hxxp://www[.]angusj[.]com/resourcehacker/

Analysis

max time kernel
227s
max time network
231s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2023, 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.angusj.com/resourcehacker/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133330542486748900"	chrome.exe

Modifies registry class 50 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	ResourceHacker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	ResourceHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	ResourceHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	ResourceHacker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	ResourceHacker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	ResourceHacker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	ResourceHacker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	ResourceHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	ResourceHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	ResourceHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	ResourceHacker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	ResourceHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	ResourceHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = ffffffff	ResourceHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	ResourceHacker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	ResourceHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	ResourceHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	ResourceHacker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	ResourceHacker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	ResourceHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	ResourceHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	ResourceHacker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	ResourceHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff	ResourceHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	ResourceHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	ResourceHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 5600310000000000e556b891100073616d706c657300400009000400efbee556b891e556b8912e000000583202000000060000000000000000000000000000002aa63000730061006d0070006c0065007300000016000000	ResourceHacker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	ResourceHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	ResourceHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	ResourceHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	ResourceHacker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	ResourceHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	ResourceHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	ResourceHacker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\NodeSlot = "3"	ResourceHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	ResourceHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	ResourceHacker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	ResourceHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	ResourceHacker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	ResourceHacker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	ResourceHacker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	ResourceHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	ResourceHacker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	ResourceHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	ResourceHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	ResourceHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	ResourceHacker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	ResourceHacker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	ResourceHacker.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2180	ResourceHacker.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4812	chrome.exe
4812	chrome.exe
420	chrome.exe
420	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2180	ResourceHacker.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4812	chrome.exe
4812	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2180	ResourceHacker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 1520	4812	chrome.exe	47
PID 4812 wrote to memory of 1520	4812	chrome.exe	47
PID 4812 wrote to memory of 2348	4812	chrome.exe	86
PID 4812 wrote to memory of 2348	4812	chrome.exe	86
PID 4812 wrote to memory of 2348	4812	chrome.exe	86
PID 4812 wrote to memory of 2348	4812	chrome.exe	86
PID 4812 wrote to memory of 2348	4812	chrome.exe	86
PID 4812 wrote to memory of 2348	4812	chrome.exe	86
PID 4812 wrote to memory of 2348	4812	chrome.exe	86
PID 4812 wrote to memory of 2348	4812	chrome.exe	86
PID 4812 wrote to memory of 2348	4812	chrome.exe	86
PID 4812 wrote to memory of 2348	4812	chrome.exe	86
PID 4812 wrote to memory of 2348	4812	chrome.exe	86
PID 4812 wrote to memory of 2348	4812	chrome.exe	86
PID 4812 wrote to memory of 2348	4812	chrome.exe	86
PID 4812 wrote to memory of 2348	4812	chrome.exe	86
PID 4812 wrote to memory of 2348	4812	chrome.exe	86
PID 4812 wrote to memory of 2348	4812	chrome.exe	86
PID 4812 wrote to memory of 2348	4812	chrome.exe	86
PID 4812 wrote to memory of 2348	4812	chrome.exe	86
PID 4812 wrote to memory of 2348	4812	chrome.exe	86
PID 4812 wrote to memory of 2348	4812	chrome.exe	86
PID 4812 wrote to memory of 2348	4812	chrome.exe	86
PID 4812 wrote to memory of 2348	4812	chrome.exe	86
PID 4812 wrote to memory of 2348	4812	chrome.exe	86
PID 4812 wrote to memory of 2348	4812	chrome.exe	86
PID 4812 wrote to memory of 2348	4812	chrome.exe	86
PID 4812 wrote to memory of 2348	4812	chrome.exe	86
PID 4812 wrote to memory of 2348	4812	chrome.exe	86
PID 4812 wrote to memory of 2348	4812	chrome.exe	86
PID 4812 wrote to memory of 2348	4812	chrome.exe	86
PID 4812 wrote to memory of 2348	4812	chrome.exe	86
PID 4812 wrote to memory of 2348	4812	chrome.exe	86
PID 4812 wrote to memory of 2348	4812	chrome.exe	86
PID 4812 wrote to memory of 2348	4812	chrome.exe	86
PID 4812 wrote to memory of 2348	4812	chrome.exe	86
PID 4812 wrote to memory of 2348	4812	chrome.exe	86
PID 4812 wrote to memory of 2348	4812	chrome.exe	86
PID 4812 wrote to memory of 2348	4812	chrome.exe	86
PID 4812 wrote to memory of 2348	4812	chrome.exe	86
PID 4812 wrote to memory of 3624	4812	chrome.exe	87
PID 4812 wrote to memory of 3624	4812	chrome.exe	87
PID 4812 wrote to memory of 1528	4812	chrome.exe	88
PID 4812 wrote to memory of 1528	4812	chrome.exe	88
PID 4812 wrote to memory of 1528	4812	chrome.exe	88
PID 4812 wrote to memory of 1528	4812	chrome.exe	88
PID 4812 wrote to memory of 1528	4812	chrome.exe	88
PID 4812 wrote to memory of 1528	4812	chrome.exe	88
PID 4812 wrote to memory of 1528	4812	chrome.exe	88
PID 4812 wrote to memory of 1528	4812	chrome.exe	88
PID 4812 wrote to memory of 1528	4812	chrome.exe	88
PID 4812 wrote to memory of 1528	4812	chrome.exe	88
PID 4812 wrote to memory of 1528	4812	chrome.exe	88
PID 4812 wrote to memory of 1528	4812	chrome.exe	88
PID 4812 wrote to memory of 1528	4812	chrome.exe	88
PID 4812 wrote to memory of 1528	4812	chrome.exe	88
PID 4812 wrote to memory of 1528	4812	chrome.exe	88
PID 4812 wrote to memory of 1528	4812	chrome.exe	88
PID 4812 wrote to memory of 1528	4812	chrome.exe	88
PID 4812 wrote to memory of 1528	4812	chrome.exe	88
PID 4812 wrote to memory of 1528	4812	chrome.exe	88
PID 4812 wrote to memory of 1528	4812	chrome.exe	88
PID 4812 wrote to memory of 1528	4812	chrome.exe	88
PID 4812 wrote to memory of 1528	4812	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://www.angusj.com/resourcehacker/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd46129758,0x7ffd46129768,0x7ffd46129778
  2⤵
  PID:1520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1872,i,1475984884169466030,17229984197681707446,131072 /prefetch:2
  2⤵
  PID:2348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=1872,i,1475984884169466030,17229984197681707446,131072 /prefetch:8
  2⤵
  PID:3624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2272 --field-trial-handle=1872,i,1475984884169466030,17229984197681707446,131072 /prefetch:8
  2⤵
  PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2832 --field-trial-handle=1872,i,1475984884169466030,17229984197681707446,131072 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2840 --field-trial-handle=1872,i,1475984884169466030,17229984197681707446,131072 /prefetch:1
  2⤵
  PID:1356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4832 --field-trial-handle=1872,i,1475984884169466030,17229984197681707446,131072 /prefetch:8
  2⤵
  PID:380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 --field-trial-handle=1872,i,1475984884169466030,17229984197681707446,131072 /prefetch:8
  2⤵
  PID:3272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 --field-trial-handle=1872,i,1475984884169466030,17229984197681707446,131072 /prefetch:8
  2⤵
  PID:1108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2924 --field-trial-handle=1872,i,1475984884169466030,17229984197681707446,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1872,i,1475984884169466030,17229984197681707446,131072 /prefetch:8
  2⤵
  PID:2084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1796 --field-trial-handle=1872,i,1475984884169466030,17229984197681707446,131072 /prefetch:8
  2⤵
  PID:3540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=912 --field-trial-handle=1872,i,1475984884169466030,17229984197681707446,131072 /prefetch:8
  2⤵
  PID:2572

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3836

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:656

C:\Users\Admin\Downloads\resource_hacker\ResourceHacker.exe
"C:\Users\Admin\Downloads\resource_hacker\ResourceHacker.exe"
1⤵
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
b05c2ae58435cf695aace14c9af0721d

SHA1
60f7718d33e18e5fb073ebf62e7c4b31a1c89cae

SHA256
8e1b98c25d5ad773b6d1c26829d468944627704c1783b1fffc28e47211e7bc35

SHA512
0a4c326979fc3a8b5bef5a682ae72aa8ee25ba6593f199355aa4bfe369558b70530bce80b392b042624db7f875a402896d2ac25889b1d10b8bea8c6b2913cb9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
4d893f746d395ad5f6d34e32e218bba3

SHA1
ba690215c416439028d9bea22d94ef20aa5a8127

SHA256
007509fcfa56849ea3e6f4f2078a3a8a6deea80f913ab84325e571bf858b6436

SHA512
521c7deb9bb60a3a97ea79e7400f286f0559a42b1eec23b3b5cd83f9d8892b2bd390fcf45ec1bf0635dde52d2678db083b7c4096cd8289eba033cd50b78eee3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
1fe23de56d5ea3e5b91a861153ddd92f

SHA1
67716883099867a13d030ed99c82f7799f2f5aa1

SHA256
cc6c1a1ddffed4b2efde4d2292314be9327a68629480b945dc806b27b6bf569f

SHA512
b873a9acd197515e98ba93216b2f428548e32de2e736d505cf335e074e7f857849f37496de22fde938f697caea4a9e697ea96afadfbf3b90fa8b54b167ce7c52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
536B

MD5
706e5a6968eba42dba33c6ef305d4db0

SHA1
a11c4c3e15a653ea79b42c5e9efc92a0bf779bc2

SHA256
3519a2e0b044d32c84d575f07e0fcece2511b4ed0d03256d01a1fa4ce0bc368d

SHA512
c567b835cce81dbf63448851adfdf13996bd889e80fa04f1efa2058cc33d8d0b68b95fdb5a107e7953e9cf2d2cc1e5febaa734f1b9a601e863105be8efc71446

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
03dbd01c3a379e6ed9be7c4c65b87af8

SHA1
3c0c600bf5b6971098505ad81e406690077acc4f

SHA256
edbe2dde619f667b4872313fba0b910b2e1c2eb4720569d41f411b41c76fd67b

SHA512
4a4ca19db641ffcef3628e0ecf03f1e305114651a4c176dec3da60312929250d615c4b3516ce7f5d6be66ec404dbb7fa54fbbc9f05270c301134d1e0855e2952

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ed1ffc9ba23a24816061ef70fbd28891

SHA1
1732079d742644395bb81dc10093ee4fd13ccef6

SHA256
d9532f529de7f92618ceb43838a6470e8036ee2deb8b4d1cd367c0741eb25ca8

SHA512
0da9bc133fbc5b4dffe32e52c280cbddec840a548952f42b77db739755920be0f4fc1579d0373029b955f0959a95543e089989dac6741880497f32801284b2a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
557454f57bc9404d22d608417e5bde04

SHA1
9c9b97cafab772e3f37519302742eeab6ffa6c6c

SHA256
cdd98c4781aacc92e92f74fb69f30ed5fb26a4cf0d88cbc2c43ec3482f29e6c6

SHA512
e5fd382e49bd5489040bc0d649f12b723a92b93c4696227af49012cd44a945881067097d78a205fbc0783592981a258356379504b23b8c81ea583fc29e65ef4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
171KB

MD5
9f903f4b46fb3cdfa1794fda8314a6b4

SHA1
8eed70cf9c8f2e84b6aeba62858741c768fd4586

SHA256
1be5542bb01faa8283c1074e2accadd2c55596aa1d16399eecbb9cede418de48

SHA512
af26fd6fe353e9825364787d4660eaf93019951c08b03c20c01478e79a07d67f54fedd528ed6121b7ff5053d78e1dfddcfe58d644046c91a0312e64a768aab72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
103KB

MD5
935018035208ed8ce324bbde9747e310

SHA1
32a4152d257d20f30f14b41e8c9370749a14e201

SHA256
ea37cd844a6e1f27a8e5eef19c8ca435e771e74d510cc3882993116a1eec9b0a

SHA512
a2c4b5a65e012b4a4d1b26c67c184bb3f6b4edcb83baef2be2fcda3b08619f0e74473bc1bc7c93817e0cbdc5ddad331fc9fb151a9523d4653075efa0981ede97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
106KB

MD5
e2a07c68d8c4751940a9afb83dec95bc

SHA1
91bb6491dc55402a04ee32dfa2d680a42044fab2

SHA256
515b3d6a0801e94ff285fae1207474496e92abb60d09eb2cdc5d5a780d0559ea

SHA512
6fc4e4e122ddb35f49824dbed0a4b1e714a71cb1e69e26e115dd4818ec084d3e23b4516bbef931c6bd552654c471680be30756bb5789b154fa14678b59ec106a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe59debe.TMP

Filesize
97KB

MD5
165ba2aaa51a7a1612242b866acc1a33

SHA1
84015085b94f82fefa3a09fafedd7b3260c5cc0b

SHA256
a45d1fa5203922aab43ea6b2653bf36c4a1d954a454c7aea35b64d06e2b3c685

SHA512
07a610f950907cfedb80533dc46ea150e57e0875e36b06d3c518df31ca33570b33a318cae65ad1ca9bbc5ddde6308e76c9013d40c661e87bec8de86df2ca6fdb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\resource_hacker.zip.crdownload

Filesize
3.0MB

MD5
672f980eee75e8223060661227ba884f

SHA1
86fc38aed09c5a5de4f766b2eb6f5675eaa30489

SHA256
d158bebc2993cf6bebf2c23a93572a68544c2ba5ae056538f70a58075c9392d6

SHA512
bfb13c2b9a88634a9980b95e70a919de7139c49ab56903b86b88603c8ecfb7d0a0363a5c72657648622dd19b74c52b85fd59e2833de2e26fdf069774c88e8e57

Download Submit
memory/2180-281-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/2180-282-0x0000000000400000-0x0000000000988000-memory.dmp

Filesize
5.5MB

Download
memory/2180-283-0x0000000000400000-0x0000000000988000-memory.dmp

Filesize
5.5MB

Download
memory/2180-284-0x0000000000400000-0x0000000000988000-memory.dmp

Filesize
5.5MB

Download