Resubmissions
18-06-2024 10:26
240618-mglccatcpr 8  18-06-2024 10:22
240618-mefdbatbrp 4  18-06-2024 10:17
240618-mblqxsyglg 8  18-06-2024 10:15
240618-majvyaygje 8  18-06-2024 10:13
240618-l9cp8stakr 7  18-06-2024 10:11
240618-l7x86ayfke 8  18-06-2024 10:08
240618-l6ds5ayenh 8  18-06-2024 10:05
240618-l4jatssgmp 8  18-06-2024 10:03
240618-l3pq8aydqc 7

Analysis
max time kernel: 108s
max time network: 121s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 18-06-2024 10:05
Static task: static1
Behavioral task behavioral1: sample "erdre gdps.7z", resource win11-20240508-en
Behavioral task behavioral2: sample "erdre gdps/desktop.ini", resource win11-20240611-en
Behavioral task behavioral3: sample "erdre gdps/erdre GDPS install.exe", resource win11-20240419-en
Behavioral task behavioral4: sample "erdre gdps/readme", resource win11-20240508-en
General
Target: erdre gdps.7z
Size: 1.1MB
MD5: ca9d500698c249375695b698dca4ea46
SHA1: ef9ca55537b6cdc5c3b5957e5bf035c65a100a65
SHA256: de5512870659824110a206fb3f960bb8dd913c981fc0eb87cf2f49159436d78b
SHA512: de564faf97f75340c8fba864728b069f3200f616fb21e60317dfdec62517e89245f0a533c010e3d2c11fa946616b0ac755725769798b24025935c82386cddbf9
SSDEEP: 24576:SOAFN36gv0uG7myXkH/1SQQtGao3PH4N4GKWyNSTvxU/l:SOMlvMkH/2QT3v4yhNEvWN
Malware Config
(none extracted)

Signatures
Note on attribution: every IoC listed below comes from cmd.exe, OpenWith.exe, chrome.exe or 7z2406-x64.exe, the 7-Zip 24.06 installer that chrome.exe downloaded during the run (the Zone.Identifier stream under "NTFS ADS" is the download marker). The submitted archive was only handed to cmd /c and to the OpenWith.exe "open with" prompt; no process from inside it appears in the process tree, so the COM registration, Program Files writes and registry class changes describe a 7-Zip installation on the sandbox VM, not behaviour of the sample. The archive's contents are the subject of the separate tasks behavioral2 to behavioral4 listed above; their results are not on this page.
Downloads MZ/PE file

Executes dropped EXE (1 IoC)
  7z2406-x64.exe, PID 1136

Loads dropped DLL (1 IoC)
  PID 3240 (the report records no process name for this entry)
Registers COM server for autorun (1 TTP, 3 IoCs)
  Key created     \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32  (7z2406-x64.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"  (7z2406-x64.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"  (7z2406-x64.exe)
  The InprocServer32 default value is the DLL that any COM client (here Explorer, through the shellex handlers registered under "Modifies registry class" below) loads in-process for this CLSID; the installer names the class "7-Zip Shell Extension" and points it at a DLL under C:\Program Files\7-Zip, which is the expected shape for a legitimate installer.
Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory (64 IoCs)
  All 64 entries are "File opened for modification" by 7z2406-x64.exe under C:\Program Files\7-Zip\:
  Top level: 7-zip.dll, 7zCon.sfx, 7z.exe, Uninstall.exe, 7zG.exe, 7zFM.exe
  Lang\: sr-spc.txt, ka.txt, uz.txt, eo.txt, ro.txt, io.txt, ky.txt, lij.txt, sa.txt, sk.txt, uk.txt, eu.txt, is.txt, ne.txt, ta.txt, zh-tw.txt, co.txt, gl.txt, lt.txt, de.txt, hi.txt, tk.txt, an.txt, be.txt, fa.txt, zh-cn.txt, ba.txt, bn.txt, hr.txt, ku-ckb.txt, lv.txt, nl.txt, sv.txt, ca.txt, fi.txt, he.txt, tg.txt, ps.txt, ast.txt, ms.txt, ug.txt, kaa.txt, pl.txt, nn.txt, sq.txt, uz-cyrl.txt, br.txt, ku.txt, tt.txt, en.ttt, ext.txt, ja.txt, pt.txt, hy.txt, sl.txt, az.txt, cy.txt, ru.txt
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry (2 TTPs, 3 IoCs)
  chrome.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  chrome.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
  chrome.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
Modifies data under HKEY_USERS (2 IoCs)
  chrome.exe: Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry
  chrome.exe: Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133631787551639708"
Modifies registry class (23 IoCs)
  cmd.exe:        Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings
  chrome.exe:     Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings
  OpenWith.exe:   Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings
  7z2406-x64.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}
  7z2406-x64.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"
  7z2406-x64.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32
  7z2406-x64.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"
  7z2406-x64.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"
  7z2406-x64.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}
  7z2406-x64.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"
  7z2406-x64.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32
  7z2406-x64.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"
  7z2406-x64.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"
  7z2406-x64.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip
  7z2406-x64.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"
  7z2406-x64.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip
  7z2406-x64.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"
  7z2406-x64.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip
  7z2406-x64.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"
  7z2406-x64.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip
  7z2406-x64.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"
  7z2406-x64.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip
  7z2406-x64.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"
NTFS ADS (1 IoC)
  chrome.exe: File opened for modification C:\Users\Admin\Downloads\7z2406-x64.exe:Zone.Identifier
  (Zone.Identifier is the Mark-of-the-Web stream a browser writes on a file it downloads; this entry is what ties 7z2406-x64.exe to a download made through chrome.exe during the run rather than to the submitted archive)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  chrome.exe, PID 3172 (2 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  OpenWith.exe, PID 3124

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
  chrome.exe, PID 3172 (5 events)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  chrome.exe, PID 3172: Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege, alternating (64 events in total)

Suspicious use of FindShellTrayWindow (35 IoCs)
  chrome.exe, PID 3172 (35 events)

Suspicious use of SendNotifyMessage (12 IoCs)
  chrome.exe, PID 3172 (12 events)

Suspicious use of SetWindowsHookEx (14 IoCs)
  OpenWith.exe, PID 3124 (13 events)
  7z2406-x64.exe, PID 1136 (1 event)

Suspicious use of WriteProcessMemory (64 IoCs)
  chrome.exe, PID 3172, wrote to the memory of its own chrome.exe child processes: PID 5056 (crashpad-handler), PID 4720 (gpu-process), PID 4064 (network service) and PID 1840 (storage service); 64 events in total.
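The signature blocks above print COM registrations and the NTFS ADS write as raw IoC lines. The following Python is an example added to this page, not code from the sandbox or from 7-Zip: it parses lines in exactly the three shapes printed above, lists every InprocServer32 registration with its CLSID and DLL, flags DLLs that live outside admin-only directories, and extracts Zone.Identifier writes with the process that made them. The six report lines in the sample input are copied from this page; the seventh line (placeholder CLSID, dropper.exe, hijack.dll) and the TRUSTED_DIR_PREFIXES list are assumptions of the example.

```python
"""Triage of sandbox registry/file IoC lines (added example; not the sandbox's own code).

Parses lines in the three shapes this report prints:
  Key created <key> <process>
  Set value (<type>) <key> = "<data>" <process>
  File opened for modification <path> <process>
and flags two things a reviewer of the Signatures section wants answered quickly:
  * every COM InprocServer32 registration, with the CLSID, the DLL it points at and
    whether that DLL sits in an admin-only directory;
  * every Zone.Identifier (Mark-of-the-Web) stream written, and by which process.
"""
import re
from typing import Iterable, List, Optional

# Assumption of this example: DLLs under these prefixes were placed by an installer
# running elevated; a COM server pointing into a user-writable directory is the
# classic COM-hijack persistence shape and deserves a closer look.
TRUSTED_DIR_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

_SET_VALUE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<key>\S+) = "(?P<data>.*)" (?P<proc>\S+)$')
_KEY_CREATED = re.compile(r"^Key created (?P<key>\S+) (?P<proc>\S+)$")
_FILE_MOD = re.compile(r"^File opened for modification (?P<path>.+) (?P<proc>\S+)$")
_CLSID = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})", re.IGNORECASE)


def unescape_data(data: str) -> str:
    """The report doubles backslashes inside quoted string data."""
    return data.replace("\\\\", "\\")


def is_trusted_path(path: str) -> bool:
    low = path.lower()
    return any(low.startswith(p) for p in TRUSTED_DIR_PREFIXES)


def parse_ioc(line: str) -> Optional[dict]:
    """Return a dict describing one IoC line, or None if the line is not an IoC."""
    line = line.strip()
    m = _SET_VALUE.match(line)
    if m:
        return {"kind": "set_value", "key": m["key"], "type": m["type"],
                "data": unescape_data(m["data"]), "proc": m["proc"]}
    m = _KEY_CREATED.match(line)
    if m:
        return {"kind": "key_created", "key": m["key"], "proc": m["proc"]}
    m = _FILE_MOD.match(line)
    if m:
        # The process name is the last token; the path may contain spaces.
        return {"kind": "file_modified", "path": m["path"], "proc": m["proc"]}
    return None


def triage(lines: Iterable[str]) -> dict:
    """Collect InprocServer32 registrations and Mark-of-the-Web writes from IoC lines."""
    com_servers: List[dict] = []
    motw_writes: List[dict] = []
    for raw in lines:
        ioc = parse_ioc(raw)
        if ioc is None:
            continue
        # The default value of ...\InprocServer32\ is the DLL loaded in-process for that CLSID.
        if ioc["kind"] == "set_value" and ioc["key"].lower().endswith("\\inprocserver32\\"):
            clsid = _CLSID.search(ioc["key"])
            com_servers.append({
                "clsid": clsid.group(1) if clsid else None,
                "wow64": "\\wow6432node\\" in ioc["key"].lower(),
                "dll": ioc["data"],
                "proc": ioc["proc"],
                "trusted_location": is_trusted_path(ioc["data"]),
            })
        elif ioc["kind"] == "file_modified" and ioc["path"].lower().endswith(":zone.identifier"):
            host, _, stream = ioc["path"].rpartition(":")
            motw_writes.append({"file": host, "stream": stream, "proc": ioc["proc"]})
    return {"com_servers": com_servers, "motw_writes": motw_writes}


def untrusted_com_servers(result: dict) -> List[dict]:
    return [c for c in result["com_servers"] if not c["trusted_location"]]


# Constructed input: the first six lines are copied from this report's Signatures
# section; the last one is a made-up hostile registration (placeholder CLSID, process
# and DLL name) so that the untrusted-location branch is exercised as well.
SAMPLE_IOC_LINES = [
    r"Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 7z2406-x64.exe",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll" 7z2406-x64.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" 7z2406-x64.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll" 7z2406-x64.exe',
    r"File opened for modification C:\Program Files\7-Zip\Lang\sr-spc.txt 7z2406-x64.exe",
    r"File opened for modification C:\Users\Admin\Downloads\7z2406-x64.exe:Zone.Identifier chrome.exe",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\hijack.dll" dropper.exe',
]

if __name__ == "__main__":
    result = triage(SAMPLE_IOC_LINES)
    for c in result["com_servers"]:
        flag = "ok  " if c["trusted_location"] else "LOOK"
        arch = "(WOW64) " if c["wow64"] else ""
        print(f"[{flag}] {c['clsid']} {arch}-> {c['dll']}  by {c['proc']}")
    for w in result["motw_writes"]:
        print(f"[motw] {w['proc']} wrote {w['stream']} on {w['file']}")
```

Run as a script it prints one line per registration, with "LOOK" on the constructed AppData entry and "ok" on the two 7-Zip entries, followed by the Mark-of-the-Web line for the downloaded installer. The trusted-directory test is deliberately coarse: a DLL under Program Files is only as trustworthy as the installer that put it there, so the next step in a real review is to check the Authenticode signature of the file the InprocServer32 value names.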
Processes

C:\Windows\system32\cmd.exe  (PID 3820; the PID is later reused by a chrome.exe renderer)
  cmd /c "C:\Users\Admin\AppData\Local\Temp\erdre gdps.7z"
  Signatures: Modifies registry class

C:\Windows\system32\OpenWith.exe  (PID 3124)
  C:\Windows\system32\OpenWith.exe -Embedding
  Signatures: Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx

C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3172)
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  Signatures: Enumerates system info in registry; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  Children (all the same chrome.exe image; command lines as recorded):
    PID 5056  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd0587ab58,0x7ffd0587ab68,0x7ffd0587ab78
    PID 4720  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1808,i,15196827825124634275,4460141798549860022,131072 /prefetch:2
    PID 4064  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1808,i,15196827825124634275,4460141798549860022,131072 /prefetch:8
    PID 1840  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1808,i,15196827825124634275,4460141798549860022,131072 /prefetch:8
    PID 4080  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1808,i,15196827825124634275,4460141798549860022,131072 /prefetch:1
    PID 3540  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3096 --field-trial-handle=1808,i,15196827825124634275,4460141798549860022,131072 /prefetch:1
    PID 2116  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3504 --field-trial-handle=1808,i,15196827825124634275,4460141798549860022,131072 /prefetch:1
    PID 1468  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4336 --field-trial-handle=1808,i,15196827825124634275,4460141798549860022,131072 /prefetch:8
    PID 1884  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4496 --field-trial-handle=1808,i,15196827825124634275,4460141798549860022,131072 /prefetch:8
    PID 5040  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 --field-trial-handle=1808,i,15196827825124634275,4460141798549860022,131072 /prefetch:8
    PID 2180  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4664 --field-trial-handle=1808,i,15196827825124634275,4460141798549860022,131072 /prefetch:8
    PID 3188  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 --field-trial-handle=1808,i,15196827825124634275,4460141798549860022,131072 /prefetch:8
    PID 2304  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4352 --field-trial-handle=1808,i,15196827825124634275,4460141798549860022,131072 /prefetch:1
    PID 3820  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4484 --field-trial-handle=1808,i,15196827825124634275,4460141798549860022,131072 /prefetch:1
    PID 1472  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3240 --field-trial-handle=1808,i,15196827825124634275,4460141798549860022,131072 /prefetch:8
    PID 5048  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5032 --field-trial-handle=1808,i,15196827825124634275,4460141798549860022,131072 /prefetch:8
    PID 3372  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5044 --field-trial-handle=1808,i,15196827825124634275,4460141798549860022,131072 /prefetch:8
    PID 396   "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3436 --field-trial-handle=1808,i,15196827825124634275,4460141798549860022,131072 /prefetch:8
              Signatures: NTFS ADS (this is the Chrome service that writes the Zone.Identifier stream on downloads)
    PID 4428  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5292 --field-trial-handle=1808,i,15196827825124634275,4460141798549860022,131072 /prefetch:8
    PID 1464  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2620 --field-trial-handle=1808,i,15196827825124634275,4460141798549860022,131072 /prefetch:8
    PID 4716  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 --field-trial-handle=1808,i,15196827825124634275,4460141798549860022,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe  (PID 4252)
  "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Windows\System32\rundll32.exe  (PID 3676)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\7z2406-x64.exe  (PID 1136)
  "C:\Users\Admin\Downloads\7z2406-x64.exe"
  Signatures: Executes dropped EXE; Registers COM server for autorun; Drops file in Program Files directory; Modifies registry class; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
(path not recorded)
  Filesize 99KB
  MD5    7ec019d8445f4dcdb91a380c9d592957
  SHA1   15fd8375e2e282a90d3df14041272e5ac29e7c93
  SHA256 1cc179f097ee439bb35a582059cbc727d9cea0d5c43dfaa57f9f03050cfaea03
  SHA512 d71a79091fcc6a96c24d95662a18cc24145b9531145ef0bcb4e882c12f5bb5ca6c7a9b9e50024c9c0bf4cb6bf40dca7627cecbfddd637142d04a194e1956ae9b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\2606e96e-5ddc-447f-ba06-97573aef05f5.tmp
  Filesize 7KB
  MD5    9094ba3353aff1bd4afe107abac9f792
  SHA1   a65c5f08e56a897930a17124b2dfa877ca66ba6b
  SHA256 eae6269447eb9a79e7daee81846bf23f46cb22533524c6e90f767f301854ad20
  SHA512 92bc46e9522b719661e9c92ae6dd2ecafba08b02fdef54fbc07cbff67801b064125053aab9e5580acde5b0445934fe9b07e677237102f6e92f2699983aa4bc73

(path not recorded)
  Filesize 408B
  MD5    9838896c9fba88e51adf4ca014e3a174
  SHA1   07ccbb1817b00cdcf9292619c3fddfd8dd3d15d6
  SHA256 7dbabaea90ea36fc1684a927fa6c251ca59e0581e9cf52338e2286eaa5892e88
  SHA512 59d52a43886931f8170f4ce31c496fefbba40efa2f2a81c4817934e1472f8102499e074974027109894584f371dfe8f93ccd25e7ac8fcf52357c015cf12f02f3

(path not recorded)
  Filesize 2KB
  MD5    a2dcb04c0d0124d937c6f6f846644006
  SHA1   403509c3486e16f3b4be13af2f5de06ba656b411
  SHA256 c63141286633932eab4a07290969ba52f2be4ce1ad6bd33dbc4a58395b24162a
  SHA512 d31d6181e52052a404743c16a2ffba2fdd2ac17a490fbc5f0a1d09484d5f4fdf1718cae9531d24f06b628210198a9c24c20494e60364f5ecb47ccfbde2fd7176

(path not recorded; these are the hashes of the two-byte string "[]", an empty JSON array)
  Filesize 2B
  MD5    d751713988987e9331980363e24189ce
  SHA1   97d170e1550eee4afc0af065b78cda302a97674c
  SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

(path not recorded)
  Filesize 356B
  MD5    9e7e83db92044dd7a3470bd5296d2a97
  SHA1   a439f6ce1cda91a634f08dc7a71a79494aa83901
  SHA256 f3fae87d002507293787e4692c10e88d0656d31a7002c33c671b47fde49c86bb
  SHA512 cede6328ece2987226d032c734bd74104f24224668457ca112abf69f197be75584b731873bd1460c2269b811beab76558480de1ddd0c5f13f2fa2138475347f7

(path not recorded)
  Filesize 523B
  MD5    b3760089a9091f50cb2c3744241b3797
  SHA1   29bd9891d12f5c7e16a75c4cd80044e3c482fd7a
  SHA256 7ca1e846bcbb9bf81543ea11f7c54d7f3d5c4e70a623182e87893ea7e84ef49f
  SHA512 eda3c323afac1db29b51aecce06a42b819d4cbd0681845420d541adbf94f56b42cb62b754af5f19f30e376943690bc2ec55e567f797ef0dc7e8cc4900d0e92e4

(path not recorded)
  Filesize 356B
  MD5    34be2bb4330ab7076120443a30c53617
  SHA1   2d192b1a8afb39e45caa3b6b03d8043f53c0064e
  SHA256 f4dd6eb5442cf35187682ba3a9f18f5ef8f18ef227e8e2bed8057d924196f69e
  SHA512 009c3e34aa7be65b7fb3ad1395af88fe14b4630f08c16ea5e2de44107bf3c41ead89ed5cb3cc12476986bee96195e77e37a59ee25c7c56b0b51809bc836004b7

(path not recorded)
  Filesize 8KB
  MD5    238b700335ba41956312ff75453e1b86
  SHA1   c3be210fc8d0b3ff6101efdf924b6ae92ea0cdc3
  SHA256 636399faa3114a3aa57066147523be03c02771c2375514bc38bd850a4e6b6381
  SHA512 4a84dd8664f8c7a098ed27abbe7896bd5d4b96b682a4f3f48fccaa3bb86e4f1aab57280d421ac755f6fb3ba203fcf132bd2597de5f8b6c8859c034fb43619fd1

(path not recorded)
  Filesize 7KB
  MD5    6b13b22d69d3c20821f680756917fa3e
  SHA1   a3f825fb75b702ddc80baf1962d6bc569a387f17
  SHA256 575af0e710e3650d03d185602443079ac9a4acd2bc78565aa125f78e6225fd5b
  SHA512 c2fb2627618a1118f71101fab8b7cc001bd472352e0127e6f251998d00111de0ce664ae78a814d1706bc4122dccfe000f78684577e9b613c939b752a60290a1a

(path not recorded)
  Filesize 7KB
  MD5    f96aedd2e5b3d28963453a091c0e596d
  SHA1   8ff9c1a00213755ab5b812dcde9fc926c2b36a24
  SHA256 e3104bafc501a72a66a95f6bfc365102314a77272855c3b866fbf38174b9c222
  SHA512 a7626730425f4238764ac65cc19b0caaf4ee4bdf56bb787b9ed1216c887b5913c256e2518d1641bd23a8cd6c237f0e0a05c749a888f60f1a3ee93ebb9659ee9c

(path not recorded)
  Filesize 7KB
  MD5    4a994d6216d705bbc9667138dc017577
  SHA1   ea664456e5928b637d1604692cb73f5fa134b6a4
  SHA256 0abda12af7eb7e66c3142456c68f8de53e5b35710c365410c59cbd08db930ece
  SHA512 e1e159c69c382bea23c566528e6455ae78730b3139f376c19b90c26ce40a99402b45ddbc863f6e1f9a7c751f262b96fd7a39e7d1743b75743cb3ed7524b04898

(path not recorded)
  Filesize 16KB
  MD5    cbc94b4457422f2eba404c8855810674
  SHA1   e6b56a55c8347c2608c53465e11d360221640e4d
  SHA256 19869ad883660428da79d6c71924ca22360d85a141753184d548858b20a82b72
  SHA512 e3278ce2ae6bc339fde5517bc0576ce6649381e004eb22ebc5e95430d14699636af0ee279eb0479246a7772efe40362070be09b51928f068701227eee8765c9b

(path not recorded)
  Filesize 269KB
  MD5    abb210ca4fde545a5ce8f51b7a1999b1
  SHA1   0c97e80a609b741bcdee2e54dd28d3378a3210cc
  SHA256 d7daa50e409a4358f469268030fb13f5e4749e916713c45e35acfff9b606f4e6
  SHA512 0edd5a4538cfa973169159bb1fd2ae6dec8881264819b0602b1358103ff7667a42e4f58632d25825de057ccb56bcd37ed31c529f9ddceb1a7783e78922399ada

(path not recorded)
  Filesize 269KB
  MD5    461d7eb4a9c7ee20be34adad1106154d
SHA183587859aa409e8deadca35901d34b052a95b641
SHA25652144aab888f485944b36bdd76f8896a2020f61d6f5de8fa9d64de4f52d5bc45
SHA51235bf7663aae800289795e1bd3dc53a1167fe9a96299180807ed3495c7d9d3c76b393243b1091d581558fe70289e586fa253b31aca3389d757e1602f210c7c5f7
-
Filesize
92KB
MD5d6b406325ecc5091083a02706a28884d
SHA1a9dd7bfcf432927107bd5bd4833758c02f900157
SHA2568988dc7d6842a805a743cc93727569c5a94426c4172cf49e637496aa0964fa60
SHA512309da37fc94d7cf91c8566fe24f058427be9b01817cd3adbd1b166f71772192d3f29543d31500d255c0a5ad3b1a0f4b9167c57737628ebf665bd43c9f2e85cc9
-
Filesize
88KB
MD5469fc00c97518fc465d6e933b0c2af0c
SHA12dddbc9fc6a808dc83fa185651d555e7f96565e0
SHA2562a0b1916d0cb5933388301c6a37e0a46ab8faf61c4da8898611291e98a82e29e
SHA51212c2762c7cb6ea78c074aafcb62f22cb5d49f966a65c97f9a0c96adedae4667330296b1da053114bbc50b5ccbc022aeaec9b85b1ae1357b46aedfe47ccf68a03
-
Filesize
83KB
MD5809193721b61bb9543e202a8b655267b
SHA1b19c08b78cd68977c7624da961b6f82f926891fc
SHA256bcf1110cb8df112ab0c43a7524c7b3bef1c39b048de53b21ec8bcac0bb33ea1a
SHA512697f2b120fd0981dbad6bfc37d8aec161108d94fd19566a21c41d127cba75f1f6ffaf42f84eaa1d74525316f0fd8fae55ab04c9383e2647fd6082680d6fd09fa
-
Filesize
264KB
MD5fc54ffdb253aaf06e5ede9b3aa734029
SHA113c2f2885564cc687cfa5fa07b1b0e01498222f7
SHA256888a5a444b40042b4c3c636f14d9327d7ec850cc4e0ead79fab82f750a660ccb
SHA51271f3f809705e955e080070b7fa78763fd81168274f8612a86d513c952922ff08c971fec7ed161c67bdc82a2a1c549f61e08eb0d3c9c3460b4921d0c676e638e8
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
1.5MB
MD5d8af785ca5752bae36e8af5a2f912d81
SHA154da15671ad8a765f3213912cba8ebd8dac1f254
SHA2566220bbe6c26d87fc343e0ffa4e20ccfafeca7dab2742e41963c40b56fb884807
SHA512b635b449f49aac29234f677e662be35f72a059401ea0786d956485d07134f9dd10ed284338503f08ff7aad16833cf034eb955ca34e1faf35a8177ccad1f20c75
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
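Dropped-file listings like the one above are often copied out of a sandbox report with the labels fused to the values ("Filesize7KB", "MD5<hex>"), which makes them awkward to feed into a hunt or a blocklist. The following is an added example, not code from the report page or from the sandbox vendor: it parses that flattened layout into records, rejects digests of the wrong length for their algorithm, and recomputes MD5/SHA1/SHA256/SHA512 over a small table of well-known trivial contents to flag entries that are not worth pivoting on. The sample text is constructed from three entries of the listing above; the `KNOWN_CONTENTS` table and all function names are this example's own choices.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: three entries in the flattened layout the report uses
# (label fused to value, or label alone followed by the value on the next
# line, entries separated by "-"). Digests are copied from the listing above.
SAMPLE = """\
C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\2606e96e-5ddc-447f-ba06-97573aef05f5.tmp
Filesize7KB
MD59094ba3353aff1bd4afe107abac9f792
SHA1a65c5f08e56a897930a17124b2dfa877ca66ba6b
SHA256eae6269447eb9a79e7daee81846bf23f46cb22533524c6e90f767f301854ad20
SHA51292bc46e9522b719661e9c92ae6dd2ecafba08b02fdef54fbc07cbff67801b064125053aab9e5580acde5b0445934fe9b07e677237102f6e92f2699983aa4bc73
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""

# Longer algorithm names first so "SHA512" is not matched as "SHA1" + "2...".
LABEL_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5|Filesize)(.*)$")
DIGEST_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASHERS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1,
           "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}
SIZE_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# Trivial file bodies (example's own table) whose digests are noise in a hunt:
# an empty file and an empty JSON array, both common Chrome profile artifacts.
KNOWN_CONTENTS = {"empty file": b"", "empty JSON array": b"[]"}


@dataclass
class DroppedFile:
    path: Optional[str] = None
    size: Optional[int] = None          # bytes, as the report rounds them
    digests: Dict[str, str] = field(default_factory=dict)


def parse_size(text: str) -> int:
    """Turn '7KB' / '408B' / '1.5MB' into a byte count (report units, 1024-based)."""
    m = re.fullmatch(r"([0-9]+(?:\.[0-9]+)?)(B|KB|MB|GB)", text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * SIZE_UNITS[m.group(2)])


def _assign(entry: DroppedFile, label: str, value: str) -> None:
    if label == "Filesize":
        entry.size = parse_size(value)
        return
    value = value.strip().lower()
    # Length + hex check catches truncated or mangled copy/paste before it
    # ends up in a blocklist and silently never matches anything.
    if len(value) != DIGEST_HEX_LEN[label] or not re.fullmatch(r"[0-9a-f]+", value):
        raise ValueError(f"bad {label} digest: {value!r}")
    entry.digests[label] = value


def parse_report(text: str) -> List[DroppedFile]:
    """Parse the flattened dropped-file listing into DroppedFile records."""
    entries: List[DroppedFile] = []
    cur, pending = DroppedFile(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                     # entry separator
            if cur.digests or cur.path or cur.size is not None:
                entries.append(cur)
            cur, pending = DroppedFile(), None
            continue
        if pending:                         # value for a label on its own line
            _assign(cur, pending, line)
            pending = None
            continue
        m = LABEL_RE.match(line)
        if m:
            label, value = m.group(1), m.group(2).strip()
            if value:
                _assign(cur, label, value)
            else:
                pending = label
        else:                               # anything unlabeled is the path
            cur.path = line
    if cur.digests or cur.path or cur.size is not None:
        entries.append(cur)
    return entries


def identify(entry: DroppedFile) -> Optional[str]:
    """Name the known trivial content if every listed digest recomputes to it."""
    for name, body in KNOWN_CONTENTS.items():
        if entry.digests and all(HASHERS[alg](body).hexdigest() == d
                                 for alg, d in entry.digests.items()):
            return name
    return None


if __name__ == "__main__":
    for e in parse_report(SAMPLE):
        tag = identify(e) or "unique content"
        print(f"{e.size!s:>8} {e.digests.get('SHA256')}  {tag}")
```

Requiring all four digests to recompute to the same candidate also cross-checks the report itself: a listing where the MD5 says "empty file" but the SHA256 does not has been edited or mis-copied somewhere between the sandbox and the page.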