90b4c76ce16075ee50be5906a281df0f6741bcead0dd604f1048113adb61c6ab

Analysis

max time kernel
181s
max time network
201s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2023, 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe
Size

159.4MB
MD5

43e39ee1d462c93244b9c89b0307a1ad
SHA1

c112ec93ca07a5a3bb0cf20efd10ec6453d21edc
SHA256

683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e
SHA512

e9b39a4042ee54fbbee88afe43443fa5eae5f6ca014b314383470c10590787815a9da0b6221f29a196d148eb28a412dfcd88088b9cd49ed0fb0ecd1ade9bec23
SSDEEP

3145728:7CnCREuLyywaoZ9EOrGpvTxr/4kI5aFQh:7CCREQyywN95CFTxrA

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe

Modifies system certificate store 2 TTPs 6 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1296	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe
1296	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe
4384	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe
4384	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe
5040	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe
5040	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe
4608	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe
4608	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe
3968	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe
3968	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe
3968	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe
3968	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 1296	4804	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe	95
PID 4804 wrote to memory of 1296	4804	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe	95
PID 4804 wrote to memory of 1296	4804	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe	95
PID 4804 wrote to memory of 4384	4804	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe	96
PID 4804 wrote to memory of 4384	4804	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe	96
PID 4804 wrote to memory of 4384	4804	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe	96
PID 4804 wrote to memory of 5040	4804	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe	97
PID 4804 wrote to memory of 5040	4804	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe	97
PID 4804 wrote to memory of 5040	4804	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe	97
PID 5040 wrote to memory of 2664	5040	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe	100
PID 5040 wrote to memory of 2664	5040	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe	100
PID 5040 wrote to memory of 2664	5040	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe	100
PID 2664 wrote to memory of 1236	2664	cmd.exe	102
PID 2664 wrote to memory of 1236	2664	cmd.exe	102
PID 1236 wrote to memory of 2856	1236	cmd.exe	103
PID 1236 wrote to memory of 2856	1236	cmd.exe	103
PID 4804 wrote to memory of 4608	4804	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe	104
PID 4804 wrote to memory of 4608	4804	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe	104
PID 4804 wrote to memory of 4608	4804	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe	104
PID 4608 wrote to memory of 2468	4608	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe	106
PID 4608 wrote to memory of 2468	4608	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe	106
PID 4608 wrote to memory of 2468	4608	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe	106
PID 2468 wrote to memory of 740	2468	cmd.exe	108
PID 2468 wrote to memory of 740	2468	cmd.exe	108
PID 740 wrote to memory of 1936	740	cmd.exe	109
PID 740 wrote to memory of 1936	740	cmd.exe	109
PID 4804 wrote to memory of 3968	4804	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe	118
PID 4804 wrote to memory of 3968	4804	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe	118
PID 4804 wrote to memory of 3968	4804	683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe	118

C:\Users\Admin\AppData\Local\Temp\683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe
"C:\Users\Admin\AppData\Local\Temp\683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Users\Admin\AppData\Local\Temp\683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe
  "C:\Users\Admin\AppData\Local\Temp\683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe" --type=gpu-process --field-trial-handle=1704,10568805017264404059,18337702041039726371,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --no-sandbox --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1712 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1296
- C:\Users\Admin\AppData\Local\Temp\683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe
  "C:\Users\Admin\AppData\Local\Temp\683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1704,10568805017264404059,18337702041039726371,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --no-sandbox --ignore-certificate-errors --ignore-certificate-errors --mojo-platform-channel-handle=2072 /prefetch:8
  2⤵
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  PID:4384
- C:\Users\Admin\AppData\Local\Temp\683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe
  "C:\Users\Admin\AppData\Local\Temp\683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe" --type=renderer --no-sandbox --field-trial-handle=1704,10568805017264404059,18337702041039726371,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app" --enable-plugins --no-sandbox --no-zygote --preload="C:\Users\Admin\AppData\Local\Temp\resources\app\lib\static\preload.js" --enable-remote-module --background-color=#fff --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2340 /prefetch:1
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "%windir%\sysnative\cmd.exe /c %windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1236
    - - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
        5⤵
        
        PID:2856
- C:\Users\Admin\AppData\Local\Temp\683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe
  "C:\Users\Admin\AppData\Local\Temp\683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe" --type=renderer --no-sandbox --field-trial-handle=1704,10568805017264404059,18337702041039726371,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app" --enable-plugins --no-sandbox --no-zygote --preload="C:\Users\Admin\AppData\Local\Temp\resources\app\lib\static\preload.js" --enable-remote-module --background-color=#fff --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2804 /prefetch:1
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "%windir%\sysnative\cmd.exe /c %windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
      4⤵
      Suspicious use of WriteProcessMemory
      PID:740
    - - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
        5⤵
        
        PID:1936
- C:\Users\Admin\AppData\Local\Temp\683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe
  "C:\Users\Admin\AppData\Local\Temp\683c3a84406697e86a9186671e0205b9672c77779daed30328066a1fec8ca30e.exe" --type=gpu-process --field-trial-handle=1704,10568805017264404059,18337702041039726371,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-sandbox --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=2468 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ChatGPT旗舰版\Partitions\openaicnnnnet7dva\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
69791980faf98603b8704cbb7f3fe414

SHA1
b548ffedd898b258a131c425e5701d689727c0b7

SHA256
307dc70e3474beca9c2185988b1ac5e8bde4f2dbd4d8b63f97cd90363c44d988

SHA512
526f31c75618cce9ef32b2522ca37a1538708e65679d4305dd330ddc48b96a13bccb503a81ba1ffd8d3feb04335b36af288defd6db0b6e9c923d8a9579a37a23

Download Submit
C:\Users\Admin\AppData\Roaming\ChatGPT旗舰版\Partitions\openaicnnnnet7dva\Code Cache\js\index-dir\the-real-index~RFe5994a5.TMP

Filesize
48B

MD5
d15ecd7cc88531600d5ff092acdf1a0e

SHA1
3b7775d305c0ceb7b649a3f9fee122fd085f9ea4

SHA256
4cc62c71432dd6528032b9417ec5f640602b817c541440d05561805e868522ba

SHA512
44e6768336a7849710a6f19fdcb90f745b0688e4f198ea5bff5c932ed65c992dbe5d6058e8644a5210470ec0809ed2f4f5fa12551722cc9b643604e862ca0655

Download Submit
C:\Users\Admin\AppData\Roaming\ChatGPT旗舰版\Partitions\openaicnnnnet7dva\Network Persistent State

Filesize
458B

MD5
49094fd8455ef1d6bf77055c9eec4c83

SHA1
8320b1fd1bd23d7160d780aaba078ed965083da7

SHA256
4a298a730dc5b758841244ca14942c3e4db2504f97468c728f2c031dd38cef14

SHA512
e5e83e1d968c790665be03a23f0071156a6a9dbeb9c0bdf8599bf1606b17b013a9e3ee08bbb91f84cdb4f5e3d3c654ccb0a366adb7930d96f82587151b629557

Download Submit
C:\Users\Admin\AppData\Roaming\ChatGPT旗舰版\Partitions\openaicnnnnet7dva\Network Persistent State~RFe5a158d.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\ChatGPT旗舰版\Partitions\openaicnnnnet7dva\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\ChatGPT旗舰版\Partitions\openaicnnnnet7dva\TransportSecurity

Filesize
708B

MD5
72b8ecdf1f83ff1eb2cc5bff66205800

SHA1
11a1870c0f5fd7e80e97ed4b1238c720c58591eb

SHA256
e61d415c32625836d2f3d12cf9676c8d000d475ade092aee7288ee74c42bfa50

SHA512
1ed94ace8f3d5472877f652a3a8bbd5a9902c4cd417e429ac8d2c2ca1a53494aec4cf71bd715043f72e0b449e6683e0872392d76ec30d6423a481d6ada4d19cf

Download Submit
C:\Users\Admin\AppData\Roaming\ChatGPT旗舰版\Partitions\openaicnnnnet7dva\TransportSecurity~RFe596e60.TMP

Filesize
708B

MD5
216fc71680a27b2598bf6006286740b8

SHA1
57601182b4eae0dcde9270e3d30cd426d3adb273

SHA256
a00ac9472ed03b2af73fc9eea2635fea0e3d70da407e403790df116439b6cfd5

SHA512
22e90b1565f92b519f7be40336c443b020208cd56051d0cb26943d882e747a43d628b591d2e56edf4ca3629bc7313367ec33af159d8eb9ff98c3afd77b51956c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/1296-28-0x0000000010000000-0x00000000103AB000-memory.dmp

Filesize
3.7MB

Download
memory/1296-105-0x00000000FF130000-0x00000000FFA97000-memory.dmp

Filesize
9.4MB

Download
memory/1296-103-0x00000000FFAA0000-0x00000000FFE34000-memory.dmp

Filesize
3.6MB

Download
memory/1296-69-0x00000000FFAA0000-0x00000000FFE34000-memory.dmp

Filesize
3.6MB

Download
memory/1296-47-0x00000000FFAA0000-0x00000000FFE34000-memory.dmp

Filesize
3.6MB

Download
memory/4384-45-0x0000000010000000-0x00000000103AB000-memory.dmp

Filesize
3.7MB

Download
memory/4804-15-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4804-3-0x0000000077422000-0x0000000077423000-memory.dmp

Filesize
4KB

Download
memory/4804-18-0x000000000BF70000-0x000000000BF85000-memory.dmp

Filesize
84KB

Download
memory/4804-17-0x000000000BF40000-0x000000000BF6E000-memory.dmp

Filesize
184KB

Download
memory/4804-16-0x000000000BF20000-0x000000000BF3F000-memory.dmp

Filesize
124KB

Download
memory/4804-1-0x0000000077422000-0x0000000077423000-memory.dmp

Filesize
4KB

Download
memory/4804-13-0x0000000009790000-0x000000000A19B000-memory.dmp

Filesize
10.0MB

Download
memory/4804-0-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4804-19-0x000000000BF90000-0x000000000C459000-memory.dmp

Filesize
4.8MB

Download
memory/4804-12-0x0000000010000000-0x00000000103AB000-memory.dmp

Filesize
3.7MB

Download
memory/4804-5-0x0000000077423000-0x0000000077424000-memory.dmp

Filesize
4KB

Download
memory/4804-2-0x0000000010000000-0x00000000103AB000-memory.dmp

Filesize
3.7MB

Download
memory/4804-14-0x00000000072E0000-0x000000000730A000-memory.dmp

Filesize
168KB

Download
memory/5040-106-0x0000000010000000-0x00000000103AB000-memory.dmp

Filesize
3.7MB

Download