3418a32a51104129f7b6a03c18ef6e2989108fe6552c49a81f56fe61ea6522c4

Analysis

max time kernel
600s
max time network
364s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-10-2024 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DR4eat.exe
Size

477KB
MD5

ea0711812c4f773da344e725a843712f
SHA1

82e87f6097e423306934a1319ef6d5191b05636b
SHA256

478b3048a9b82c42c029083a6cf8ef0a012147e8901a3272c3882da838c47aa6
SHA512

60a9bdb837af84dbfa6a761d297ffb3c7f9cd93989067e1d3b707885b5e34d5823e2aa006e727dd3b519a100494c8bfbc9a07ddd1f6015575d00937eaa208c66
SSDEEP

12288:Wa5KxDkM/ByYqzQsPjC/2pzYvsuTgEV11fIUWs:WNaM/QYqzQsPjC/mzWRgyN

Score

8^/10

credential_access discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Downloads MZ/PE file
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 6 IoCs

pid	Process
2128	winrar-x64-701.exe
1068	uninstall.exe
808	WinRAR.exe
2104	WinRAR.exe
1512	WinRAR.exe
1856	Javaw.exe

Loads dropped DLL 23 IoCs

pid	Process
828	chrome.exe
1016	chrome.exe
3004	chrome.exe
1248	Process not Found
2128	winrar-x64-701.exe
1248	Process not Found
1068	uninstall.exe
1068	uninstall.exe
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
616	taskmgr.exe

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WinRAR\Rar.txt	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Default32.SFX	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\License.txt	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Resources.pri	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\WinCon32.SFX	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Order.htm	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Resources.pri	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\RarExtInstaller.exe	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\RarExtPackage.msix	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Default.SFX	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Zip32.SFX	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\rarnew.dat	uninstall.exe
File created	C:\Program Files\WinRAR\Descript.ion	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Rar.exe	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\RarExtPackage.msix	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Default32.SFX	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Descript.ion	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Rar.txt	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Zip32.SFX	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\License.txt	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Rar.exe	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\RarExtInstaller.exe	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Default.SFX	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_259469224	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\zipnew.dat	uninstall.exe
File opened for modification	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Order.htm	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\WinCon32.SFX	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-701.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	Javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	winrar-x64-701.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ShellNew\FileName = "C:\\Program Files\\WinRAR\\rarnew.dat"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uu	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\ = "WinRAR archive"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.7z	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.taz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz2\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zipx	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\""	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zipx\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tar	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zst\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cab	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.arj	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tlz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uue	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\ = "WinRAR ZIP archive"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rev	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.001\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.z	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zst	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\ = "RAR recovery volume"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rev\ = "WinRAR.REV"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.z\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tlz	uninstall.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2860	DR4eat.exe
3004	chrome.exe
3004	chrome.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
616	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
808	WinRAR.exe
808	WinRAR.exe
808	WinRAR.exe
808	WinRAR.exe
2104	WinRAR.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe
616	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2128	winrar-x64-701.exe
2128	winrar-x64-701.exe
1856	Javaw.exe
1856	Javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 3008	3004	chrome.exe	31
PID 3004 wrote to memory of 3008	3004	chrome.exe	31
PID 3004 wrote to memory of 3008	3004	chrome.exe	31
PID 3004 wrote to memory of 2876	3004	chrome.exe	33
PID 3004 wrote to memory of 2876	3004	chrome.exe	33
PID 3004 wrote to memory of 2876	3004	chrome.exe	33
PID 3004 wrote to memory of 2876	3004	chrome.exe	33
PID 3004 wrote to memory of 2876	3004	chrome.exe	33
PID 3004 wrote to memory of 2876	3004	chrome.exe	33
PID 3004 wrote to memory of 2876	3004	chrome.exe	33
PID 3004 wrote to memory of 2876	3004	chrome.exe	33
PID 3004 wrote to memory of 2876	3004	chrome.exe	33
PID 3004 wrote to memory of 2876	3004	chrome.exe	33
PID 3004 wrote to memory of 2876	3004	chrome.exe	33
PID 3004 wrote to memory of 2876	3004	chrome.exe	33
PID 3004 wrote to memory of 2876	3004	chrome.exe	33
PID 3004 wrote to memory of 2876	3004	chrome.exe	33
PID 3004 wrote to memory of 2876	3004	chrome.exe	33
PID 3004 wrote to memory of 2876	3004	chrome.exe	33
PID 3004 wrote to memory of 2876	3004	chrome.exe	33
PID 3004 wrote to memory of 2876	3004	chrome.exe	33
PID 3004 wrote to memory of 2876	3004	chrome.exe	33
PID 3004 wrote to memory of 2876	3004	chrome.exe	33
PID 3004 wrote to memory of 2876	3004	chrome.exe	33
PID 3004 wrote to memory of 2876	3004	chrome.exe	33
PID 3004 wrote to memory of 2876	3004	chrome.exe	33
PID 3004 wrote to memory of 2876	3004	chrome.exe	33
PID 3004 wrote to memory of 2876	3004	chrome.exe	33
PID 3004 wrote to memory of 2876	3004	chrome.exe	33
PID 3004 wrote to memory of 2876	3004	chrome.exe	33
PID 3004 wrote to memory of 2876	3004	chrome.exe	33
PID 3004 wrote to memory of 2876	3004	chrome.exe	33
PID 3004 wrote to memory of 2876	3004	chrome.exe	33
PID 3004 wrote to memory of 2876	3004	chrome.exe	33
PID 3004 wrote to memory of 2876	3004	chrome.exe	33
PID 3004 wrote to memory of 2876	3004	chrome.exe	33
PID 3004 wrote to memory of 2876	3004	chrome.exe	33
PID 3004 wrote to memory of 2876	3004	chrome.exe	33
PID 3004 wrote to memory of 2876	3004	chrome.exe	33
PID 3004 wrote to memory of 2876	3004	chrome.exe	33
PID 3004 wrote to memory of 2876	3004	chrome.exe	33
PID 3004 wrote to memory of 2876	3004	chrome.exe	33
PID 3004 wrote to memory of 2712	3004	chrome.exe	34
PID 3004 wrote to memory of 2712	3004	chrome.exe	34
PID 3004 wrote to memory of 2712	3004	chrome.exe	34
PID 3004 wrote to memory of 2944	3004	chrome.exe	35
PID 3004 wrote to memory of 2944	3004	chrome.exe	35
PID 3004 wrote to memory of 2944	3004	chrome.exe	35
PID 3004 wrote to memory of 2944	3004	chrome.exe	35
PID 3004 wrote to memory of 2944	3004	chrome.exe	35
PID 3004 wrote to memory of 2944	3004	chrome.exe	35
PID 3004 wrote to memory of 2944	3004	chrome.exe	35
PID 3004 wrote to memory of 2944	3004	chrome.exe	35
PID 3004 wrote to memory of 2944	3004	chrome.exe	35
PID 3004 wrote to memory of 2944	3004	chrome.exe	35
PID 3004 wrote to memory of 2944	3004	chrome.exe	35
PID 3004 wrote to memory of 2944	3004	chrome.exe	35
PID 3004 wrote to memory of 2944	3004	chrome.exe	35
PID 3004 wrote to memory of 2944	3004	chrome.exe	35
PID 3004 wrote to memory of 2944	3004	chrome.exe	35
PID 3004 wrote to memory of 2944	3004	chrome.exe	35
PID 3004 wrote to memory of 2944	3004	chrome.exe	35
PID 3004 wrote to memory of 2944	3004	chrome.exe	35
PID 3004 wrote to memory of 2944	3004	chrome.exe	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\DR4eat.exe
"C:\Users\Admin\AppData\Local\Temp\DR4eat.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6a99758,0x7fef6a99768,0x7fef6a99778
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1140 --field-trial-handle=1380,i,4151299576032500412,18015299223404334933,131072 /prefetch:2
  2⤵
  PID:2876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 --field-trial-handle=1380,i,4151299576032500412,18015299223404334933,131072 /prefetch:8
  2⤵
  PID:2712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1380,i,4151299576032500412,18015299223404334933,131072 /prefetch:8
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2324 --field-trial-handle=1380,i,4151299576032500412,18015299223404334933,131072 /prefetch:1
  2⤵
  PID:2104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2332 --field-trial-handle=1380,i,4151299576032500412,18015299223404334933,131072 /prefetch:1
  2⤵
  PID:2108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1580 --field-trial-handle=1380,i,4151299576032500412,18015299223404334933,131072 /prefetch:2
  2⤵
  PID:1836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3216 --field-trial-handle=1380,i,4151299576032500412,18015299223404334933,131072 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3460 --field-trial-handle=1380,i,4151299576032500412,18015299223404334933,131072 /prefetch:8
  2⤵
  PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3568 --field-trial-handle=1380,i,4151299576032500412,18015299223404334933,131072 /prefetch:8
  2⤵
  PID:2968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3456 --field-trial-handle=1380,i,4151299576032500412,18015299223404334933,131072 /prefetch:8
  2⤵
  PID:268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3732 --field-trial-handle=1380,i,4151299576032500412,18015299223404334933,131072 /prefetch:1
  2⤵
  PID:780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2632 --field-trial-handle=1380,i,4151299576032500412,18015299223404334933,131072 /prefetch:1
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3464 --field-trial-handle=1380,i,4151299576032500412,18015299223404334933,131072 /prefetch:8
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4024 --field-trial-handle=1380,i,4151299576032500412,18015299223404334933,131072 /prefetch:8
  2⤵
  PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4076 --field-trial-handle=1380,i,4151299576032500412,18015299223404334933,131072 /prefetch:8
  2⤵
  PID:1764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4060 --field-trial-handle=1380,i,4151299576032500412,18015299223404334933,131072 /prefetch:8
  2⤵
  PID:1092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4128 --field-trial-handle=1380,i,4151299576032500412,18015299223404334933,131072 /prefetch:8
  2⤵
  - Loads dropped DLL
  PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4124 --field-trial-handle=1380,i,4151299576032500412,18015299223404334933,131072 /prefetch:8
  2⤵
  - Loads dropped DLL
  PID:828
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2128
- - C:\Program Files\WinRAR\uninstall.exe
    "C:\Program Files\WinRAR\uninstall.exe" /setup
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Drops file in Program Files directory
    - Modifies registry class
    PID:1068

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:384

C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe" a -ep1 -scul -r0 -iext -iextdf -imon1 -- . "C:\Users\Public\Desktop\Google Chrome.lnk"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:808

C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Desktop\WaitBlock.zip"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:2104

C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe" a -ep1 -scul -r0 -iext -imon1 -- . "C:\Users\Public\Desktop\Google Chrome.lnk"
1⤵
- Executes dropped EXE
PID:1512

C:\Users\Admin\Desktop\Javaw.exe
"C:\Users\Admin\Desktop\Javaw.exe"
1⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1856

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinRAR\Rar.txt

Filesize
105KB

MD5
b954981a253f5e1ee25585037a0c5fee

SHA1
96566e5c591df1c740519371ee6953ac1dc6a13f

SHA256
59e40b34b09be2654b793576035639c459ad6e962f9f9cd000d556fa21b1c7cd

SHA512
6a7772c6b404cd7fee50110b894ff0c470e5813264e605852b8dcc06bfaeb62b8cc79adcb695b3da149e42d5372a0d730cc7e8ed893c0bd0edb015fc088b7531

Download Submit
C:\Program Files\WinRAR\WhatsNew.txt

Filesize
45KB

MD5
1c44c85fdab8e9c663405cd8e4c3dbbd

SHA1
74d44e9cb2bf6f4c152aadb61b2ffc6b6ccd1c88

SHA256
33108dd40b4e07d60e96e1bcfa4ad877eb4906de2cc55844e40360e5d4dafb5d

SHA512
46d3fb4f2d084d51b6fd01845823100abc81913ebd1b0bcfeb52ef18e8222199d282aa45cae452f0716e0e2bf5520f7a6a254363d22b65f7ab6c10f11292ee2d

Download Submit
C:\Program Files\WinRAR\WinRAR.chm

Filesize
316KB

MD5
6ca1bc8bfe8b929f448e1742dacb8e7f

SHA1
eca3e637db230fa179dcd6c6499bd7d616f211e8

SHA256
997184b6f08d36dedc2cd12ee8dc5afb5e6e4bf77f7ab10f7ade9eefdb163344

SHA512
d823f2c960a4d92129b9bda0f4f9195d32e64b929082b5efb9149546b5053021255d1dd03cb443f0a03106314554f76b94173e280a553a81e4ac2ac282877973

Download Submit
C:\Program Files\WinRAR\WinRAR.exe

Filesize
3.1MB

MD5
53cf9bacc49c034e9e947d75ffab9224

SHA1
7db940c68d5d351e4948f26425cd9aee09b49b3f

SHA256
3b214fd9774c6d96332e50a501c5e467671b8b504070bbb17e497083b7e282c3

SHA512
44c9154b1fdbcf27ab7faee6be5b563a18b2baead3e68b3ea788c6c76cf582f52f3f87bd447a4f6e25ec7d4690761332211659d754fb4e0630c22a372e470bda

Download Submit
C:\Program Files\WinRAR\default.sfx

Filesize
437KB

MD5
ab1c239d68d65d84ee139dd0c8ce8a52

SHA1
1a638556de77369151839bf7a570d972410360e3

SHA256
b83a105dda4806f7ac5e9f3b6546829b37d42d85911d1c4487b1e95bfea91e9d

SHA512
ea2306628f2079bdf5420c12af3d097c78fb3d3cd90ae2283c6f591e0751325f3af675bb257b812babb4d03f7493e2819b97fca969dc9b5031ec07bb8517ecfb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
65a5585723f2927656918cd3ad955e88

SHA1
ba9250e08ffd7ab8e1eefa58b9683670824fcbd3

SHA256
e775c371410b4dd36b5d69985ccf53db6fe4386855b8c82f066e2f7cc10585b4

SHA512
2dfcafbcedf51b83b87c977dcbe9a8e21833a375b1c66c9cc4ec2161637dcfd2a0a4ef4dc9a6e5d88802323bdeb0ebeb59b277b0b86311764c9f2f184ac9d758

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9d1b859480ee71bb6e3dd226fe114780

SHA1
0327478a86b3172e24f2573167ca60acbfd70f81

SHA256
19b7c5e04cac0110fdbe2bc09699c07d272e6d451e2902252eaba366b290e07f

SHA512
02fbb1e4791d790199ed17044056726732adaa4ec8d21f25c5a87b140dc017062128fea5f0a9ce7584700d5b5211f4d493e9e2cb14182a712ead38c99c991a78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
887190157e4bf92098447078ecfbf4e0

SHA1
1d13114fc69055a253b2e1b9f5b003c96d811f02

SHA256
c7aa6ecbb6116abf111cc720d69a41e15a3f1326c43609631bbea83e2a63ea16

SHA512
05224e0f982c124f02a5c06dd2b490d740185e7be1353b344db24f2f23d4dcb813e6460f71c7f45674bbdd34835473a75e5402c5f2659406947efe897008b539

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
342KB

MD5
1b18eb5f1156a9d6f0644ff0b69b0bb2

SHA1
6f599cbfbf96b6005823e89045d3337b094e6100

SHA256
db83b2df487a9d24955d89f4614f1a533c20939b518a54b0414a9bb9d8612ca3

SHA512
735e1b815682e7e7d948a260206ad15391294f832089d73336a001a63e7c330ad4f44ea8631bc26053a6d39f83554b994631757c23d97533178b332f244e439d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\d60c6de1-6f36-4355-95ce-683b5a47df2b.tmp

Filesize
342KB

MD5
92de5fd4cbfa6cff4ad363627a00e7b4

SHA1
f066c38f5c5d484b1061afaa26361d2de400a7cd

SHA256
9b08b520fc657ab621e10ed0a54c708aea3f5d17277a227b18c5a55d059c9771

SHA512
7c93578e38b5de6b29c2befc32c9152b8f4b866505b0eeabb88eb0077d0a143fbc843d8250f02b186e8ae2c9f1a79fbbf4aa1b4ae17b13f87d61f1c26b338ec9

Download Submit
C:\Users\Admin\AppData\Roaming\WinRAR\version.dat

Filesize
12B

MD5
17daf488dddc4b4e5351e50a090b9151

SHA1
fed187d13c3ff65781e8252c1f64709c5eeb4fe1

SHA256
a40f031dd7106ce5af479432306d8337f97c10880e0310636eca954258f913a8

SHA512
2d1f235b20e491efc78f0c91bb712df5bb7808d017ba77b6cbb5e273f2841ec2909d25fcbfadc2485100f33133ec3ab39d753263e4a219e5a63173b428f718b7

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701.exe

Filesize
3.8MB

MD5
46c17c999744470b689331f41eab7df1

SHA1
b8a63127df6a87d333061c622220d6d70ed80f7c

SHA256
c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

SHA512
4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6

Download Submit
\Program Files\WinRAR\RarExt.dll

Filesize
636KB

MD5
1e86c3bfcc0688bdbe629ed007b184b0

SHA1
793fada637d0d462e3511af3ffaec26c33248fac

SHA256
7b08daee81a32f72dbc10c5163b4d10eb48da8bb7920e9253be296774029f4ef

SHA512
4f8ae58bbf55acb13600217ed0eef09fa5f124682cedd2bfc489d83d921f609b66b0294d8450acb1a85d838adb0e8394dadf5282817dba576571e730704f43ac

Download Submit
\Program Files\WinRAR\Uninstall.exe

Filesize
477KB

MD5
4783f1a5f0bba7a6a40cb74bc8c41217

SHA1
a22b9dc8074296841a5a78ea41f0e2270f7b7ad7

SHA256
f376aaa0d4444d0727db5598e8377f9f1606400adbbb4772d39d1e4937d5f28c

SHA512
463dff17f06eca41ae76e3c0b2efc4ef36529aa2eaed5163eec0a912fe7802c9fb38c37acfe94b82972861aaf1acf02823a5948fbb3292bb4743641acb99841e

Download Submit
\Users\Admin\Desktop\Javaw.exe

Filesize
438KB

MD5
c8f4b62fe30c9fe9960edca7a2c35df8

SHA1
7992210316d2e4e949ea7b420dfb83a2e57b1551

SHA256
d903445dab870e6ea358e45cccdd6d11858bc4a2b6ab936edb33919731041af2

SHA512
573c3be0f71149626fcfb8bf6328ec7817e8d15f5ddf66a691ba90cf73f821b4e38d5c053aa66a7e8985c860191d31a1a7cbd08ab88840e552e56a615c69b79f

Download Submit
memory/616-406-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/616-407-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/616-408-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/616-409-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download