffb9229bf72b1fe9993c5d9bd8ddd3c

SHA256
0f523ed628e3a876f22d315ff5a152b222374ebfeb2bc0207818cb91eac531ed

SHA512
6dc7d17fbc97846f924b3f325e29123537404b58b6792de4ae3aaf692c986a8617d492b75edb62f41231f3591deba48c3f76b6b8a9c1156d42c996259ef0e8d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
9971025a1d9a77e4833bf7ca65c2ff37

SHA1
679c6e3824d6470d06b7b9260a3822a31f02f24c

SHA256
eb4c4afd0f8a76daf1e8021e2830c937f9316e55e02d0b83c3cf42eb2824d4ec

SHA512
7331251de8b7db4be636748e4d381e30ab758e10a53317ec47db3eed0e9ab05fb01f7f1e98ca8080a58a93e1c87dfdbdef3a047a242c2724fcf96d1ab32fe7ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
6078483f26dd975b22a88cac1e3b3841

SHA1
31f5e626c880831899994f43a964250b650b6bb8

SHA256
526fd66b7fff576555144a004fd3ea5bb5476823c02a546afe71e2f7ca087704

SHA512
bdc11f55e491f9475f4d140f3c1cc576f828eed2ca97ddce206b16d2fb32f5974e76ea8f91cf48ec5ac8ea3b85c65f3570312403f084ad6bdd0d1c9bb60d3af3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
fb2224863b3b87091a6ca8ffbd4653b1

SHA1
22f45cec9f16cf8edba6ef5c46614b36d92bb2d4

SHA256
e249d38b2ae5218727c98f8c89747b01202ee55d64efd303db1562057e794798

SHA512
479921267c213ef831f9a8323083ae360ad3151ede0469ed36a8659c21e98548d7f6af2bfb4057b232e49db171c4a78972b40e47b72503dd75ebac0cb29edf41

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 270259.crdownload
Filesize
3.8MB

MD5
46c17c999744470b689331f41eab7df1

SHA1
b8a63127df6a87d333061c622220d6d70ed80f7c

SHA256
c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

SHA512
4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6

Download Submit
\??\pipe\crashpad_1644_JAZDNRHILSQQRYMS
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit