529f80681ecf521cc214cfa2a8e057e7120a50c1e6ef8b5844e6cc960dcce4cc

Resubmissions

04/09/2024, 07:54

240904-jrrekawfpn 8

04/09/2024, 07:53

04/09/2024, 07:51

04/09/2024, 07:47

04/09/2024, 07:44

Analysis

max time kernel
209s
max time network
204s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
04/09/2024, 07:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New folder.rar
Size

1.2MB
MD5

0e27b6c7d01b34ce5d813fb220666818
SHA1

40b0d7df39cde7189fa2edf8df00f009e689ad58
SHA256

529f80681ecf521cc214cfa2a8e057e7120a50c1e6ef8b5844e6cc960dcce4cc
SHA512

90b5577ae189d2c48329ff5cd8ec56d7bf0f074cc58631a98d71d37e9c88f7e6a46dfcf7001876115c8d3e4c28fae8c4772d9c4f9f7566a9b66ada776bca9894
SSDEEP

24576:tXcf7fkxdJV//YPlCPjHvL7h4tPzka1/v4it7izGHU0Old:tsDC3V//YPUPjPwR31gld

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2252	winrar-x64-701.exe
3796	winrar-x64-701.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133699096655620421"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4124	chrome.exe
4124	chrome.exe
2912	powershell.exe
2912	powershell.exe
2912	powershell.exe
2912	powershell.exe
388	chrome.exe
388	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe
Token: SeShutdownPrivilege	4124	chrome.exe
Token: SeCreatePagefilePrivilege	4124	chrome.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe
4124	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
5084	OpenWith.exe
2252	winrar-x64-701.exe
2252	winrar-x64-701.exe
3796	winrar-x64-701.exe
3796	winrar-x64-701.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 4180	4124	chrome.exe	77
PID 4124 wrote to memory of 4180	4124	chrome.exe	77
PID 4124 wrote to memory of 1724	4124	chrome.exe	79
PID 4124 wrote to memory of 1724	4124	chrome.exe	79
PID 4124 wrote to memory of 1724	4124	chrome.exe	79
PID 4124 wrote to memory of 1724	4124	chrome.exe	79
PID 4124 wrote to memory of 1724	4124	chrome.exe	79
PID 4124 wrote to memory of 1724	4124	chrome.exe	79
PID 4124 wrote to memory of 1724	4124	chrome.exe	79
PID 4124 wrote to memory of 1724	4124	chrome.exe	79
PID 4124 wrote to memory of 1724	4124	chrome.exe	79
PID 4124 wrote to memory of 1724	4124	chrome.exe	79
PID 4124 wrote to memory of 1724	4124	chrome.exe	79
PID 4124 wrote to memory of 1724	4124	chrome.exe	79
PID 4124 wrote to memory of 1724	4124	chrome.exe	79
PID 4124 wrote to memory of 1724	4124	chrome.exe	79
PID 4124 wrote to memory of 1724	4124	chrome.exe	79
PID 4124 wrote to memory of 1724	4124	chrome.exe	79
PID 4124 wrote to memory of 1724	4124	chrome.exe	79
PID 4124 wrote to memory of 1724	4124	chrome.exe	79
PID 4124 wrote to memory of 1724	4124	chrome.exe	79
PID 4124 wrote to memory of 1724	4124	chrome.exe	79
PID 4124 wrote to memory of 1724	4124	chrome.exe	79
PID 4124 wrote to memory of 1724	4124	chrome.exe	79
PID 4124 wrote to memory of 1724	4124	chrome.exe	79
PID 4124 wrote to memory of 1724	4124	chrome.exe	79
PID 4124 wrote to memory of 1724	4124	chrome.exe	79
PID 4124 wrote to memory of 1724	4124	chrome.exe	79
PID 4124 wrote to memory of 1724	4124	chrome.exe	79
PID 4124 wrote to memory of 1724	4124	chrome.exe	79
PID 4124 wrote to memory of 1724	4124	chrome.exe	79
PID 4124 wrote to memory of 1724	4124	chrome.exe	79
PID 4124 wrote to memory of 1724	4124	chrome.exe	79
PID 4124 wrote to memory of 1724	4124	chrome.exe	79
PID 4124 wrote to memory of 1724	4124	chrome.exe	79
PID 4124 wrote to memory of 1724	4124	chrome.exe	79
PID 4124 wrote to memory of 1724	4124	chrome.exe	79
PID 4124 wrote to memory of 1724	4124	chrome.exe	79
PID 4124 wrote to memory of 1724	4124	chrome.exe	79
PID 4124 wrote to memory of 1724	4124	chrome.exe	79
PID 4124 wrote to memory of 828	4124	chrome.exe	80
PID 4124 wrote to memory of 828	4124	chrome.exe	80
PID 4124 wrote to memory of 1732	4124	chrome.exe	81
PID 4124 wrote to memory of 1732	4124	chrome.exe	81
PID 4124 wrote to memory of 1732	4124	chrome.exe	81
PID 4124 wrote to memory of 1732	4124	chrome.exe	81
PID 4124 wrote to memory of 1732	4124	chrome.exe	81
PID 4124 wrote to memory of 1732	4124	chrome.exe	81
PID 4124 wrote to memory of 1732	4124	chrome.exe	81
PID 4124 wrote to memory of 1732	4124	chrome.exe	81
PID 4124 wrote to memory of 1732	4124	chrome.exe	81
PID 4124 wrote to memory of 1732	4124	chrome.exe	81
PID 4124 wrote to memory of 1732	4124	chrome.exe	81
PID 4124 wrote to memory of 1732	4124	chrome.exe	81
PID 4124 wrote to memory of 1732	4124	chrome.exe	81
PID 4124 wrote to memory of 1732	4124	chrome.exe	81
PID 4124 wrote to memory of 1732	4124	chrome.exe	81
PID 4124 wrote to memory of 1732	4124	chrome.exe	81
PID 4124 wrote to memory of 1732	4124	chrome.exe	81
PID 4124 wrote to memory of 1732	4124	chrome.exe	81
PID 4124 wrote to memory of 1732	4124	chrome.exe	81
PID 4124 wrote to memory of 1732	4124	chrome.exe	81
PID 4124 wrote to memory of 1732	4124	chrome.exe	81
PID 4124 wrote to memory of 1732	4124	chrome.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\New folder.rar"
1⤵
- Modifies registry class
PID:2500

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffc37669758,0x7ffc37669768,0x7ffc37669778
  2⤵
  PID:4180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1596 --field-trial-handle=1844,i,8478768408746462419,16527404010070512426,131072 /prefetch:2
  2⤵
  PID:1724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1820 --field-trial-handle=1844,i,8478768408746462419,16527404010070512426,131072 /prefetch:8
  2⤵
  PID:828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2064 --field-trial-handle=1844,i,8478768408746462419,16527404010070512426,131072 /prefetch:8
  2⤵
  PID:1732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2864 --field-trial-handle=1844,i,8478768408746462419,16527404010070512426,131072 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2872 --field-trial-handle=1844,i,8478768408746462419,16527404010070512426,131072 /prefetch:1
  2⤵
  PID:64
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4452 --field-trial-handle=1844,i,8478768408746462419,16527404010070512426,131072 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 --field-trial-handle=1844,i,8478768408746462419,16527404010070512426,131072 /prefetch:8
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 --field-trial-handle=1844,i,8478768408746462419,16527404010070512426,131072 /prefetch:8
  2⤵
  PID:4832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4608 --field-trial-handle=1844,i,8478768408746462419,16527404010070512426,131072 /prefetch:8
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5100 --field-trial-handle=1844,i,8478768408746462419,16527404010070512426,131072 /prefetch:1
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3704 --field-trial-handle=1844,i,8478768408746462419,16527404010070512426,131072 /prefetch:8
  2⤵
  PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5384 --field-trial-handle=1844,i,8478768408746462419,16527404010070512426,131072 /prefetch:8
  2⤵
  PID:376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5396 --field-trial-handle=1844,i,8478768408746462419,16527404010070512426,131072 /prefetch:8
  2⤵
  PID:2844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3956 --field-trial-handle=1844,i,8478768408746462419,16527404010070512426,131072 /prefetch:8
  2⤵
  PID:2744
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5652 --field-trial-handle=1844,i,8478768408746462419,16527404010070512426,131072 /prefetch:8
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5232 --field-trial-handle=1844,i,8478768408746462419,16527404010070512426,131072 /prefetch:8
  2⤵
  PID:2836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 --field-trial-handle=1844,i,8478768408746462419,16527404010070512426,131072 /prefetch:8
  2⤵
  PID:816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=1076 --field-trial-handle=1844,i,8478768408746462419,16527404010070512426,131072 /prefetch:1
  2⤵
  PID:3364
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 --field-trial-handle=1844,i,8478768408746462419,16527404010070512426,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:388

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2280

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\b61876e6c3364e12a43a0a1ea576e338 /t 1640 /p 2252
1⤵
PID:2664

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\e2b16d8869024623a00ab31f5936909b /t 4816 /p 3796
1⤵
PID:996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2912

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
2d987f5e2836c82339a22d86e6aaad0c

SHA1
71b626a842529d0ec542a357a322c545fb33403d

SHA256
33e1808c51d05dd288f335e9c08f3c984ef7987ea829ed363be6a275ca06a2f0

SHA512
9182834958dadc0f0d562ebf0dcaf91eb4addb36cb6edbeeb405f468a1db4cd752cd567bd715c987607d195a871de314730e24ad0b3e7ce853a630ff22e42142

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e1b6f789804936fe3dd9150f9b0ee931

SHA1
0ab8885017454f75a2590cff555832cbf88e0a45

SHA256
d77207ecdcc33801d3df3c8ea71640b65177a90726eb7cc45bd39109288b155a

SHA512
14e421d0752425789754f0d6d64316dead2cf51cdb8eb0cb0bc72cde6ddff243a26209ec1919057aebd7a0182e074322ef30a5f8c991b9a36bf50268336867c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
5db241cedd1b3aa4d67107499910fbcb

SHA1
a3f63f8260ec11afa8987370bb806d46f356e926

SHA256
1877fd3aeb8210065d055e99a91a0a5b5ea80c52d7c079d8e3090f9f37d4ac11

SHA512
3cc5de58f5c970a5c3f01ba02ac4f2ffb42f918302d58a5b1a70f25606c88eb7d13af39afd135bf45a2af2dfd1c34a29a40b88da0b57f41c0f1e5a32b5a01954

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
703B

MD5
660237050f524be651fd90aaacc9a094

SHA1
35c2d641ffd60cd4ed0b100f1a33f77fe52fb8c3

SHA256
d37d9f7f99babe699314137997335d202d9b3f4a51046959575fc6d6cf26f5ff

SHA512
d231b49cf2c62518e1f921a8bb8ee180f3d71c4b7ea2a34fbfb1f1be91c031d2768b3f33d0429963410242641dfec25698e08487054f5b617a5a383fbc8414b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
703B

MD5
052e621836bc6a628dc7cd0df2179c19

SHA1
b28e0a18ca937ac27817179bc67bb70ba0dcc79e

SHA256
7e704be4cc5ac4d0bb285f951a9241f84b9285edd21426f7b6f1506a5392a0b0

SHA512
1727293e6af9b69e3e703b13377325db9e96773a192de7b23e40fdd76de0243d3cc557b6b96e66bc06890664f2c6a183a050cd98f83698114a7c66144f04a059

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
89f54fb9ec99739a607a22e06cc335b6

SHA1
14fb21c51b5e0a2fe88fd7e8e7378a11b8f30bf4

SHA256
7f427fc8940c6913ab549f4275d80a8a9cb2bef915ae897e0e16838a4b25bfc2

SHA512
329ab2ae9be316461f3fa7f617985c0a6a41c615732fb697befc5044795c12c29b650c85d439a11b06c01f7a242153995ae91820206cae3a98a2dc566c09443d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d52acf006393d6aebe2af09d8e56b193

SHA1
8a720e848d46cf94a49d073a892e2259eb92d90f

SHA256
8dc3a4ca20a599ab1ce1896970d3a723f9c83c376298d7f33a241afc4ae2e20f

SHA512
17ceca83ee650425c7de58c86d19e99bfaf9498c92a8fdbf59845f99da000dbf53cbf64afbedd6a235a4e9c39f16ddd03a32223ef42285dbace5338c717c8255

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
baa24ed7f341aa4cb7eaa685030bf5a0

SHA1
29b9b1040f579040a463180f9127a486a689a703

SHA256
a776afea484617f15c6897e25b76f85125884e1d75eaca7c95630a722da3310c

SHA512
55a4b2b5b3459b1a1ed614cfbde036a47711bfd3700a423bb7c5f096df64884da395f871e2fcf6b07310e91ed4c594506f30dca9a49f92cdce24ca6154d1f2e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
455995d5c54a9108f1ffcf0efd87930a

SHA1
7e9115ca89039907883b49812c789ea9b8d8eb76

SHA256
fa8cfc868b4fc0c5f3f162e39862c8e75e8e64acc3c6f2d9b670a922fa4a7764

SHA512
8c61a929a10f489ede041bac9f281fc6330a193150cb781dda27cd511e2fd29dd7989cb293769e6cdbeede20b4e47e0304de2d0b788ca90e294ac3302b855c44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
8dd65c28a7434466d32458680b9e8653

SHA1
a705e3797e169fdf7f76c63e9b159903493dc146

SHA256
3ce51557127b03e8de1280fb6a2f5184fc503e36706be3a4eadac3a4d7e3660b

SHA512
3b5cce08314bd109c46fc39e5401819be46955aa85c5d8651fffe085b48c83e07160279922767e9f2cd734045ea7b2e96bea38ce51697698a479be12b3402803

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
303KB

MD5
9cff789c3399864517b81b724be66301

SHA1
dd69e28d90745ecd367968dc350e7717b1031ab2

SHA256
74db30b4d63169e7f21159a7fb40adb35b6352c488cb58e0395c1f81927d3611

SHA512
30701406bb472286cb0896a451adc9c399c620b929b4a2f26ab44e49ca66654764d7c849ca0dfb91e0f4dd099ade3ba29ce486f68dfeeb122f66ed4f5e9f930d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
303KB

MD5
8a0e8c36f2ae6f52a0223eb77c52e0d8

SHA1
0297de7e771427651a02de3bab16740c3db1dafa

SHA256
86e4e4d63856e2e867755025340c34675150550481b24a2ea8b7965bfaf26605

SHA512
8b968ec93f66c2f0c9433c40aaa7e27cbe7ddacab64b82c4e8331d7eb4ea4bc0e40aa8ebd3358f2b210f80e94d5479d2f37e054967a041ad8bf28804c80ef412

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
106KB

MD5
33a47bb4b411fe867aa2d3ae582e486f

SHA1
229dda8fb952730efe457cd4dc419a975b1e0ec8

SHA256
160062003596531819be46b03a9c058d7edef5fec7fe1d29c33aaaedd3a5182d

SHA512
87501d5d8ed92701fb6d4ec49a67d0a03bd8f1b55f103be6bf8312ef33d1e2af43a7e7bad3e67c6b6987f793c3de0a69f637ef1f47416d07b2db24d84f814cf3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57f6f3.TMP

Filesize
93KB

MD5
3864ebf0b5cda562661f35c4d36b94ef

SHA1
7179d4e874e12d6bb79e53bdaf23cdeeadfff4bc

SHA256
2dcc87f3d38978db2c58598131c8bee34169c9e90cd86410bee81f2974dcef50

SHA512
4d6e81e2e97421f21c9b9d37e8046f29df8cdb32fdab8ef4fe987ef0fd0707296498e748ced408015e2ee504983522ff43f836c9e2e06aa1386771e1492df482

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x5hu2url.ptz.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701.exe

Filesize
3.8MB

MD5
46c17c999744470b689331f41eab7df1

SHA1
b8a63127df6a87d333061c622220d6d70ed80f7c

SHA256
c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

SHA512
4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6

Download Submit
memory/2912-183-0x000001FE59770000-0x000001FE59792000-memory.dmp

Filesize
136KB

Download
memory/2912-210-0x000001FE597E0000-0x000001FE5981C000-memory.dmp

Filesize
240KB

Download
memory/2912-221-0x000001FE71E00000-0x000001FE71E76000-memory.dmp

Filesize
472KB

Download