hxxps://gofile[.]io/d/AuNP0I

Analysis

max time kernel
149s
max time network
144s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
12/06/2024, 11:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/AuNP0I

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1744	winrar-x64-701.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133626650417474521"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3168	chrome.exe
3168	chrome.exe
1108	chrome.exe
1108	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe
Token: SeShutdownPrivilege	3168	chrome.exe
Token: SeCreatePagefilePrivilege	3168	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe
3168	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1744	winrar-x64-701.exe
1744	winrar-x64-701.exe
1744	winrar-x64-701.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3168 wrote to memory of 3744	3168	chrome.exe	73
PID 3168 wrote to memory of 3744	3168	chrome.exe	73
PID 3168 wrote to memory of 3356	3168	chrome.exe	75
PID 3168 wrote to memory of 3356	3168	chrome.exe	75
PID 3168 wrote to memory of 3356	3168	chrome.exe	75
PID 3168 wrote to memory of 3356	3168	chrome.exe	75
PID 3168 wrote to memory of 3356	3168	chrome.exe	75
PID 3168 wrote to memory of 3356	3168	chrome.exe	75
PID 3168 wrote to memory of 3356	3168	chrome.exe	75
PID 3168 wrote to memory of 3356	3168	chrome.exe	75
PID 3168 wrote to memory of 3356	3168	chrome.exe	75
PID 3168 wrote to memory of 3356	3168	chrome.exe	75
PID 3168 wrote to memory of 3356	3168	chrome.exe	75
PID 3168 wrote to memory of 3356	3168	chrome.exe	75
PID 3168 wrote to memory of 3356	3168	chrome.exe	75
PID 3168 wrote to memory of 3356	3168	chrome.exe	75
PID 3168 wrote to memory of 3356	3168	chrome.exe	75
PID 3168 wrote to memory of 3356	3168	chrome.exe	75
PID 3168 wrote to memory of 3356	3168	chrome.exe	75
PID 3168 wrote to memory of 3356	3168	chrome.exe	75
PID 3168 wrote to memory of 3356	3168	chrome.exe	75
PID 3168 wrote to memory of 3356	3168	chrome.exe	75
PID 3168 wrote to memory of 3356	3168	chrome.exe	75
PID 3168 wrote to memory of 3356	3168	chrome.exe	75
PID 3168 wrote to memory of 3356	3168	chrome.exe	75
PID 3168 wrote to memory of 3356	3168	chrome.exe	75
PID 3168 wrote to memory of 3356	3168	chrome.exe	75
PID 3168 wrote to memory of 3356	3168	chrome.exe	75
PID 3168 wrote to memory of 3356	3168	chrome.exe	75
PID 3168 wrote to memory of 3356	3168	chrome.exe	75
PID 3168 wrote to memory of 3356	3168	chrome.exe	75
PID 3168 wrote to memory of 3356	3168	chrome.exe	75
PID 3168 wrote to memory of 3356	3168	chrome.exe	75
PID 3168 wrote to memory of 3356	3168	chrome.exe	75
PID 3168 wrote to memory of 3356	3168	chrome.exe	75
PID 3168 wrote to memory of 3356	3168	chrome.exe	75
PID 3168 wrote to memory of 3356	3168	chrome.exe	75
PID 3168 wrote to memory of 3356	3168	chrome.exe	75
PID 3168 wrote to memory of 3356	3168	chrome.exe	75
PID 3168 wrote to memory of 3356	3168	chrome.exe	75
PID 3168 wrote to memory of 4688	3168	chrome.exe	76
PID 3168 wrote to memory of 4688	3168	chrome.exe	76
PID 3168 wrote to memory of 2148	3168	chrome.exe	77
PID 3168 wrote to memory of 2148	3168	chrome.exe	77
PID 3168 wrote to memory of 2148	3168	chrome.exe	77
PID 3168 wrote to memory of 2148	3168	chrome.exe	77
PID 3168 wrote to memory of 2148	3168	chrome.exe	77
PID 3168 wrote to memory of 2148	3168	chrome.exe	77
PID 3168 wrote to memory of 2148	3168	chrome.exe	77
PID 3168 wrote to memory of 2148	3168	chrome.exe	77
PID 3168 wrote to memory of 2148	3168	chrome.exe	77
PID 3168 wrote to memory of 2148	3168	chrome.exe	77
PID 3168 wrote to memory of 2148	3168	chrome.exe	77
PID 3168 wrote to memory of 2148	3168	chrome.exe	77
PID 3168 wrote to memory of 2148	3168	chrome.exe	77
PID 3168 wrote to memory of 2148	3168	chrome.exe	77
PID 3168 wrote to memory of 2148	3168	chrome.exe	77
PID 3168 wrote to memory of 2148	3168	chrome.exe	77
PID 3168 wrote to memory of 2148	3168	chrome.exe	77
PID 3168 wrote to memory of 2148	3168	chrome.exe	77
PID 3168 wrote to memory of 2148	3168	chrome.exe	77
PID 3168 wrote to memory of 2148	3168	chrome.exe	77
PID 3168 wrote to memory of 2148	3168	chrome.exe	77
PID 3168 wrote to memory of 2148	3168	chrome.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/AuNP0I
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fff15239758,0x7fff15239768,0x7fff15239778
  2⤵
  PID:3744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1524 --field-trial-handle=1808,i,11198518658342289472,17772139646319343681,131072 /prefetch:2
  2⤵
  PID:3356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1828 --field-trial-handle=1808,i,11198518658342289472,17772139646319343681,131072 /prefetch:8
  2⤵
  PID:4688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2076 --field-trial-handle=1808,i,11198518658342289472,17772139646319343681,131072 /prefetch:8
  2⤵
  PID:2148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2848 --field-trial-handle=1808,i,11198518658342289472,17772139646319343681,131072 /prefetch:1
  2⤵
  PID:3892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2856 --field-trial-handle=1808,i,11198518658342289472,17772139646319343681,131072 /prefetch:1
  2⤵
  PID:756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4408 --field-trial-handle=1808,i,11198518658342289472,17772139646319343681,131072 /prefetch:1
  2⤵
  PID:3360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4664 --field-trial-handle=1808,i,11198518658342289472,17772139646319343681,131072 /prefetch:8
  2⤵
  PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 --field-trial-handle=1808,i,11198518658342289472,17772139646319343681,131072 /prefetch:8
  2⤵
  PID:1584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3772 --field-trial-handle=1808,i,11198518658342289472,17772139646319343681,131072 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4528 --field-trial-handle=1808,i,11198518658342289472,17772139646319343681,131072 /prefetch:8
  2⤵
  PID:876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5172 --field-trial-handle=1808,i,11198518658342289472,17772139646319343681,131072 /prefetch:1
  2⤵
  PID:4236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5432 --field-trial-handle=1808,i,11198518658342289472,17772139646319343681,131072 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5428 --field-trial-handle=1808,i,11198518658342289472,17772139646319343681,131072 /prefetch:8
  2⤵
  PID:192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5216 --field-trial-handle=1808,i,11198518658342289472,17772139646319343681,131072 /prefetch:8
  2⤵
  PID:3180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5668 --field-trial-handle=1808,i,11198518658342289472,17772139646319343681,131072 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5236 --field-trial-handle=1808,i,11198518658342289472,17772139646319343681,131072 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 --field-trial-handle=1808,i,11198518658342289472,17772139646319343681,131072 /prefetch:8
  2⤵
  PID:1880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5548 --field-trial-handle=1808,i,11198518658342289472,17772139646319343681,131072 /prefetch:8
  2⤵
  PID:4168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4788 --field-trial-handle=1808,i,11198518658342289472,17772139646319343681,131072 /prefetch:8
  2⤵
  PID:1904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5724 --field-trial-handle=1808,i,11198518658342289472,17772139646319343681,131072 /prefetch:1
  2⤵
  PID:3332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5560 --field-trial-handle=1808,i,11198518658342289472,17772139646319343681,131072 /prefetch:1
  2⤵
  PID:1776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5372 --field-trial-handle=1808,i,11198518658342289472,17772139646319343681,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5508 --field-trial-handle=1808,i,11198518658342289472,17772139646319343681,131072 /prefetch:8
  2⤵
  PID:1880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5660 --field-trial-handle=1808,i,11198518658342289472,17772139646319343681,131072 /prefetch:8
  2⤵
  PID:3464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 --field-trial-handle=1808,i,11198518658342289472,17772139646319343681,131072 /prefetch:8
  2⤵
  PID:524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5784 --field-trial-handle=1808,i,11198518658342289472,17772139646319343681,131072 /prefetch:8
  2⤵
  PID:392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5832 --field-trial-handle=1808,i,11198518658342289472,17772139646319343681,131072 /prefetch:8
  2⤵
  PID:1292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 --field-trial-handle=1808,i,11198518658342289472,17772139646319343681,131072 /prefetch:8
  2⤵
  PID:3220

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1880

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2068

C:\Users\Admin\Downloads\winrar-x64-701.exe
"C:\Users\Admin\Downloads\winrar-x64-701.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\027c9531-804f-4211-a70f-7a9c9f28d473.tmp

Filesize
7KB

MD5
beffa0f7047b3bcddf108dcef6013ad5

SHA1
1daefb725864032d50a79cd4615c146ff3d19796

SHA256
95e0951e4a6691085d22e71934a34a33694b7d5c4bd7a554e4b221293ce63dad

SHA512
eb370af559e2ca2925363d9eeefbf94045ce1940b72b5a901deda2f034a0881cf9c6060295db01098776db8af8554ce4706848c6ee26bc8985d5911c120b1235

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
792B

MD5
6e00acee8d58cf957de7ccbdbaafd2ee

SHA1
668701a169b214d87f246fcaa52b57f73cf6f4d3

SHA256
f1295e9c1d91c0b2cb9a11480554ff5a90799280e69ed5725993d895ed3e6f3e

SHA512
91c72c64b2989e47833fed1b6385098afda2cbb8357d2a1390732c9840267e3024fc005a4fec9dfb9e7de3dd1acceda5a49ada4956eaff83a9427120034881fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
552B

MD5
16034015f1c524cf8b9252247b013097

SHA1
a484d7c8cf69ceb07b7f90b21b2f97eb122c726e

SHA256
05fe75a6fce1e57acbbb47b7b9f8f510e1fdd93183c9ad00bd0cb7eb12b98a43

SHA512
2611559eb777b29c98342cfdf48cbcaa8e62a50b0b27533872ec537c5eb95ec763c43179f8fa315ad0a0c1a8c2213a021730068c0aac4de3b5b9faea6de244a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
4b02566852b7b3cd110c8049cc9e7e85

SHA1
bb8fed4c557a38b320aa919e2c67f827d7949c55

SHA256
ebabf11abc91ec7547a885628dd0bf00e48aaa5b1e5c1bbfd929ff31b06d0183

SHA512
77ef925087bae1fe6763a5f172e2cba4041f13f9e3e642086d456a0b68476f94c297453e8fcec28e7d1ba8f9b8b6e438c6e7320941f23793ce8a18732efed64e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
649100ee03798fe3e93cacbde8d4a370

SHA1
025d96d73b3ca414441acf5fc421ec6ffbf403d2

SHA256
95751191a5bd1b1b2d3764a10b469036571e746eabe899e0d4b2c0abdecf7de1

SHA512
9b6468606bcade1084661bea3d2fe34da6758cf10f51338a780e4af5613cf7b4c49564b25657c770b2c18ff11ce3c087aee95053b122cb317a22e2800b168593

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
126c145a1059d4025e69898def0d3c2c

SHA1
35e8d50e213f3faed0575b30ef943e4c9f23b594

SHA256
4d4c88f61444ed28ecedd18d1e7b21c461a3256b56174cd09e666303c295ea91

SHA512
53c5a1635a665dec686f92e9a1fdf6d74404fe90f7639570795bbd75af10040a5a730e0b368abbef45e7e26acf8eef7570e0801b35eed547d06199541879d0dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
703B

MD5
7b3491a6ac6032138cb1e0fadd3c6fc3

SHA1
b98b2eca9c79c348cf414c1ab1f68ebcd10a0789

SHA256
bc3aa96c2e76db77d9c7454334dfc78fe715299a2f6161b67eaa8970757fe7b9

SHA512
2b773aff2733bf3bdca173b222eccb027d0714d90658696bc5fff716a9941867236d5d5f12feb6af97a93bb456a29977ead997d7d80fc5e1d86600823c983642

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
870B

MD5
24205eaaf366908157276f7202ef67e3

SHA1
1c40ea2e77f50585fd436e7e65264cb41bf01af7

SHA256
83214a95b2a2bab9746b41cc3ec2b792c275b0423a820ea011acf2cd7cf92942

SHA512
585de705c1a925e9d42305cf68fe45d2ce136445e8fbe8685151b1f655ac00d108e533fb72252d3077ae9974dadbe1f91337f6422e1f2d651ab6fd100606cb0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
870B

MD5
f5c5913ee4fdd3e3353259e6792941d7

SHA1
5b6ed5aa63fc969fd831ba483e2b70c8b833c395

SHA256
49fd70fe0b17c79c8fef68cc956879b5c122cd0d3b3bf7e483ca2eb8fcc9c15f

SHA512
103b19c5415e8ed09aaaddd805a0b6ef687dfc5c3c8e3334b3b05d7b098984f6708068bac599ce988750cee7076d042d8266cefc4e029d4790940fd70d8e5eb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
870B

MD5
017bf7c6e226d499995320f4428a474d

SHA1
35d3a70654e9c4f9b82c4d63de63ce115c14975c

SHA256
8995b24721910bc191c319d27dfaa9c2e5f56652869ac96f4b99e092a56035b9

SHA512
3e6b39453dfa6038a51be602f8807b54c30f0bb37629b46ad2e9a504d9e964a8297b30ffde6c7bc146a7ac67b28cda7adbc10720692a9483c4343d23b7ab658e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
870B

MD5
73c58736ae9a3c250bf95e980c04515d

SHA1
621fe647d618ccb6dc30385df5717e2e6560160f

SHA256
61d0e4323bce271d5770262abcb83e6e463c9fafb810c252d346a7943a1e96c4

SHA512
f674574e3b422a150f207f3e5aa81d293adfc815c87ee88b0b1d5fd201806e2d0b2e080734024af99319a0fd6f69746f9a4ba598884df4b381eb20c73ba3e0f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
870B

MD5
0cf6aacb5cf0163d859021a480afc8e0

SHA1
1afbf6254c643dfd91158d4454d6a015528f6dd3

SHA256
b9cb52e088322a917da2c4b7fc3e495cb28669a663abc3911aeecc50de844e19

SHA512
4f07b8893d0349f0bb3d53f22eb6537b2c69bb3fdac4d236a1de766c2ee27f6452822147bc6e47f96d716b5f72a5a09651d645b00e0f2118c8ced2392882eca5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
868B

MD5
7ab05dd38062c2e7703439003c41f131

SHA1
f3bd11e58128f06c0b116697eafa2ad20266cef9

SHA256
7a5c0cdeeff2ab6ef43832fb176b5b860d82bb36d2bdd6f5d045ff126faa9241

SHA512
25077e652ed8f051ec8e77382c22f2a24058d0a3aeb54d6cbee38c481dec3a042e634fbba584660549d1ea19f3be6c7022604183574bbc3f9a7d142f8905164c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
701B

MD5
d6fec394dcbda42f944cf20ae5edb70c

SHA1
84718a4e05117ba68d03a318e780390fdb0b74b6

SHA256
80cc9c9fdcf6dbcf98f115fd2f1af847c059f6fa33092e5eb06bf76950035f9a

SHA512
a66ba3afbcd8aedf318b3919f1322ea13ebf1ef065030e44653dc84ea04ffaad4e119bb16256dc1f66eeded8f562e76387948c2c6d25ac66e39b7315cf06e661

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a1c829232a565d1472a6956af113d60f

SHA1
3c312dd295751939119751544d8b74bfd6dc105c

SHA256
f641be92b12705bd99e0cd2ba8d6860290902d22212f5772cff3104577746af7

SHA512
3d74f1783cf3a5888716b9bf9556826e06342d8a2f03002dfcce8e06594198e1c30526618e571a18fdc16473aad1c956386fa615952d01288a180ea7e9ec7921

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ad1c81eee5c044b56d5bf0866149a044

SHA1
d2afbc2aee54637b26d50713897bc2ba658a0c77

SHA256
85ded575d0612e1d152617368a5801b47d907b645f43dfebc86ad54a001fb739

SHA512
8e7d766786397155a7232d4af666e2f8117e3810acc80edbc1759c8c21cebabf3e5452a9b7d2b5c5a9e9f0b7537bd92803fc8a3ec8ca1ff05f8f03f8df74454d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
7149fe80cd97620a32c5991b833b0376

SHA1
a150a67424b81844038c8ab4684566860d1f37c1

SHA256
c80fe41ee5883f3b6e98224f63294e1abc1f4b55bf081b9b0a845bcd089384d2

SHA512
010355d4f083c864c2859242c2cd7932283d0c8cdde1bfb0221443954efe7276880474097ae8b80bf730507275af3ff047242807115dbd006ec23f99d53054d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3abe08314714e83e4fb21fac6f68ef4a

SHA1
6ad2cb34c40bebcc6058465c42d51db9bb06f170

SHA256
0d859e07ddbfb55d487b82a3262bbfd3c22a47d9479d6e8c467339aed1f150ee

SHA512
0b19d4a97b83ce7fb8a8af6c99df84d67788a6781b43c50cb244f5d592eef1c43838b753c9b567c81401d91aeb17509e221caac9a56324327819036ffe6a879c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
85989b53e698c020c459f7b004e1d992

SHA1
76be37dab876c0468e8297d3d1facaa598c0441a

SHA256
4cadedfaff5e835958318f6aeb958f94d2d5fbdcdd0495e559a8c8136c63d3e8

SHA512
99f438b30e2d8aafe05f3d3dc8caa4fc091314623f02377f7fce8e7476221ccae14c9d76fee88759a0e0f8d6f6a7cef5b6e0f2f156c32f58a33904434a919455

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
69941d76f137af6dd46ff8f11aeb04dd

SHA1
07e8d840f21bbb06bf9bb19524803eac953d1bf5

SHA256
be2f6c16d26d22a5b2de94c8648d1f5e0fab031a88b4c777360a94b67dcaa3c3

SHA512
6aa34c791ba0b72c2381481ee1211c9ea95e650ebb463617ebb31fa3a3ba774b4a26fce3532f106f3700a78150eccd2363a6eed1f98c2303b9f1a60f54f44576

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
da0ffcc4f45e73c79cea2edab25d59d2

SHA1
2c9f36a1c7ca869f3c20470f0919a00e9fa011db

SHA256
0fee146e1ab033c6a35ed78b6dff6e4572a97ba2ff3ad760628a0215f7cf6268

SHA512
69444798f8af763c1ad693942fdfc1599e873a8bb140385585fa95318e4ca2c14067661f0d4c91630d20aaf786b1031155153388dacc685b78582a16b36bcf4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
103KB

MD5
917ea448e31c719284aedb609e2e1eed

SHA1
3f86782b339f247a2c6d998b66db0ec67e340f8e

SHA256
f193f9564bb2a0fbff2cdee34de40c4ab38ee797c9e206e8640ec0d4a26eeea4

SHA512
2b64d839886e87198f48b3d269dc8e96efd8b8d5b8943893fc1bb6893fe4729ba41104f099bb5c4c8c2e7599844c357e83d99b72823c66ae058bcc5dd31ffb37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
100KB

MD5
238dd26ffcc5d0e6e66ced159918c20e

SHA1
fc988589b40b0d0dc7884a2d7bb12f2fb6e5948c

SHA256
754b5b88081dcbce7e212d3ed8a35f6a935601b721dd3fac48a74295066d3799

SHA512
f1a52ce11fa2569f582639eea5e567c5d994fa33597aa554684483374070258545f617075bc2bdfcd59e74fb42c0d26c49bd4c21dddffa02bc49218a210586d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57d716.TMP

Filesize
93KB

MD5
9e20c834980d9f180277d0934dacc036

SHA1
aeb2b0132e2523a4e6c61966a00877c88d21863c

SHA256
916416aed45920312f17e5cd9ccefe6d322e6539b4621cb3b322faf48b091fa9

SHA512
a7a0e56291f7ce9cc18ffe5105070cca9fa9928324fd2e4e9d0df80cc214bb22747b9acc7dbaa991899c280b86d601cca622e0a91d0b14d48657ad42b4d43bf6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 188526.crdownload

Filesize
3.7MB

MD5
7d0bc6539b59b0a92d9ce3f8321ceeb8

SHA1
f5e31f3ef051bb3443eee411f3cf98941053667a

SHA256
f23c25880ae0c59b4bc7fa911650c9cb4b31ec9afc8c31f266bccaf36bd4cafd

SHA512
b69a98cdd07208e51e19723aa86e7b02a7bfd20212b0fec5753cc7c312bae740d7d997b4ff386d0112525854aa4780e6f09806eefc92058cd1cb47968803b279

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701.exe

Filesize
3.8MB

MD5
46c17c999744470b689331f41eab7df1

SHA1
b8a63127df6a87d333061c622220d6d70ed80f7c

SHA256
c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

SHA512
4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6

Download Submit