hxxps://drive[.]google[.]com/uc?id=1BBxQR1RioqaoNT1LBGJA99dWohXhm-Cj&export=download

Analysis

max time kernel
900s
max time network
875s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
04-09-2024 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/uc?id=1BBxQR1RioqaoNT1LBGJA99dWohXhm-Cj&export=download

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Downloads MZ/PE file
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 5 IoCs

pid	Process
2900	Ninite WinRAR Installer.exe
5084	Ninite.exe
2588	target.exe
4384	uninstall.exe
2400	WinRAR.exe

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	drive.google.com
4	drive.google.com

Drops file in Program Files directory 60 IoCs

description	ioc	Process
File created	C:\Program Files\WinRAR\Descript.ion	target.exe
File created	C:\Program Files\WinRAR\Rar.txt	target.exe
File opened for modification	C:\Program Files\WinRAR\Default.SFX	target.exe
File created	C:\Program Files\WinRAR\UnRAR.exe	target.exe
File opened for modification	C:\Program Files\WinRAR\WinCon32.SFX	target.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	target.exe
File opened for modification	C:\Program Files\WinRAR	target.exe
File created	C:\Program Files\WinRAR\RarExt.dll	target.exe
File opened for modification	C:\Program Files\WinRAR\RarExt32.dll	target.exe
File created	C:\Program Files\WinRAR\Resources.pri	target.exe
File created	C:\Program Files\WinRAR\WinCon.SFX	target.exe
File created	C:\Program Files\WinRAR\zipnew.dat	uninstall.exe
File opened for modification	C:\Program Files\WinRAR\Order.htm	target.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.exe	target.exe
File opened for modification	C:\Program Files\WinRAR\RarExt.dll	target.exe
File opened for modification	C:\Program Files\WinRAR\Default32.SFX	target.exe
File opened for modification	C:\Program Files\WinRAR\RarExtInstaller.exe	target.exe
File opened for modification	C:\Program Files\WinRAR\Descript.ion	target.exe
File created	C:\Program Files\WinRAR\Order.htm	target.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.lst	target.exe
File opened for modification	C:\Program Files\WinRAR\RarExtPackage.msix	target.exe
File created	C:\Program Files\WinRAR\rarnew.dat	uninstall.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	target.exe
File opened for modification	C:\Program Files\WinRAR\Zip.SFX	target.exe
File opened for modification	C:\Program Files\WinRAR\Rar.txt	target.exe
File created	C:\Program Files\WinRAR\Uninstall.exe	target.exe
File created	C:\Program Files\WinRAR\RarExtPackage.msix	target.exe
File opened for modification	C:\Program Files\WinRAR\WinCon.SFX	target.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.exe	target.exe
File created	C:\Program Files\WinRAR\7zxa.dll	target.exe
File created	C:\Program Files\WinRAR\Default32.SFX	target.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	target.exe
File created	C:\Program Files\WinRAR\Default.SFX	target.exe
File opened for modification	C:\Program Files\WinRAR\WhatsNew.txt	target.exe
File created	C:\Program Files\WinRAR\RarExt32.dll	target.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	target.exe
File created	C:\Program Files\WinRAR\ReadMe.txt	target.exe
File created	C:\Program Files\WinRAR\Zip.SFX	target.exe
File created	C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_240646203	target.exe
File created	C:\Program Files\WinRAR\License.txt	target.exe
File created	C:\Program Files\WinRAR\RarFiles.lst	target.exe
File created	C:\Program Files\WinRAR\Uninstall.lst	target.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.chm	target.exe
File opened for modification	C:\Program Files\WinRAR\Resources.pri	target.exe
File opened for modification	C:\Program Files\WinRAR\UnRAR.exe	target.exe
File opened for modification	C:\Program Files\WinRAR\7zxa.dll	target.exe
File opened for modification	C:\Program Files\WinRAR\Zip32.SFX	target.exe
File created	C:\Program Files\WinRAR\RarExtInstaller.exe	target.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	target.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	target.exe
File created	C:\Program Files\WinRAR\WhatsNew.txt	target.exe
File created	C:\Program Files\WinRAR\Rar.exe	target.exe
File created	C:\Program Files\WinRAR\WinRAR.exe	target.exe
File created	C:\Program Files\WinRAR\WinCon32.SFX	target.exe
File created	C:\Program Files\WinRAR\WinRAR.chm	target.exe
File created	C:\Program Files\WinRAR\Zip32.SFX	target.exe
File opened for modification	C:\Program Files\WinRAR\ReadMe.txt	target.exe
File opened for modification	C:\Program Files\WinRAR\License.txt	target.exe
File opened for modification	C:\Program Files\WinRAR\RarFiles.lst	target.exe
File opened for modification	C:\Program Files\WinRAR\Rar.exe	target.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ninite WinRAR Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ninite.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\WinRAR\Interface\Misc\RemShown = "1"	Ninite.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133699660337871863"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\WinRAR\Interface\Misc	Ninite.exe
Key created	\REGISTRY\USER\.DEFAULT	Ninite.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	Ninite.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\WinRAR	Ninite.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\WinRAR\Interface	Ninite.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ = "WinRAR.ZIP"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tgz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.z\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cab\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.taz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zipx\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xxe	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lha\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\""	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.taz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rev	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext32.dll"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew\FileName = "C:\\Program Files\\WinRAR\\zipnew.dat"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tlz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uue	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lha	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zipx	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	Ninite WinRAR Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Ninite WinRAR Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Ninite WinRAR Installer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3336	chrome.exe
3336	chrome.exe
5084	Ninite.exe
5084	Ninite.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
2400	WinRAR.exe
3336	chrome.exe
2400	WinRAR.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4384	uninstall.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3336 wrote to memory of 2892	3336	chrome.exe	73
PID 3336 wrote to memory of 2892	3336	chrome.exe	73
PID 3336 wrote to memory of 4072	3336	chrome.exe	75
PID 3336 wrote to memory of 4072	3336	chrome.exe	75
PID 3336 wrote to memory of 4072	3336	chrome.exe	75
PID 3336 wrote to memory of 4072	3336	chrome.exe	75
PID 3336 wrote to memory of 4072	3336	chrome.exe	75
PID 3336 wrote to memory of 4072	3336	chrome.exe	75
PID 3336 wrote to memory of 4072	3336	chrome.exe	75
PID 3336 wrote to memory of 4072	3336	chrome.exe	75
PID 3336 wrote to memory of 4072	3336	chrome.exe	75
PID 3336 wrote to memory of 4072	3336	chrome.exe	75
PID 3336 wrote to memory of 4072	3336	chrome.exe	75
PID 3336 wrote to memory of 4072	3336	chrome.exe	75
PID 3336 wrote to memory of 4072	3336	chrome.exe	75
PID 3336 wrote to memory of 4072	3336	chrome.exe	75
PID 3336 wrote to memory of 4072	3336	chrome.exe	75
PID 3336 wrote to memory of 4072	3336	chrome.exe	75
PID 3336 wrote to memory of 4072	3336	chrome.exe	75
PID 3336 wrote to memory of 4072	3336	chrome.exe	75
PID 3336 wrote to memory of 4072	3336	chrome.exe	75
PID 3336 wrote to memory of 4072	3336	chrome.exe	75
PID 3336 wrote to memory of 4072	3336	chrome.exe	75
PID 3336 wrote to memory of 4072	3336	chrome.exe	75
PID 3336 wrote to memory of 4072	3336	chrome.exe	75
PID 3336 wrote to memory of 4072	3336	chrome.exe	75
PID 3336 wrote to memory of 4072	3336	chrome.exe	75
PID 3336 wrote to memory of 4072	3336	chrome.exe	75
PID 3336 wrote to memory of 4072	3336	chrome.exe	75
PID 3336 wrote to memory of 4072	3336	chrome.exe	75
PID 3336 wrote to memory of 4072	3336	chrome.exe	75
PID 3336 wrote to memory of 4072	3336	chrome.exe	75
PID 3336 wrote to memory of 4072	3336	chrome.exe	75
PID 3336 wrote to memory of 4072	3336	chrome.exe	75
PID 3336 wrote to memory of 4072	3336	chrome.exe	75
PID 3336 wrote to memory of 4072	3336	chrome.exe	75
PID 3336 wrote to memory of 4072	3336	chrome.exe	75
PID 3336 wrote to memory of 4072	3336	chrome.exe	75
PID 3336 wrote to memory of 4072	3336	chrome.exe	75
PID 3336 wrote to memory of 4072	3336	chrome.exe	75
PID 3336 wrote to memory of 4860	3336	chrome.exe	76
PID 3336 wrote to memory of 4860	3336	chrome.exe	76
PID 3336 wrote to memory of 5048	3336	chrome.exe	77
PID 3336 wrote to memory of 5048	3336	chrome.exe	77
PID 3336 wrote to memory of 5048	3336	chrome.exe	77
PID 3336 wrote to memory of 5048	3336	chrome.exe	77
PID 3336 wrote to memory of 5048	3336	chrome.exe	77
PID 3336 wrote to memory of 5048	3336	chrome.exe	77
PID 3336 wrote to memory of 5048	3336	chrome.exe	77
PID 3336 wrote to memory of 5048	3336	chrome.exe	77
PID 3336 wrote to memory of 5048	3336	chrome.exe	77
PID 3336 wrote to memory of 5048	3336	chrome.exe	77
PID 3336 wrote to memory of 5048	3336	chrome.exe	77
PID 3336 wrote to memory of 5048	3336	chrome.exe	77
PID 3336 wrote to memory of 5048	3336	chrome.exe	77
PID 3336 wrote to memory of 5048	3336	chrome.exe	77
PID 3336 wrote to memory of 5048	3336	chrome.exe	77
PID 3336 wrote to memory of 5048	3336	chrome.exe	77
PID 3336 wrote to memory of 5048	3336	chrome.exe	77
PID 3336 wrote to memory of 5048	3336	chrome.exe	77
PID 3336 wrote to memory of 5048	3336	chrome.exe	77
PID 3336 wrote to memory of 5048	3336	chrome.exe	77
PID 3336 wrote to memory of 5048	3336	chrome.exe	77
PID 3336 wrote to memory of 5048	3336	chrome.exe	77

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/uc?id=1BBxQR1RioqaoNT1LBGJA99dWohXhm-Cj&export=download
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff9f08d9758,0x7ff9f08d9768,0x7ff9f08d9778
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1820,i,10976774381286052631,11449259573480607432,131072 /prefetch:2
  2⤵
  PID:4072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1684 --field-trial-handle=1820,i,10976774381286052631,11449259573480607432,131072 /prefetch:8
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2060 --field-trial-handle=1820,i,10976774381286052631,11449259573480607432,131072 /prefetch:8
  2⤵
  PID:5048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2868 --field-trial-handle=1820,i,10976774381286052631,11449259573480607432,131072 /prefetch:1
  2⤵
  PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2876 --field-trial-handle=1820,i,10976774381286052631,11449259573480607432,131072 /prefetch:1
  2⤵
  PID:1392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3756 --field-trial-handle=1820,i,10976774381286052631,11449259573480607432,131072 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4556 --field-trial-handle=1820,i,10976774381286052631,11449259573480607432,131072 /prefetch:8
  2⤵
  PID:2376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4660 --field-trial-handle=1820,i,10976774381286052631,11449259573480607432,131072 /prefetch:8
  2⤵
  PID:780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 --field-trial-handle=1820,i,10976774381286052631,11449259573480607432,131072 /prefetch:8
  2⤵
  PID:2856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4764 --field-trial-handle=1820,i,10976774381286052631,11449259573480607432,131072 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 --field-trial-handle=1820,i,10976774381286052631,11449259573480607432,131072 /prefetch:8
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2864 --field-trial-handle=1820,i,10976774381286052631,11449259573480607432,131072 /prefetch:1
  2⤵
  PID:1504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3840 --field-trial-handle=1820,i,10976774381286052631,11449259573480607432,131072 /prefetch:1
  2⤵
  PID:4104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5716 --field-trial-handle=1820,i,10976774381286052631,11449259573480607432,131072 /prefetch:8
  2⤵
  PID:3628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5724 --field-trial-handle=1820,i,10976774381286052631,11449259573480607432,131072 /prefetch:8
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5776 --field-trial-handle=1820,i,10976774381286052631,11449259573480607432,131072 /prefetch:8
  2⤵
  PID:856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5860 --field-trial-handle=1820,i,10976774381286052631,11449259573480607432,131072 /prefetch:8
  2⤵
  PID:3528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5924 --field-trial-handle=1820,i,10976774381286052631,11449259573480607432,131072 /prefetch:8
  2⤵
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5936 --field-trial-handle=1820,i,10976774381286052631,11449259573480607432,131072 /prefetch:8
  2⤵
  PID:3384
- C:\Users\Admin\Downloads\Ninite WinRAR Installer.exe
  "C:\Users\Admin\Downloads\Ninite WinRAR Installer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  PID:2900
- - C:\Users\Admin\AppData\Local\Temp\468465e8-6b15-11ef-a2ff-6a02b38d1b32\Ninite.exe
    Ninite.exe "6a78d534328aadb5d9f716b6adf2d0c294a3cfa5" /fullpath "C:\Users\Admin\Downloads\Ninite WinRAR Installer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:5084
  - - C:\Users\Admin\AppData\Local\Temp\488C06~1\target.exe
      "C:\Users\Admin\AppData\Local\Temp\488C06~1\target.exe" /S
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:2588
    - - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        5⤵
        
        PID:1048
    - - C:\Program Files\WinRAR\uninstall.exe
        
        "C:\Program Files\WinRAR\uninstall.exe" /setup
        5⤵
        Executes dropped EXE
        Modifies system executable filetype association
        Drops file in Program Files directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:4384
- C:\Program Files\WinRAR\WinRAR.exe
  "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\MLG.rar"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  PID:2400

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinRAR\Rar.txt

Filesize
105KB

MD5
b954981a253f5e1ee25585037a0c5fee

SHA1
96566e5c591df1c740519371ee6953ac1dc6a13f

SHA256
59e40b34b09be2654b793576035639c459ad6e962f9f9cd000d556fa21b1c7cd

SHA512
6a7772c6b404cd7fee50110b894ff0c470e5813264e605852b8dcc06bfaeb62b8cc79adcb695b3da149e42d5372a0d730cc7e8ed893c0bd0edb015fc088b7531

Download Submit
C:\Program Files\WinRAR\Uninstall.exe

Filesize
477KB

MD5
d36be447f422abc82276af9cb2f2741b

SHA1
f3ba2f58a88086f1b420a7520a5439a9eb851b79

SHA256
82a495858708b726f26cb86e2fbab8df86b9008a671be4c1f6c4f24ed3013735

SHA512
b9f5ffe578185b2f112d0bba21fdd6677d64986445ff971e9f6e8aa87a4684c0722b97a473150aff2742929fcaa79f6e336bd05d462bbdce149d634eb2f2d3d0

Download Submit
C:\Program Files\WinRAR\WhatsNew.txt

Filesize
45KB

MD5
1c44c85fdab8e9c663405cd8e4c3dbbd

SHA1
74d44e9cb2bf6f4c152aadb61b2ffc6b6ccd1c88

SHA256
33108dd40b4e07d60e96e1bcfa4ad877eb4906de2cc55844e40360e5d4dafb5d

SHA512
46d3fb4f2d084d51b6fd01845823100abc81913ebd1b0bcfeb52ef18e8222199d282aa45cae452f0716e0e2bf5520f7a6a254363d22b65f7ab6c10f11292ee2d

Download Submit
C:\Program Files\WinRAR\WinRAR.chm

Filesize
316KB

MD5
6ca1bc8bfe8b929f448e1742dacb8e7f

SHA1
eca3e637db230fa179dcd6c6499bd7d616f211e8

SHA256
997184b6f08d36dedc2cd12ee8dc5afb5e6e4bf77f7ab10f7ade9eefdb163344

SHA512
d823f2c960a4d92129b9bda0f4f9195d32e64b929082b5efb9149546b5053021255d1dd03cb443f0a03106314554f76b94173e280a553a81e4ac2ac282877973

Download Submit
C:\Program Files\WinRAR\WinRAR.exe

Filesize
3.1MB

MD5
0d76233931dfa993fd9b546bd5229976

SHA1
ce8de59e2277e9003f3a9c96260ce099ca7cda6c

SHA256
648a5d7064cdf2a86f465ea6b318d0b1ceac905f77c438dac2778a001b50647c

SHA512
dd7b6bd5545c60e9ce21fbde35f20d8807bdaf9e4408321f7f709c9324c719f1a9f68648260cfeb7e5f94f4eabc631dd95e348e55d93b32ea12e899d030b91ee

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR\WinRAR.lnk

Filesize
1KB

MD5
ec64fa738050bf4dcf9da1dbb59f8c2b

SHA1
85e1d7b1182f91f3cf7cc93500a72432a6e87f03

SHA256
0403d955c10265cb900e4d2e233307bcf26006fbd5d29014d18e06ff5da1d689

SHA512
b439af1fdec9201b6e59622593424c9517e672f3888d7f623c548645223cbe50b502f8263046aab5f2ab5bd5cfa14b16f0f62c542ce7065a66f508dd7302a256

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517

Filesize
1KB

MD5
80232acf2a1797839968b6f94c5a1532

SHA1
a79596db0899de31ddbcde27e14a32209c7836bd

SHA256
9859e687378e43ebaca50bf4b7d577a54a9e858a56310df1f218762227b9ccc8

SHA512
2dd8d77a1b48625db04747967e3c3775d7d9b602aff80d587b707660f2b2282786167a1086dba323dfec7cd99fea3f77ac5a6179a993683af59a876e5e2acab1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
2KB

MD5
6f4840e2bcc4ce348ddee87fdaa88176

SHA1
c8cd4236b342dc74a6e7495d320028ecec535e1f

SHA256
796012ce1c9ec077b5d9204e7819f3d3448025ceef2e3db691ba129afc033260

SHA512
b7926abcf3592f186568ea0eefde1e23c7093e53e763761f81f075a6e02564a40521b16793e95dde3cafbed81c6e9b6ee78a637ae8681bf809386cacc1beeaf6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
1KB

MD5
2796a25ced5ad7e04fe288925340085a

SHA1
3d595c87e4bb34d2332d60659f985efdd180e4dd

SHA256
6b892e5a527fe49cf09e93e3acac84329d46766ba8faf2b8264d6ebec788b16a

SHA512
e2eef41f691f3194d43910ff2d6a63f4b90ce49070cb497e84bd78ee62effd19cff624dc1ef23b124dca3d4afa59e670f334bdb6c3eb2bbafa41eaa21a8abedb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517

Filesize
434B

MD5
32e07ff6c132959b53ba535b95ee2ab3

SHA1
6ca240cdd36d6623316c4031c88b25b63aac3bbf

SHA256
8fd4f31e5cc82fbefe20354f9873aa0f26216d4b680b0e2cc6a29aa002521a7d

SHA512
18595b58c3c9b1087c139ddc5b649be3d9cd14f868bc71ac00f30d67449cd46455d2700f9a4e44e97c1ae71a82928e84a29c546d15065df017d9dc990f8f20a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
458B

MD5
d4ab6e4a9f02291abfbcdf736167f2bf

SHA1
baa4828e2a48a5d1eb9a783f226518699f39f4af

SHA256
4f286839e790dc0e918091d364ba4c5d42278791f548a740b922727454d1c46b

SHA512
48d2be7f3d9ca6d171cc6b5301d58a0b4bb743f3596e110cf807750ba789f176c464957049f335137a191ad876ee2ea914269cfbb3663e4ec63dd82403b6cc86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
432B

MD5
9dfa4814a6cb5a1280f95091de347621

SHA1
c2d0a4f032bf805e52d9123d3e394f79e7706394

SHA256
b5179933e53dea0183aec240b7eed9df54eff2f874bb39ec2485c17c3cae84d3

SHA512
936ce8f8c93d906be04858aa8dc5d8445cab3dde8ef732174c3d334f5a8b9dd61c0b0a3823f40ca3c827e618f044c71bc4004da15fade0338552ddf299e2f509

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
b4135f8c3f90c8cc803d5223bf42aab4

SHA1
72ff9ac5653098f250d2eff145bb1c3a76e9d0d5

SHA256
465b6fa6b012513880eceb68261ce3f194aea06ef5547d7993e25157e6b094f5

SHA512
7047e94ef5e054fac43a8db28ba4e59e3e593e589aa3c2ab3d86e9d27662024918533067d9e544bf70d0491d90608815758c90d0fcd56e00dada8a552b4c75e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
8f894b5b10a557f9181d476dc7b0ff66

SHA1
76628589cfc6ff81d7b16162c97c494e6fee78d2

SHA256
6c4189026ba972bf1d7406a546b66958369578a8d84c357b5d6caf333b55cbe8

SHA512
980bfe102ccd48364bba9ae9fb4484916a73d2564e05ffe9c72bf07babf4ceb6b3ee45488b007826a92400af627783440b4fd8a6c79aedc13af2a0c7a676e47b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
bb228a1544aed0c4a1cb68cb1fe7c45b

SHA1
ec5c64dfceb5f169886577061417ceb30948cff7

SHA256
30b046f4d604ba43474fd9ec0dce02ed066c29373a93668bf1ac21009e03a4ca

SHA512
d31b59cdb1c1fcd4973c09579263a7e11e2049a3ecf5ad32cd3764551f0c9a1b06125b7c8335e296d67c1ce6baa9583f3f6c9344744c5ab8ca69771d60bf7e10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
535B

MD5
4d78529e3b70d2b3c85c7073366ba48a

SHA1
75ae921f3366eb1bb675a303190dfe56c161df46

SHA256
6607ed0ea0547eceee597a63334896a12dbbbeeadaa6fdf1c5093f1efd565a6e

SHA512
3685519c5aabc4557460123acd57ff606923cdc302b2919d1637c85b8e381dd5e471e2b0e21d81d13c030a6382eaf44a131ab7d1a4eb9176e6ababc555a706b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
fbc97f9a475ea01031da079d2fe46f81

SHA1
e31f8217b0ad815de448228ea4aac8324d9be304

SHA256
3ef9ac8715638db00784f2082fb979b5c902ce86bf951400f7baca3573611431

SHA512
ee86c0dd42f35f658befeb943565d4c8ad556c47c257c5724061b8ec5b411748c0c393a1f2fe9358a245f4aad7984db974aabdd2754d2197bfbeb4834b1c0871

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3d00761edf0d0d0e99820bc6650b2765

SHA1
3562f1c8fa477e964f81486970c81dfd21aba484

SHA256
58acc8cb3b53a64f93fd5f41500d9f9dc6ff7cde4436774cbd3857fd8a9bbed5

SHA512
1d502b1a885cd726eebb4347dfbf056a5b486f09ae86ed32123a390cac919de0cac02a6e032119db1a26acb700af9c82dbe0de05d1d2818a72b3e32922e348fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d7535bb227b1ff6da2cffa13c946d124

SHA1
7d9d1be6d67be1a9728619f9357061989a99fc46

SHA256
ad258a462498bd8602e5c20d441246943aad28bc4f75363cdb3ca09d49c8b6f3

SHA512
aa4433ed7fd4f5f7d3668375f1c933b76387d7c33b909096d2e28458c2fa3cfcd4317377a9f4dd2ebb0effc21ad63edd88090d93555fddc004882d7022f7d95a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
98a6a4bb3799e5367d607d1f5ed71740

SHA1
9065aadb7647582dbe59abdcf546569124bd1a62

SHA256
e37729a92b7697ad1b021374125f2c3e0096731c390e9e3f7414a48204e7373b

SHA512
72cf510043afa35284384e45a4bdff8ad8c5de303777a6f51fef79e120f117f23dbd071c635f1ed935c856919580fee9224887a96ab147511008ff74646233cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
396e713cf0c4833f4ec5cc9eb9a31bbe

SHA1
dca376b4eea08ffd0160781ddbb8aa2fd6c8e18d

SHA256
38fad4f46a048515bf75c71ef15b2c0085ab59f27ca3346f43e64ab6d5a501e7

SHA512
ba2429314847035380e9ed5b132a653fb22c53ca9b3c70db92f9a28a38ce2fbbb2f04509cd461f6b30a2dfea4bbfd87a62fcbd26868086608cedbf1395c3c8b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
111KB

MD5
60130a0be94548ffc3345dfd8afe4607

SHA1
f8d360dc3219c031e8e4813ebbd6b2134abe97c6

SHA256
6f3dc2abadb2ce785ddefe39b25bdf7aa6d1095252332e74dda355e54e1dda3b

SHA512
5616eaa53ddc06e6f4d536ebc22756d09e8f3e34a7b2c04583deec28d94fafe1f94946066d030343a4f924207e93a17249aaafe899c50a9e90c038649438c8e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe580162.TMP

Filesize
100KB

MD5
372c3fc9794f709c59b4f12653419971

SHA1
4ec038d5ca73e8b14edd41117bf7c5f987ecac7d

SHA256
17a017f41da36a30d32c5e0e46ce22f7881fb04d425f6af48f54766581dfa0f6

SHA512
f20654ad788017a1dec52ab168ce4c66ddcc270af923596165aee8705d3e16b7802de37d3ab25f8d33c2db4bac551d4bde197da6913d2ae449a83db50f2aed32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
5a655c597087cc7107137b27ce8fd36d

SHA1
7da152f7dcf5e62b78b806c6b18c4bb1517321a7

SHA256
24870b884974f1d264bc6d37f716c1838fde270c7f04935aba6cd2b70737c31c

SHA512
bdd6314f483e006c1a44185ed7691f146692706512f99a6fff103ef01c368d25e23a510582cc016c25a0879f5d93fb957a3c4c5c478f0f3a9ccc69a077446d17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\468465e8-6b15-11ef-a2ff-6a02b38d1b32\Ninite.exe

Filesize
1.6MB

MD5
f1db4fe1d4559183cd1b35a257c970cc

SHA1
57d3904540930c3ebf80f30b6b6097bd055b6940

SHA256
a5f912ccbde324b7c5f5d81076ccda813b2d80d311f4c854d358b85b02094d56

SHA512
7ca2546d31b88d701d195adf62e10209f3216033692348b4f8ff54e254baca7c1e72dfbae66ccd5e684cf53900cbed3f5a05ddc24adb251ce752541fb1f56c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\488C06~1\target.exe

Filesize
3.7MB

MD5
3a2f16a044d8f6d2f9443dff6bd1c7d4

SHA1
48c6c0450af803b72a0caa7d5e3863c3f0240ef1

SHA256
31f7ba37180f820313b2d32e76252344598409cb932109dd84a071cd58b64aa6

SHA512
61daee2ce82c3b8e79f7598a79d72e337220ced7607e3ed878a3059ac03257542147dbd377e902cc95f04324e2fb7c5e07d1410f0a1815d5a05c5320e5715ef6

Download Submit
C:\Users\Admin\Downloads\MLG.rar.crdownload

Filesize
10.9MB

MD5
7c7fb86210ab287c5b1b8da0e493818e

SHA1
fd0c9501f63ab40ad21b18f744c0ab126407b305

SHA256
adad0eaee2468fbff99e0089b10b1afec28044a67c100bc70c90f24782a778fe

SHA512
d5e19368b06b73700e1f5b1bbd962ee5ef0293c8eea6f70ef2fe38681c2101f22b5ef6ad42208a0a1439e0435dd830cd94f673cb1756f0a078a181d94e7ec90b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 206614.crdownload

Filesize
415KB

MD5
7bfdbb53f8ec1d54d07f251f6e80f544

SHA1
9f215c804af488423219aa451287d8fba5f49949

SHA256
aceb303c0c63dd79922cf87ed75701d9206a752a526b3b5e212f96368a7751a3

SHA512
42ef70e1c336a6f98464cda4d67a91602808195d48b8b577f6e6136ec2e139dbdd0936bd0cdd8cf06a40e1513ca09ed3a1da03221183d8ad1e87835df91b798f

Download Submit