hxxps://github[.]com/fractalizetech0104/GDI-Programs

Resubmissions

31/10/2023, 20:26

231031-y72b2add6z 1

31/10/2023, 19:41

231031-yejarafb77 8

Analysis

max time kernel
110s
max time network
273s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2023, 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/fractalizetech0104/GDI-Programs

Score

8^/10

bootkit evasion persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Modifies system executable filetype association 2 TTPs 47 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\PintoStartScreen	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\IconHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\OpenContainingFolderMenu	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\tabsets	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\lnkfile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas	reg.exe

Registers COM server for autorun 1 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\WOW6432Node\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\LocalServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LocalServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\WOW6432Node\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\LocalServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\LocalServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\WOW6432Node\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	2MASS J07225830-2546030.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1920	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133432549535432052"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{BC173C05-2DF7-314F-8087-7CF97F5BE921}\15.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{000204EF-0000-0000-C000-000000000046}\6.0\HELPDIR	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.dts\shell\Open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B261B22-AC6A-4E68-A870-AB5080E8687B}\AuxUserType\3	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BB1A2AE3-A4F9-11CF-8F20-00805F2CD064}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/xaml+xml	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\outlspam.SmartScreenFactoryOutlook	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.fileTypeAssociation\.jpg\AppX43hnxtbyyps62jhe9sqpdzxn1790zetc	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Windows.CBSPreview_cw5n1h2txyewy\PSR	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SVCID\01366d42-c04e-11d1-b1c0-00c04fc2f3ef\Providers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020800-0000-0000-C000-000000000046}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FFFDC614-B694-4AE6-AB38-5D6374584B52}\ProgID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{51973C50-CB0C-11D0-B5C9-00A0244A0E7A}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8706233B-BD4C-11D2-9238-00A02448799A}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Explorer.AssocProtocol.search-ms\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C033A-0000-0000-C000-000000000046}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C03CF-0000-0000-C000-000000000046}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9F2FE81-F764-4BD0-AFA5-5DE841DDB625}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\IE.HTTPS	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-3147918054-4251542582-2404553452-1793583264-1546801782-1235146273-4024180735	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A6872888-D8A9-3BFA-9EAD-0998D01E37D1}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{CE7E6FDB-9CAA-3431-A81C-A687DED63821}\15.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shellex\ContextMenuHandlers\Sharing	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Template.8\shell\ViewProtected	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.ProcessLauncher.1.0\CLSID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\IE.AssocFile.XHT	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.gif\Shell\setdesktopwallpaper\Command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EED3392E-C13A-42A9-932F-145C12B4FB5C}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{291EE2A7-BFA5-4e9e-A358-C93655556A6C}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\Elevation	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Forms.Label.1\CLSID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DED6D613-A3DB-4E35-BB5B-A92391133F03}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4AC9E1DA-5BAD-4AC7-86E3-24F4CDCECA28}\c.0\0	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\WOW6432Node\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{7916644D-9109-3ABD-90B1-B24292556FC3}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020803-0000-0000-C000-000000000046}\InprocHandler32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\Elevation	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8B83E7CC-51A8-4FF2-98B4-8B321853DBD6}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{62B891E0-8122-3D7B-A460-521188144D0F}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.flac\shell\PlayWithVLC\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\wdpfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3FD37ABB-F90A-4DE5-AA38-179629E64C2F}\VersionIndependentProgID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Sheet.12\shell\Edit\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset\CN-GB	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ms-msime-imjpdct\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{814B9800-1C88-11D1-BAD9-00609744111A}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{FB55F3EB-2F7C-4410-982E-ED9BC7812E32}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\printto\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\1.0\0\win32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74A13FDD-9BCF-4229-9CAB-0079A5E17A25}\Programmable	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Forms.Form.1\CLSID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\RDBFileProperties.1\shellex	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020811-0000-0000-C000-000000000046}\AuxUserType\3	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{048EB43E-2059-422F-95E0-557DA96038AF}\DataFormats	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{2C1156B5-27D4-329B-B946-C3C66207AE75}\15.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{D6E78E55-7EE7-4A31-BF3E-B01E819599BA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8990CB3B-227E-3A43-8264-0057EC763FA0}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.it\shell\AddToPlaylistVLC\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\wordhtmlfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6C7977F4-DB5B-4977-9A41-C7344CC43DB9}\InProcServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.fileTypeAssociation\.msix\AppXa4x21t18evxksm0kbe6znaz8jjrjvs9e	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameCallableUI_1000.19041.1023.0_neutral_neutral_cw5n1h2txyewy\Microsoft.XboxGameCallableUI_cw5n1h2txyewy!Microsof	reg.exe

Modifies registry key 1 TTPs 6 IoCs

Modify Registry

T1112

pid	Process
4392	reg.exe
3924	reg.exe
4804	reg.exe
4916	reg.exe
4708	reg.exe
4044	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1596	chrome.exe
1596	chrome.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1596	chrome.exe
1596	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeDebugPrivilege	2748	taskmgr.exe
Token: SeSystemProfilePrivilege	2748	taskmgr.exe
Token: SeCreateGlobalPrivilege	2748	taskmgr.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
376	2MASS J07225830-2546030.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 3304	1596	chrome.exe	66
PID 1596 wrote to memory of 3304	1596	chrome.exe	66
PID 1596 wrote to memory of 3664	1596	chrome.exe	91
PID 1596 wrote to memory of 3664	1596	chrome.exe	91
PID 1596 wrote to memory of 3664	1596	chrome.exe	91
PID 1596 wrote to memory of 3664	1596	chrome.exe	91
PID 1596 wrote to memory of 3664	1596	chrome.exe	91
PID 1596 wrote to memory of 3664	1596	chrome.exe	91
PID 1596 wrote to memory of 3664	1596	chrome.exe	91
PID 1596 wrote to memory of 3664	1596	chrome.exe	91
PID 1596 wrote to memory of 3664	1596	chrome.exe	91
PID 1596 wrote to memory of 3664	1596	chrome.exe	91
PID 1596 wrote to memory of 3664	1596	chrome.exe	91
PID 1596 wrote to memory of 3664	1596	chrome.exe	91
PID 1596 wrote to memory of 3664	1596	chrome.exe	91
PID 1596 wrote to memory of 3664	1596	chrome.exe	91
PID 1596 wrote to memory of 3664	1596	chrome.exe	91
PID 1596 wrote to memory of 3664	1596	chrome.exe	91
PID 1596 wrote to memory of 3664	1596	chrome.exe	91
PID 1596 wrote to memory of 3664	1596	chrome.exe	91
PID 1596 wrote to memory of 3664	1596	chrome.exe	91
PID 1596 wrote to memory of 3664	1596	chrome.exe	91
PID 1596 wrote to memory of 3664	1596	chrome.exe	91
PID 1596 wrote to memory of 3664	1596	chrome.exe	91
PID 1596 wrote to memory of 3664	1596	chrome.exe	91
PID 1596 wrote to memory of 3664	1596	chrome.exe	91
PID 1596 wrote to memory of 3664	1596	chrome.exe	91
PID 1596 wrote to memory of 3664	1596	chrome.exe	91
PID 1596 wrote to memory of 3664	1596	chrome.exe	91
PID 1596 wrote to memory of 3664	1596	chrome.exe	91
PID 1596 wrote to memory of 3664	1596	chrome.exe	91
PID 1596 wrote to memory of 3664	1596	chrome.exe	91
PID 1596 wrote to memory of 3664	1596	chrome.exe	91
PID 1596 wrote to memory of 3664	1596	chrome.exe	91
PID 1596 wrote to memory of 3664	1596	chrome.exe	91
PID 1596 wrote to memory of 3664	1596	chrome.exe	91
PID 1596 wrote to memory of 3664	1596	chrome.exe	91
PID 1596 wrote to memory of 3664	1596	chrome.exe	91
PID 1596 wrote to memory of 3664	1596	chrome.exe	91
PID 1596 wrote to memory of 3664	1596	chrome.exe	91
PID 1596 wrote to memory of 2236	1596	chrome.exe	92
PID 1596 wrote to memory of 2236	1596	chrome.exe	92
PID 1596 wrote to memory of 4780	1596	chrome.exe	93
PID 1596 wrote to memory of 4780	1596	chrome.exe	93
PID 1596 wrote to memory of 4780	1596	chrome.exe	93
PID 1596 wrote to memory of 4780	1596	chrome.exe	93
PID 1596 wrote to memory of 4780	1596	chrome.exe	93
PID 1596 wrote to memory of 4780	1596	chrome.exe	93
PID 1596 wrote to memory of 4780	1596	chrome.exe	93
PID 1596 wrote to memory of 4780	1596	chrome.exe	93
PID 1596 wrote to memory of 4780	1596	chrome.exe	93
PID 1596 wrote to memory of 4780	1596	chrome.exe	93
PID 1596 wrote to memory of 4780	1596	chrome.exe	93
PID 1596 wrote to memory of 4780	1596	chrome.exe	93
PID 1596 wrote to memory of 4780	1596	chrome.exe	93
PID 1596 wrote to memory of 4780	1596	chrome.exe	93
PID 1596 wrote to memory of 4780	1596	chrome.exe	93
PID 1596 wrote to memory of 4780	1596	chrome.exe	93
PID 1596 wrote to memory of 4780	1596	chrome.exe	93
PID 1596 wrote to memory of 4780	1596	chrome.exe	93
PID 1596 wrote to memory of 4780	1596	chrome.exe	93
PID 1596 wrote to memory of 4780	1596	chrome.exe	93
PID 1596 wrote to memory of 4780	1596	chrome.exe	93
PID 1596 wrote to memory of 4780	1596	chrome.exe	93

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/fractalizetech0104/GDI-Programs
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff93f5c9758,0x7ff93f5c9768,0x7ff93f5c9778
  2⤵
  PID:3304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 --field-trial-handle=1864,i,13107155008871092150,17610818212431258434,131072 /prefetch:2
  2⤵
  PID:3664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1864,i,13107155008871092150,17610818212431258434,131072 /prefetch:8
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1864,i,13107155008871092150,17610818212431258434,131072 /prefetch:8
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=1864,i,13107155008871092150,17610818212431258434,131072 /prefetch:1
  2⤵
  PID:232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3024 --field-trial-handle=1864,i,13107155008871092150,17610818212431258434,131072 /prefetch:1
  2⤵
  PID:4448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 --field-trial-handle=1864,i,13107155008871092150,17610818212431258434,131072 /prefetch:8
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4672 --field-trial-handle=1864,i,13107155008871092150,17610818212431258434,131072 /prefetch:8
  2⤵
  PID:3164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4548 --field-trial-handle=1864,i,13107155008871092150,17610818212431258434,131072 /prefetch:8
  2⤵
  PID:3312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 --field-trial-handle=1864,i,13107155008871092150,17610818212431258434,131072 /prefetch:8
  2⤵
  PID:2172

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3024

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2748

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5060

C:\Users\Admin\Downloads\2MASS J07225830-2546030\2MASS J07225830-2546030.exe
"C:\Users\Admin\Downloads\2MASS J07225830-2546030\2MASS J07225830-2546030.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im taskmgr.exe
  2⤵
  PID:4040
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskmgr.exe
    3⤵
    - Kills process with taskkill
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
  2⤵
  PID:992
- - C:\Windows\SysWOW64\reg.exe
    REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
    3⤵
    - Modifies registry key
    PID:4392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v NoRun /t reg_dword /d 1 /f
  2⤵
  PID:4936
- - C:\Windows\SysWOW64\reg.exe
    REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v NoRun /t reg_dword /d 1 /f
    3⤵
    - Modifies registry key
    PID:3924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
  2⤵
  PID:3412
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:4804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
  2⤵
  PID:4796
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:4916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
  2⤵
  PID:3628
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:4708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
  2⤵
  PID:1220
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:4044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete hkey_classes_root /f
  2⤵
  PID:2732
- - C:\Windows\SysWOW64\reg.exe
    reg delete hkey_classes_root /f
    3⤵
    - Modifies system executable filetype association
    - Registers COM server for autorun
    - Modifies registry class
    PID:496

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x390 0x414
1⤵
PID:5028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
2a196af5143d6801bb9a355984a63c78

SHA1
db2188b777be837f83d5f085f051811e305bf3be

SHA256
35995f35000ff9fce595169688d9809b530777cfea58387cea8f0d06b3599d27

SHA512
f8f89fad16f1935f865565e3df37dbc72dbe5dfca246ab9244d89b1c503ee9b08ce7b3d36209fee7c4fc47452d53f54c27c32fbd1dc58ba37d4cae97b0f23f61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
3b43728135236ec6d377712670c469b9

SHA1
36e1ddff6d8378472560a3c5f8e07e40448def58

SHA256
0e831f091fda02e5ec4b7d15a28f6ec6e1eef7c34d2f2223c308c216f340390b

SHA512
79ad215e9237f66031b03d9926588a97386e33eb70d13d4d5e7da7b3c8783d0ef1dec71b1a87891076564bc7d2b74724f152e28261ab9c5b810a6a2b6b22f2c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
165633caec85e74702ba9381e8bf2658

SHA1
8984aabac8c88776f9248a85be9ce3d3d590ce99

SHA256
ffde6f39bda4f7a81237b86cba84ef2a84834420f3b84819794d5f4868966c49

SHA512
590bc59281568f853303aba2f74ec3ce78d14467a24603af570657748a9869cfebc3516f2726dc5bf802b12c8d9b4d5e813f99a646f708b463d8c2b77772ae21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
6acd89c80eb1595b5521926bb7d5d179

SHA1
e59c10cb2a68589eef4027e3176de47c0e18f12e

SHA256
398d8345d58e8486296e83af6e4b1bf0cdd77128153bc0043a03b428dd0452d1

SHA512
0e4b31cc069883d8fe543cc72753e872de1ccf5c93f5a2a8ef542322a7052a4f4cb863f63e2007fb8b00e10e7e343109a945f0e375099b09675f228e8461af43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f7105bb54d79f2ba4553a6a4569396d7

SHA1
775326760721f5c9bc77db139936b8fa932b745e

SHA256
a4abc52af5ee70f9fb27102b491aeeebff528db266ff8ac4bce1152ca7b8290f

SHA512
9a071ae504a3e33cde26a6d363ab03e3158580babdb37db36741aa91bfb4436230ec8c048366091c8db72e7ccd52f43f3500650e332309b496b815765c681f96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c6c0ff1c7086a0ef81d1ec2f8e2effb9

SHA1
f9b71f2eef81946d4cd4e6753a5b5861a8b75b7c

SHA256
906d03e9dc508849e0699e3054943210267112eb80b5d0f0cb11980fe705b55f

SHA512
a65150c443d53b13d2fde8937a108ce816b05603f2d444d3655ee821c6bb027f9dff0a3ab9526008ef70e39561f19c309ceca9843c657224ffb432ac1d832952

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
34b0660f330b762b06cee7ca74e811bf

SHA1
0646003b216393def5d0acc9b5603a7acb2f5f63

SHA256
3414b7c43802a1e08cfbdd4433993a9474b6703547121d0229b93bf787751e69

SHA512
fc539cdb83e585020798d2aeff67dd3bdb6ba34065c83b5777d5ff3b043e348dd726668a2fcc911946ae75bfd39b99d7ba6361ecec7e35dc56173f452548fae2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a07fa38fd599205e0bc47d35622f979b

SHA1
760659ef0bdbf292e4a7e607d1415866c3f1f9fd

SHA256
2a41ed80ab16e747d1cf6ce65d88ce0856ea4b73ad0b35879ecde39887329836

SHA512
1115e1825464d166382b1ed625172e2ef1e85fb18ed8ae0d97fe84257157cfe50abf0e607485e37f0569182c61edf684d25bb65113783c7684e90938343db9b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
66b033698520031f9f4887992563903b

SHA1
04064a0efa66b11ea9f3567bceeff4f2c042c3f0

SHA256
f2939a0fac69f2b24c5b289516d1e14c1532fb92c0686935c78fc1f434c4c361

SHA512
d1755a7824c31b2aefd6ea0ef9ce7cececf2916581924f4bc10fac5498c60476b6a040bc5ebb5fd2b8bcfaae4e7e61e472d02871fee3a38c7cf12cf71274461b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
397497f604a5b1842972f1f7e85d9df6

SHA1
cd51224783e9645b7d548ecb24460d999ab3a4d2

SHA256
a4a77f31145b56c553332c73286896e807654ab733410b32f4f1c0e4518ea9fa

SHA512
5204288fdbd42530191b9408d9d6502fbadfa1ec3edec66bf49dbd35a90fd821a4c9ddc7886f080f4c938c7747d44692fd1d92074b10053b45fe9be623ed8538

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
504bfafc742f79e0e4cd5ab8eacc6b4b

SHA1
479b8e84bd96275f76b881b56b62879abe5d0c40

SHA256
4945c99d010851e016b2c91dd1dd4072e44f83230ec31e145420cd460d309334

SHA512
c714e867270ab81655e120556e0c0107ccfca54704b48aa3bdc2c1d715db0ea851883700523f281e28925145a4680fcb5ac34c0dda60c7b9fb9399036525962d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
5b5bc6a321d2e8d80fbab3c853f281b4

SHA1
5ba3a717855296c0d68018619fdc99876267a8f1

SHA256
f223f12364627d195f18b54dcd9754415dcbdf73f535e8a58a0adb2807f19c36

SHA512
0a16f919ace32ac555c4af5066f4d14053fa13a7d8a5c0826ef854c9a336fc7f32004bf2cad1bfdec37d8fb463bb3ca00fb3135a88e6e6ed576d420fa52d20d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
106KB

MD5
8b14fdcd3b5608848342d05a22296ffe

SHA1
29d6fc7aaf341997d14269df3baf9536cca38caf

SHA256
898af48e5dec2742baf7216049ae992f687d9cdcca347fd28383f2f0888c8a4b

SHA512
e2bc9509dff5e84d9f644edb50c8d2ea4306a7614904bdbced6bc83e71c66185333a884d1291059e7733ffe3cf76274f9b82e21edf7e7bf9eaf42d05080c2f33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe586424.TMP

Filesize
97KB

MD5
681231f73e22a99fc22d08dd0d6cc593

SHA1
75b23e6624f85f3e44d6a66d66fcaa6d540c866e

SHA256
6577b07b1a1cd8b14fce5d45d9613b2c9d8ab8410da1a10052706784dd27e6ec

SHA512
b58a798b852b119f929f57666a71c414ead2ec69c4c43cc3d70555fc75d5aa8d79f11a81ea016034ce5e12c16e86a123f101416260fc40d883794af1dba2eca3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\2MASS J07225830-2546030.zip

Filesize
138KB

MD5
b5b4e346b16e21dcf9b4ab57bea6d501

SHA1
2018293d5788915c7773b8cd791499f1769469f0

SHA256
db1d8bc3f4a02fb4e6cc5769cb9ee40bc8142800224772c367038d770305d4d9

SHA512
4bdefed9995523b2e073810a0669b80ebe6607ad65bf0d1e43cdb4986fcecec6c13d2ad56be35b47af194a08381e640b382a412245430b11d1fd708924b9a644

Download Submit
memory/2748-131-0x0000022752BB0000-0x0000022752BB1000-memory.dmp

Filesize
4KB

Download
memory/2748-133-0x0000022752BB0000-0x0000022752BB1000-memory.dmp

Filesize
4KB

Download
memory/2748-134-0x0000022752BB0000-0x0000022752BB1000-memory.dmp

Filesize
4KB

Download
memory/2748-135-0x0000022752BB0000-0x0000022752BB1000-memory.dmp

Filesize
4KB

Download
memory/2748-136-0x0000022752BB0000-0x0000022752BB1000-memory.dmp

Filesize
4KB

Download
memory/2748-137-0x0000022752BB0000-0x0000022752BB1000-memory.dmp

Filesize
4KB

Download
memory/2748-132-0x0000022752BB0000-0x0000022752BB1000-memory.dmp

Filesize
4KB

Download
memory/2748-104-0x0000022752BB0000-0x0000022752BB1000-memory.dmp

Filesize
4KB

Download
memory/2748-103-0x0000022752BB0000-0x0000022752BB1000-memory.dmp

Filesize
4KB

Download
memory/2748-102-0x0000022752BB0000-0x0000022752BB1000-memory.dmp

Filesize
4KB

Download