hxxps://tinyurl[.]com/eafc25hack

Analysis

max time kernel
153s
max time network
154s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
09/10/2024, 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://tinyurl.com/eafc25hack

Score

8^/10

defense_evasion discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
3088	winrar-x64-701.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133729451353119629"	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Artur Idiotov-Various Files-ModifyX-2024109-3501.zip:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4504	chrome.exe
4504	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4504	chrome.exe
Token: SeCreatePagefilePrivilege	4504	chrome.exe
Token: SeShutdownPrivilege	4504	chrome.exe
Token: SeCreatePagefilePrivilege	4504	chrome.exe
Token: SeShutdownPrivilege	4504	chrome.exe
Token: SeCreatePagefilePrivilege	4504	chrome.exe
Token: SeShutdownPrivilege	4504	chrome.exe
Token: SeCreatePagefilePrivilege	4504	chrome.exe
Token: SeShutdownPrivilege	4504	chrome.exe
Token: SeCreatePagefilePrivilege	4504	chrome.exe
Token: SeShutdownPrivilege	4504	chrome.exe
Token: SeCreatePagefilePrivilege	4504	chrome.exe
Token: SeShutdownPrivilege	4504	chrome.exe
Token: SeCreatePagefilePrivilege	4504	chrome.exe
Token: SeShutdownPrivilege	4504	chrome.exe
Token: SeCreatePagefilePrivilege	4504	chrome.exe
Token: SeShutdownPrivilege	4504	chrome.exe
Token: SeCreatePagefilePrivilege	4504	chrome.exe
Token: SeShutdownPrivilege	4504	chrome.exe
Token: SeCreatePagefilePrivilege	4504	chrome.exe
Token: SeShutdownPrivilege	4504	chrome.exe
Token: SeCreatePagefilePrivilege	4504	chrome.exe
Token: SeShutdownPrivilege	4504	chrome.exe
Token: SeCreatePagefilePrivilege	4504	chrome.exe
Token: SeShutdownPrivilege	4504	chrome.exe
Token: SeCreatePagefilePrivilege	4504	chrome.exe
Token: SeShutdownPrivilege	4504	chrome.exe
Token: SeCreatePagefilePrivilege	4504	chrome.exe
Token: SeShutdownPrivilege	4504	chrome.exe
Token: SeCreatePagefilePrivilege	4504	chrome.exe
Token: SeShutdownPrivilege	4504	chrome.exe
Token: SeCreatePagefilePrivilege	4504	chrome.exe
Token: SeShutdownPrivilege	4504	chrome.exe
Token: SeCreatePagefilePrivilege	4504	chrome.exe
Token: SeShutdownPrivilege	4504	chrome.exe
Token: SeCreatePagefilePrivilege	4504	chrome.exe
Token: SeShutdownPrivilege	4504	chrome.exe
Token: SeCreatePagefilePrivilege	4504	chrome.exe
Token: SeShutdownPrivilege	4504	chrome.exe
Token: SeCreatePagefilePrivilege	4504	chrome.exe
Token: SeShutdownPrivilege	4504	chrome.exe
Token: SeCreatePagefilePrivilege	4504	chrome.exe
Token: SeShutdownPrivilege	4504	chrome.exe
Token: SeCreatePagefilePrivilege	4504	chrome.exe
Token: SeShutdownPrivilege	4504	chrome.exe
Token: SeCreatePagefilePrivilege	4504	chrome.exe
Token: SeShutdownPrivilege	4504	chrome.exe
Token: SeCreatePagefilePrivilege	4504	chrome.exe
Token: SeShutdownPrivilege	4504	chrome.exe
Token: SeCreatePagefilePrivilege	4504	chrome.exe
Token: SeShutdownPrivilege	4504	chrome.exe
Token: SeCreatePagefilePrivilege	4504	chrome.exe
Token: SeShutdownPrivilege	4504	chrome.exe
Token: SeCreatePagefilePrivilege	4504	chrome.exe
Token: SeShutdownPrivilege	4504	chrome.exe
Token: SeCreatePagefilePrivilege	4504	chrome.exe
Token: SeShutdownPrivilege	4504	chrome.exe
Token: SeCreatePagefilePrivilege	4504	chrome.exe
Token: SeShutdownPrivilege	4504	chrome.exe
Token: SeCreatePagefilePrivilege	4504	chrome.exe
Token: SeShutdownPrivilege	4504	chrome.exe
Token: SeCreatePagefilePrivilege	4504	chrome.exe
Token: SeShutdownPrivilege	4504	chrome.exe
Token: SeCreatePagefilePrivilege	4504	chrome.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe
4504	chrome.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
2028	OpenWith.exe
2028	OpenWith.exe
2028	OpenWith.exe
1080	OpenWith.exe
1080	OpenWith.exe
1080	OpenWith.exe
1080	OpenWith.exe
1080	OpenWith.exe
1080	OpenWith.exe
1080	OpenWith.exe
1080	OpenWith.exe
1080	OpenWith.exe
1080	OpenWith.exe
1080	OpenWith.exe
1080	OpenWith.exe
1080	OpenWith.exe
1080	OpenWith.exe
1080	OpenWith.exe
1080	OpenWith.exe
1080	OpenWith.exe
1080	OpenWith.exe
1080	OpenWith.exe
3088	winrar-x64-701.exe
3088	winrar-x64-701.exe
3088	winrar-x64-701.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 1608	4504	chrome.exe	79
PID 4504 wrote to memory of 1608	4504	chrome.exe	79
PID 4504 wrote to memory of 1536	4504	chrome.exe	80
PID 4504 wrote to memory of 1536	4504	chrome.exe	80
PID 4504 wrote to memory of 1536	4504	chrome.exe	80
PID 4504 wrote to memory of 1536	4504	chrome.exe	80
PID 4504 wrote to memory of 1536	4504	chrome.exe	80
PID 4504 wrote to memory of 1536	4504	chrome.exe	80
PID 4504 wrote to memory of 1536	4504	chrome.exe	80
PID 4504 wrote to memory of 1536	4504	chrome.exe	80
PID 4504 wrote to memory of 1536	4504	chrome.exe	80
PID 4504 wrote to memory of 1536	4504	chrome.exe	80
PID 4504 wrote to memory of 1536	4504	chrome.exe	80
PID 4504 wrote to memory of 1536	4504	chrome.exe	80
PID 4504 wrote to memory of 1536	4504	chrome.exe	80
PID 4504 wrote to memory of 1536	4504	chrome.exe	80
PID 4504 wrote to memory of 1536	4504	chrome.exe	80
PID 4504 wrote to memory of 1536	4504	chrome.exe	80
PID 4504 wrote to memory of 1536	4504	chrome.exe	80
PID 4504 wrote to memory of 1536	4504	chrome.exe	80
PID 4504 wrote to memory of 1536	4504	chrome.exe	80
PID 4504 wrote to memory of 1536	4504	chrome.exe	80
PID 4504 wrote to memory of 1536	4504	chrome.exe	80
PID 4504 wrote to memory of 1536	4504	chrome.exe	80
PID 4504 wrote to memory of 1536	4504	chrome.exe	80
PID 4504 wrote to memory of 1536	4504	chrome.exe	80
PID 4504 wrote to memory of 1536	4504	chrome.exe	80
PID 4504 wrote to memory of 1536	4504	chrome.exe	80
PID 4504 wrote to memory of 1536	4504	chrome.exe	80
PID 4504 wrote to memory of 1536	4504	chrome.exe	80
PID 4504 wrote to memory of 1536	4504	chrome.exe	80
PID 4504 wrote to memory of 1536	4504	chrome.exe	80
PID 4504 wrote to memory of 4276	4504	chrome.exe	81
PID 4504 wrote to memory of 4276	4504	chrome.exe	81
PID 4504 wrote to memory of 2064	4504	chrome.exe	82
PID 4504 wrote to memory of 2064	4504	chrome.exe	82
PID 4504 wrote to memory of 2064	4504	chrome.exe	82
PID 4504 wrote to memory of 2064	4504	chrome.exe	82
PID 4504 wrote to memory of 2064	4504	chrome.exe	82
PID 4504 wrote to memory of 2064	4504	chrome.exe	82
PID 4504 wrote to memory of 2064	4504	chrome.exe	82
PID 4504 wrote to memory of 2064	4504	chrome.exe	82
PID 4504 wrote to memory of 2064	4504	chrome.exe	82
PID 4504 wrote to memory of 2064	4504	chrome.exe	82
PID 4504 wrote to memory of 2064	4504	chrome.exe	82
PID 4504 wrote to memory of 2064	4504	chrome.exe	82
PID 4504 wrote to memory of 2064	4504	chrome.exe	82
PID 4504 wrote to memory of 2064	4504	chrome.exe	82
PID 4504 wrote to memory of 2064	4504	chrome.exe	82
PID 4504 wrote to memory of 2064	4504	chrome.exe	82
PID 4504 wrote to memory of 2064	4504	chrome.exe	82
PID 4504 wrote to memory of 2064	4504	chrome.exe	82
PID 4504 wrote to memory of 2064	4504	chrome.exe	82
PID 4504 wrote to memory of 2064	4504	chrome.exe	82
PID 4504 wrote to memory of 2064	4504	chrome.exe	82
PID 4504 wrote to memory of 2064	4504	chrome.exe	82
PID 4504 wrote to memory of 2064	4504	chrome.exe	82
PID 4504 wrote to memory of 2064	4504	chrome.exe	82
PID 4504 wrote to memory of 2064	4504	chrome.exe	82
PID 4504 wrote to memory of 2064	4504	chrome.exe	82
PID 4504 wrote to memory of 2064	4504	chrome.exe	82
PID 4504 wrote to memory of 2064	4504	chrome.exe	82
PID 4504 wrote to memory of 2064	4504	chrome.exe	82
PID 4504 wrote to memory of 2064	4504	chrome.exe	82

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://tinyurl.com/eafc25hack
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffefa82cc40,0x7ffefa82cc4c,0x7ffefa82cc58
  2⤵
  PID:1608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1820,i,6721428697115560053,11450522035038618483,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1816 /prefetch:2
  2⤵
  PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2044,i,6721428697115560053,11450522035038618483,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  PID:4276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2172,i,6721428697115560053,11450522035038618483,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2288 /prefetch:8
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3084,i,6721428697115560053,11450522035038618483,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,6721428697115560053,11450522035038618483,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3572,i,6721428697115560053,11450522035038618483,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4416 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4732,i,6721428697115560053,11450522035038618483,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4756 /prefetch:8
  2⤵
  PID:2004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4964,i,6721428697115560053,11450522035038618483,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  - NTFS ADS
  PID:652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4956,i,6721428697115560053,11450522035038618483,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5476,i,6721428697115560053,11450522035038618483,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:3360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5616,i,6721428697115560053,11450522035038618483,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5604 /prefetch:8
  2⤵
  PID:928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5732,i,6721428697115560053,11450522035038618483,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5744 /prefetch:8
  2⤵
  PID:1580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5884,i,6721428697115560053,11450522035038618483,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5892 /prefetch:8
  2⤵
  PID:348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6032,i,6721428697115560053,11450522035038618483,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6040 /prefetch:8
  2⤵
  PID:4356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4772,i,6721428697115560053,11450522035038618483,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6004 /prefetch:1
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5960,i,6721428697115560053,11450522035038618483,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4452,i,6721428697115560053,11450522035038618483,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4976,i,6721428697115560053,11450522035038618483,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4480 /prefetch:8
  2⤵
  PID:952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4432,i,6721428697115560053,11450522035038618483,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:2752
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4364,i,6721428697115560053,11450522035038618483,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5204 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1096

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3340

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2716

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2028

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
792B

MD5
d0f4d092d8911f7b73c9c29d15c8176b

SHA1
fe10652398116a3f232d53c3cb46e0927906296a

SHA256
bd33a337fee2c1af9f8a85b51e88ff91448237a6b4d8548ee5c05ab5a78994c9

SHA512
c21f327cf574c64dee27072b5a9658417a961cac5473fcb39ed1c4133a3e3048ad7beed91bbdc1d914abe24c1541a22c4f75d691cec63372bbdc8e766b8c26af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
0b61ceaa8ba5dd190d9669789df21a51

SHA1
e67442919d43b5c7522022845442e0258074f5c6

SHA256
8c9e980c4a9e11c1c243e121c79527cfa7bf719fadae618419c2bafeb75bf4f6

SHA512
f68c8336c2e384cd44f254b68f265d645b511647658c332f0c18192b44a151ed2d01742911888bc2da0db43946bcb6344e3505e46814e6a76c55b85049ab28dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
44f4e1a79e68ccdc7760064aa13626ed

SHA1
61a30b78c9c84451975282efed5e5ef4769567ba

SHA256
cbe82c9d68922d4261fe5c8586b389e99429390e1d62f3ef625be4652f85b16d

SHA512
b19beda1f3eb0bf6cb7482000e8e066b4b7e88d4b1ac5bbb06220e990d3d1e43dbb886cae070e6acd33c7b04db9b6287bcbe6ebe04448a4e9a0af108da3bcdb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
b7d10766d716ba3073de1899ca60e108

SHA1
404b64b3fab2cf346509219f71075b81c201088b

SHA256
59ebed435628b3b094c9ad90986af99246756f3d1c22d357b02e048522cb7307

SHA512
7f858f6c3eefa3e48dc7132d5332f089198f690b933aeebb0c1e1aed39aef27933ba0d1e1ce92c7605394800f6a6e3cdb961ebf63059abba4e732dc929268ded

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
21dc2cd566bb1eeaf8f5c08becd81438

SHA1
92456ddc281a482dfe1c84f2f8f8cd901faa7e72

SHA256
6af2c5264a3adacc0be6720c38801784357fd219a31e4596323b6c40d3e82fa7

SHA512
9674e33adfb66e1df7762395d02a7dff459bcb8b9c3d9a53077b4a624c53bb082c3751928465cd9d6ae6465755f8fde3b38c90747adfbc27e14d547d6b2fd9e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4ceb4765d138895c249db4565849e464

SHA1
7297ba6d47b478f72ab53fed78cb658d50d4192b

SHA256
6e8d8a5afcfcf6c7723aac287da8546d3c7775d5b41c2292e939cb6728167133

SHA512
a8a086852bce705a283fb24304948261f10bacf32ac52cfe1bef322d9aaba140cfaa696b1ef1c502795fd8bb5b432e57229fbf80dbe8d798b7e731f301ef5f2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
203dc5dcae636d58bf938740c305c0de

SHA1
07ccbd3da0f589fc37316c75bd00df119ef3459b

SHA256
87db4f52eb6379b3264aadf83e5a8bac6b2a5573d2dc984deb1acf216bb89b53

SHA512
ba3eb1b1b97092c29a6c9eae5cd9ede46303bf25fe2ac307aaaf886adec04460bd77625737378bb47ff06890632e944dc7641e9e30019331ae11c35b0996807a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ed3a69c5ed2993a08a84d48a7a214ecd

SHA1
627d8388109931a6d5e0521862f1749b275cf768

SHA256
d5fbaa4d854ba648a5f55365837c6072de8dcf9c89997c19ccbf583a3e14cbc6

SHA512
11fa47704ddfa31b622cecae79f46d0d5c4a8a22fc96182892d91c14c18445010da1f795b54afe56a80f4a550596abfed11cbcc7252666237de853f8abf87302

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
2cc0a0f14899681d65d304f245c7a61d

SHA1
df0045169eaa7213dcbc1f8f3e7c0939311a03f7

SHA256
3584aa219d21060d316c38ab95f01b57c5852afdc6b27fa1c5c5957949433a7f

SHA512
0ae5483ef9a739a0033b0c017c0e807903fe5f2a252a10ba1675b4481dec98f44bf51f9940763c4d4062bd1a27df6e34ad2b5d934b820204ca812d1ab096a99e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
caf3e86990e1964c123dc8d37eb07be7

SHA1
b3ab5972f911f6de2b7fdc1f2867594c42c75c76

SHA256
ce0ab44b7407b20baf84fc2ed4141bddb54ebe4a4b94e049ba9480b15133aedb

SHA512
17724023161431792a964172a5fb5b443022c3f4c070e067bd56c812ad0a14b98c50c60dcca201dcc89d0d00771b9b076f9f680a96874c443373a577eb1e2a8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e4f3cdc7aeb723cfc04ace069700b88b

SHA1
aaeeba61ccc5d6ef5f1d1a9c50946d230dec1017

SHA256
c408b66f25e0b1301640bbc68df65265e77dec68a4966c52c23645b8d70f1fdf

SHA512
ac93027d29b0875f12f7b822e103745df40f22672a5948f8aef4f13606afe16222e5a0b85b01b0780ceb2487d0e437406bc47e4889e144188314bfb165cda9d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
51185fe8e8283983001507c45fe620c5

SHA1
53e0eeb03a8dbd829acaddd7596a343cbc814926

SHA256
2aeb6afc0aaf5e6d4134b99f5bb4094cf46184e8c6b45822fc4ff96bc66fff45

SHA512
9b134d35bd5b1e4cdc7508435c8eea01c3d7320409b3403ecc2c76db7648b9316cfd12a01251abf2679425d56ce63d101b2e46ae867f7a5111c6925fdb147e36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0b509e5c93e6e8a75558c8f072ea1d2f

SHA1
35cf22b8795c7813d00c0acb6ae12b0c013245fc

SHA256
3c613824ffd6b05d87fcb93cb51fce7ef0930f7cb0ec29ca15e6e9929e263cf1

SHA512
a8fa4fa55c7a4ad8bdf8b34ffe7f979124ac1f3978aa9eaee5fe8d61b3f8b968d921d30e9f149bf056cb0581f175883ebf7f61284d5ffca4c5b3179d1009d128

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4c5b2b8d58faff2f5ba4285c51a5b782

SHA1
c9812dcc6a7929e62f2b840c7b8594c07258f6c1

SHA256
4f8eb4979cdc5c9aa3db7605c65f6032561c1bd68cd98b482eaaa85c6b8e25e1

SHA512
09ddb6e25f4d1fb92131e9f06c36508b7f1a903ee4c11935370b8659134358e3f0810b98cff11ea5b058895a9ab6b704dc9b0b6745547d563a8e4b51a7e00048

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
90bf328970f2ae4aa73987156611aef3

SHA1
c42ce03b8dafffe91dd07b3a100ea062ba35e9f3

SHA256
6fd7bd95916cfeb0ba38bbccb9dec4a944174089a6c95bf2adfdcaf7b5e166ab

SHA512
efb1939a8a9727675920cc5290c75025aad48bffea4ce12a27fee6769e5bd94f6c99dd2630c3b1c82142e8d226c05bb991fa4fff575a4bf448c6c37d34200c2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f686dcdd70ab6d9358f77a96ffcf4d13

SHA1
de51d4e6d4c93ba1779df0bcd71ff99eca36aaf7

SHA256
4ce2de355107b6cc01149e10a711eb2e6c97060732af0c6b790dfb2d269528a1

SHA512
cbe790ca8ee68558399131a59761107a73db3069e49b8315180ec523521d55ce300d4c9e10519831b7a0bd47cf0a042c3dda2f48999ecb4612b3a22c2642e0c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7e7092c19611e94f8ad92d7b25f6a3b4

SHA1
df746924439c78df503b9976f216bc28b7f606b3

SHA256
9ecf2ea893170db61775ab26ded82428559e8cf188f6336afe1e4ce655539d23

SHA512
87055fb816a2206cf1dbb3bbc252e0fd3c21c6a924f36b03fbd9ea962fab8f02903258e371d66e74250ddfff456a871416dcc2a45203fc2ea1201d9fad0899c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
07617f193e67ff1d72a55e07a080128d

SHA1
f518f106488b1b30aedfaa477e1a1508f1ceee25

SHA256
eb4b27f49839843820bfb0a2e2f460f04a5dd204186dbb7586cbcd747f3a8bd2

SHA512
6acbfc3ffbc6f14050649e10653b4393b7a1e7d9a4a2b0bf5437bb0241419d0aa2a7a8980ae6fe9cc3ee0a0cdf52b3c63cdcae18cdc938304119a42e8c243004

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
4c071a544e7aded8bfd7753ca15fe638

SHA1
823dc1162b150d1fa6e2b315fe0ab6f714ee8054

SHA256
c1e459552e2c3f029f82c62628ac9459abe605f89499cba254fc593f16d64472

SHA512
a85697fc001563b2eb8df45edbf4fd4283e3291a80ecf31e1c5cc6cd1dc4bc2749ac84c54898d7efb0193bf8af07a315c0eb7b7b2f1a46c27ea88fa761de7b59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
df496b1e14babb790da7a31d501a7ed6

SHA1
0bacb294ed9d40416221a44aceab80ec3afd3766

SHA256
7c6eb8038144e6df76d1a98cbd879209851d3d851c29b5f02ba672925dda3112

SHA512
35891af76ada7468620f9af4704b77750d6eff2b5b700b085feec2a838518c72db7c9897e928a0412519113e3b74ae4ffb4bcc3a1ccff01fb37472ff80bf398c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
1d5b0ee76fbc143a9a73a48f21c5e9a9

SHA1
5d9bf1a38f6be1c5a055de83a999aedc12b126db

SHA256
b6bb39e59011a8d4269d27d2f18ae2d2ab6abee251c05a048d49ba1454737c54

SHA512
d8d638ac855c84bb0ecec46315c8eae58f229128608394f20e1b039ba50b9f37094cfef36acd9bcb5b9ef2cad4c26905252a154c37701a0c6e5be7a9af4723f6

Download Submit
C:\Users\Admin\Downloads\Artur Idiotov-Various Files-ModifyX-2024109-3501.zip.crdownload

Filesize
19.2MB

MD5
12ef4b860aaccf815b0f31777ff26e18

SHA1
8edbc82035fac398950a58df911d8afef80d5a24

SHA256
e1fcdffe973c734929289bf35a15804cc32014f69ee265fd37c4d9ec6cecc9dc

SHA512
b35bfdeb8ce7226390e3d41f0622ee6996402976fbfb2f82650121a03b9d1219f7b820a3a29f15e012ab6c6fc7c9041409ffc850aa5d3471fdf9684386f300f3

Download Submit
C:\Users\Admin\Downloads\Artur Idiotov-Various Files-ModifyX-2024109-3501.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701.exe

Filesize
3.8MB

MD5
46c17c999744470b689331f41eab7df1

SHA1
b8a63127df6a87d333061c622220d6d70ed80f7c

SHA256
c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

SHA512
4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier

Filesize
171B

MD5
e6556655a7d88a93605f5e6af98def56

SHA1
498d46d1d2914dfe2a50efd0aad5b964d51504da

SHA256
18f8507ecde6885b7459b08c573e3cb35c35bf700bebf4d8fa5a04606b929d03

SHA512
d1c74f4e9ad54d3b72b98cdcf0e07f73e3fb8aa7554473d112e4c9d2a00bd2e3571ff74608bb208348b8b5781629095b51a8379921a07bd20dc89343e41110c8

Download Submit