hxxps://github[.]com/Endermanch/MalwareDatabase

max time kernel
134s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

8^/10

discovery evasion

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
780	winrar-x64-701.exe
756	winrar-x64-701.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
81	raw.githubusercontent.com
82	raw.githubusercontent.com
83	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1596	taskkill.exe
3032	taskkill.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2096	chrome.exe
2096	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe
316	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
780	winrar-x64-701.exe
780	winrar-x64-701.exe
780	winrar-x64-701.exe
756	winrar-x64-701.exe
756	winrar-x64-701.exe
756	winrar-x64-701.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 3532	2096	chrome.exe	81
PID 2096 wrote to memory of 3532	2096	chrome.exe	81
PID 2096 wrote to memory of 3468	2096	chrome.exe	85
PID 2096 wrote to memory of 3468	2096	chrome.exe	85
PID 2096 wrote to memory of 3468	2096	chrome.exe	85
PID 2096 wrote to memory of 3468	2096	chrome.exe	85
PID 2096 wrote to memory of 3468	2096	chrome.exe	85
PID 2096 wrote to memory of 3468	2096	chrome.exe	85
PID 2096 wrote to memory of 3468	2096	chrome.exe	85
PID 2096 wrote to memory of 3468	2096	chrome.exe	85
PID 2096 wrote to memory of 3468	2096	chrome.exe	85
PID 2096 wrote to memory of 3468	2096	chrome.exe	85
PID 2096 wrote to memory of 3468	2096	chrome.exe	85
PID 2096 wrote to memory of 3468	2096	chrome.exe	85
PID 2096 wrote to memory of 3468	2096	chrome.exe	85
PID 2096 wrote to memory of 3468	2096	chrome.exe	85
PID 2096 wrote to memory of 3468	2096	chrome.exe	85
PID 2096 wrote to memory of 3468	2096	chrome.exe	85
PID 2096 wrote to memory of 3468	2096	chrome.exe	85
PID 2096 wrote to memory of 3468	2096	chrome.exe	85
PID 2096 wrote to memory of 3468	2096	chrome.exe	85
PID 2096 wrote to memory of 3468	2096	chrome.exe	85
PID 2096 wrote to memory of 3468	2096	chrome.exe	85
PID 2096 wrote to memory of 3468	2096	chrome.exe	85
PID 2096 wrote to memory of 3468	2096	chrome.exe	85
PID 2096 wrote to memory of 3468	2096	chrome.exe	85
PID 2096 wrote to memory of 3468	2096	chrome.exe	85
PID 2096 wrote to memory of 3468	2096	chrome.exe	85
PID 2096 wrote to memory of 3468	2096	chrome.exe	85
PID 2096 wrote to memory of 3468	2096	chrome.exe	85
PID 2096 wrote to memory of 3468	2096	chrome.exe	85
PID 2096 wrote to memory of 3468	2096	chrome.exe	85
PID 2096 wrote to memory of 4376	2096	chrome.exe	86
PID 2096 wrote to memory of 4376	2096	chrome.exe	86
PID 2096 wrote to memory of 1872	2096	chrome.exe	87
PID 2096 wrote to memory of 1872	2096	chrome.exe	87
PID 2096 wrote to memory of 1872	2096	chrome.exe	87
PID 2096 wrote to memory of 1872	2096	chrome.exe	87
PID 2096 wrote to memory of 1872	2096	chrome.exe	87
PID 2096 wrote to memory of 1872	2096	chrome.exe	87
PID 2096 wrote to memory of 1872	2096	chrome.exe	87
PID 2096 wrote to memory of 1872	2096	chrome.exe	87
PID 2096 wrote to memory of 1872	2096	chrome.exe	87
PID 2096 wrote to memory of 1872	2096	chrome.exe	87
PID 2096 wrote to memory of 1872	2096	chrome.exe	87
PID 2096 wrote to memory of 1872	2096	chrome.exe	87
PID 2096 wrote to memory of 1872	2096	chrome.exe	87
PID 2096 wrote to memory of 1872	2096	chrome.exe	87
PID 2096 wrote to memory of 1872	2096	chrome.exe	87
PID 2096 wrote to memory of 1872	2096	chrome.exe	87
PID 2096 wrote to memory of 1872	2096	chrome.exe	87
PID 2096 wrote to memory of 1872	2096	chrome.exe	87
PID 2096 wrote to memory of 1872	2096	chrome.exe	87
PID 2096 wrote to memory of 1872	2096	chrome.exe	87
PID 2096 wrote to memory of 1872	2096	chrome.exe	87
PID 2096 wrote to memory of 1872	2096	chrome.exe	87
PID 2096 wrote to memory of 1872	2096	chrome.exe	87
PID 2096 wrote to memory of 1872	2096	chrome.exe	87
PID 2096 wrote to memory of 1872	2096	chrome.exe	87
PID 2096 wrote to memory of 1872	2096	chrome.exe	87
PID 2096 wrote to memory of 1872	2096	chrome.exe	87
PID 2096 wrote to memory of 1872	2096	chrome.exe	87
PID 2096 wrote to memory of 1872	2096	chrome.exe	87
PID 2096 wrote to memory of 1872	2096	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Endermanch/MalwareDatabase
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8bbaecc40,0x7ff8bbaecc4c,0x7ff8bbaecc58
  2⤵
  PID:3532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,1246283508695909801,3118827533873076012,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1856 /prefetch:2
  2⤵
  PID:3468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1860,i,1246283508695909801,3118827533873076012,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2120 /prefetch:3
  2⤵
  PID:4376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,1246283508695909801,3118827533873076012,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2264 /prefetch:8
  2⤵
  PID:1872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,1246283508695909801,3118827533873076012,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,1246283508695909801,3118827533873076012,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4576,i,1246283508695909801,3118827533873076012,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4352,i,1246283508695909801,3118827533873076012,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4660 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5160,i,1246283508695909801,3118827533873076012,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5244,i,1246283508695909801,3118827533873076012,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:1808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4584,i,1246283508695909801,3118827533873076012,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4696 /prefetch:8
  2⤵
  PID:4272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4552,i,1246283508695909801,3118827533873076012,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5480 /prefetch:8
  2⤵
  PID:4616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3216,i,1246283508695909801,3118827533873076012,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5044 /prefetch:8
  2⤵
  PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5452,i,1246283508695909801,3118827533873076012,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5548 /prefetch:8
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3832,i,1246283508695909801,3118827533873076012,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5608 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:316

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1848

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:752

C:\Users\Admin\Downloads\winrar-x64-701.exe
"C:\Users\Admin\Downloads\winrar-x64-701.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:780

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\b1674f50ee94488ab2d52a0e72f088c6 /t 2168 /p 780
1⤵
PID:2492

C:\Users\Admin\Downloads\winrar-x64-701.exe
"C:\Users\Admin\Downloads\winrar-x64-701.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:756

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\707dee956bbf45debb0ea71e4112f059 /t 316 /p 756
1⤵
PID:2496

C:\Users\Admin\AppData\Local\Temp\Temp1_Evascape.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_Evascape.zip\[email protected]"
1⤵
- System Location Discovery: System Language Discovery
PID:1716
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:3032
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\0f88c00e-85c6-4f59-a07b-cc4d0d59de15.tmp

Filesize
9KB

MD5
ff650be8c6d0ab3537da7d8d16a8ae67

SHA1
544b7e60a0ce23cd241c0bf8df3f4e35cce2f94e

SHA256
083eb2fef9dcc30d7514e4ca4f89ce89be8867420bdc7df2a4288a19d78a4bd7

SHA512
0bfa925ef3619b8b6bfa1cb6ee85f20d6b75a5c69c3075c3627a98260b7c621fa10246fc612aacdd26159e27c3f795fc2990a26621eb17c1fef861978bbad248

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
cd5ce85d0ca050d851b9716278642717

SHA1
8d39b99e6e515ea7bfd09a528364bc6f9c69270e

SHA256
ab9a1f0f8cdb1737a1ec3d9f474193f1366bb866c6b43c6de1d48ee1a841d001

SHA512
581500efd16c877bd772cd5cf3e25372e0918d7bbd48c7453a9c2f16ec04dffd728d20c378c74d166340db1a2b4640b901f6fddf0816beb5a062583366529245

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
66b97c9b2ad4413f830fae163c173d8f

SHA1
faf8ad81421ff113bb4e522412957c641057ff64

SHA256
06b434ac9de449d8aeaa49ceebee43d2ff29bbbdfc5ac0514b2e4e1aaa41d94b

SHA512
3463291d9e340bb73b5cf62e70f790a40d6ab5d5a5f77c3eb6405280582e439cc624bceacdf75349b72238b2f2b36cbc11f3f9eaf39465c644fe240bb628e110

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
b0a5b63af39ef54e9635ffb4a602bfef

SHA1
ad770063efcad36c35d4e397f8052b739d07a579

SHA256
0f78d02c45ad55c92e4f831866301390f35634a474e3a6d9b59ac69d5fc2b46e

SHA512
9a3af98160d71056d4b82b1cd5c7bab36d7843d9e87c8892f524633a1ab95e7f7e3c8f17b0acfd665d17f03f9783ae00c2e2f0c692d6b20b855fa529ea64fe0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b136a928810bf2ca2efe42293d7ded8e

SHA1
c391769bb360a3430788f2fc978eb0979180e4e1

SHA256
fcbedade5a8fe14a57386443fb9309eeded4025d74925d470838c0f7b77871c1

SHA512
46ce965e4c8c28cf86ae7838aa8fbc92da5482305d2671950af2e6f57b2d6539a14a6f37a8a8ffd5fdac12a28af045dc33f66390563dbac5022b6dc03ac2d2db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5e917647ac1aeda175810b275104b703

SHA1
723526c88085e6d57c1bedb73ce9a56b8f255c86

SHA256
8c1b031d78f4dbea6967f810aa6c666cf0a218c5d2613f5268bcb2a66cc656fd

SHA512
67624a8d224d636352a1933203c8feab095b1357755f69648448b5d63ee13edfb361d59ceca3432fff18be9cdee32792d21bda9d17bc98097462eeeae4fe4c5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
278e5c3c298d7b58b9a05948d3bf5e7c

SHA1
d5cafb94181c2d9397265613c8d1a32eda04fa02

SHA256
f533ccbe90729e3f852014ddfdb1d60a81a879e0ede16310b31d52be714a8d03

SHA512
d9811048cb548093fe47e23237669f2663857141c90f49ce4d79b97e200ad7bc6f05fa8c6ca8583eaab219d3a5b739ce105b95744fe7757d579ab44905e90fb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
43a9fd5be3aba45834e15f3cd99bbbba

SHA1
03e864a9b22ea1485cd1a250d3b9abe04dbcd074

SHA256
c3013258027e56fb43d8f8eb1e8b7cbb3a4b56bead5d7c5b3758f8c74886170e

SHA512
c8823f01790dfe9dd4c42de39b4618fce2c57db372b4ab14925e6ff4d40e8cada6240c80aa31e2a8fb3231a754da8e8a18c9fcdeec162099e03b790aba46e325

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
519d6bd8f8143b7c07b157c098130c5f

SHA1
97dc3c6207e40422dc39f23e242f63b1a20fd660

SHA256
df660cf413ef7d189203350b3d50df0c637f84ead20056f8768d20f2329c925f

SHA512
b68f703ade130acae9a9bc791873cdb1efab10cab026bd0db339141da740e8db594a78cd903e8ac90f6bbb21d8dcf5d2e9fa8f45856704f34501fc2054a26280

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b484ba76480945325fcc720b89961577

SHA1
b6202a2259229b3b67a80ffa321907e9adcd71fb

SHA256
d1109792e54ec4ebc74584925daf208a32c092f37fb614eb3041dec33b89bc95

SHA512
5e7085acedb9707f563dd76903a53c2452b0fa2747fdfabeb24d1d697c075189c26f95f9998a60f0b4bed0814d386dd7dd1d3143a5be093f807aee74755be57f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4aa6649f941ef1906e6f9c817ad029fc

SHA1
fa3b304fb41e1f4f33d8ea97bf59bf9ce550b38e

SHA256
ee96b558769091e878eac8b5ae2ab2c76c05eb6a3f196b2135fc24718a10a3a0

SHA512
b56118e03253169deec8c4e7691d1d37ab0aa2c3c6e5032308832a530194f986b65be722332a0e80bcf5c26ffa6734da912a6504f1c057c4ca72456b885c61ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
77d17555653f2de9db806b25e35d273c

SHA1
abf2d2262f6ecbb5330f4f027b836d85d0811b48

SHA256
50bab30a05e83c3a0be5f15cf484889d138ec3183a7a8f0c5da62dc66888b411

SHA512
dcd4cf14c1df26cbea1a3e27c4a4c5a37c632eb9c10e9f1ca750d89387669c6c72ab14664808eef33eb8038e62ff44b2707a86e7000a107258ce676ff9a28477

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
33bebbe258d3c1cba7f150e028fbb894

SHA1
a75fb78aaf30434ee9953bf7e35e4df320bcdd81

SHA256
783e2ce6d2b934f4d0edeced29334b50393301c7f56eb425c91cc2c075b269c5

SHA512
a35beb2052a3d499241afa942a169264146ce5eddb1e962538973580016934fe6ba3eb32378d3160cac4bf09f40b32fb6d2924cf3ef9ed606ef147e738e50c7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fc677eb659dcd0cbcc41c55eb8c2a2d1

SHA1
90d3b26f25d449bad28a47240091d1b18b496be8

SHA256
064a5b764e99d8943286824477c8452b67424bb4e5968e96350673176f1fd97d

SHA512
f0a35006015e478d2b3ad795d5f3d4c7d7d7e7017eb77fca13287ffb8e02a7d09309a8b28be68960113790079a8922c952ca37ec8458ecee031bf8a7f1d80205

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7108e770d091b91fba542a8370c0fc2c

SHA1
71dde4e4ce8cff15458e042f97e3bc8eaca0ca89

SHA256
d6c29a97e1cad9b4fa0967d210ab7128d820586d6884bccb45bbcd826a9426a9

SHA512
9bee7db802d30856ca585880ac5ab2079fbca724695505b45502b6a5f8a68c4a5b72fdb54f0b0e08dd0a5ff3b632713524eb681f1995a6f58f2837731d46912a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
32d26cc58560b9961613f49a89d80824

SHA1
165a36a2adeb52991e3f6eeb6a975d8bc47ee779

SHA256
4c0cd1dc10fbcdf14a0b1368dc3f590da8200e75848d3bcf002703fe39e2566e

SHA512
42c506ac02b1148b1367bbb782eda021cfe0258a093da3329a48b44edc489f4987e8c3706527be14ad3b72b90b1203abc7084f2d1e988e9dca1b89260ca2138d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
dc37d0104c3b4c206d0218fc10587c43

SHA1
0c5855999a0a28215f8c7bbf5972bda600c41ace

SHA256
d1b265a4a42fc96c2c211219e3344baad4ba35c82c6011349ab034a84335aa05

SHA512
742d68a64205132bb0906ffd9157f700f69dcac2bf011e79adc81c298cb7a0380955c3f713db84c23f14b115694147d42deec61dcdc368511c1b18c23edb7417

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
e945970b661ba3e7d54c5464f1c42c01

SHA1
28f3b6825d982f467f353080dd911ce67ebe064d

SHA256
eaec2ca5bf06fd0366c3c9d8b81643a5adf76fc6378310545b7cdefc2cc0f75e

SHA512
65feb3092c794c6a6cc5b5fcaac5fa810e9a97a73702dcf4a470c249341ec990d54ce5c42363640fc6f4626e8375a6a27002423bdb5a7f396ba27acfe2fe475d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 736433.crdownload

Filesize
3.7MB

MD5
3a2f16a044d8f6d2f9443dff6bd1c7d4

SHA1
48c6c0450af803b72a0caa7d5e3863c3f0240ef1

SHA256
31f7ba37180f820313b2d32e76252344598409cb932109dd84a071cd58b64aa6

SHA512
61daee2ce82c3b8e79f7598a79d72e337220ced7607e3ed878a3059ac03257542147dbd377e902cc95f04324e2fb7c5e07d1410f0a1815d5a05c5320e5715ef6

Download Submit
memory/1716-355-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download