aef13f3ec8abf777929e42aa3de86774ab8362f7fbfcc0475c7b912ce253c002

max time kernel
103s
max time network
64s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AutoDox.exe
Size

81KB
MD5

ec51cfbde4a4df4eceb8313adf8d93ca
SHA1

f8925a067c34ab1b0e7da2de961af20247ace3fa
SHA256

aef13f3ec8abf777929e42aa3de86774ab8362f7fbfcc0475c7b912ce253c002
SHA512

1cc6c73c33ce6d00c102f9ed3c6733c532f131b00761fd4ff59cda87c560e3ce3e06dfcbb8a886976ae5084c9d36c3f02d9afefca5b1403c20b53735fe24bada
SSDEEP

1536:9rsgf4VFHlI++UIoyjyCL6sf+Fle8Ifvl1loJbh76e:ClI++UIZIsf+Fle8Ift1loJbh76

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133645101534122999"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4980	chrome.exe
4980	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 2520	4980	chrome.exe	83
PID 4980 wrote to memory of 2520	4980	chrome.exe	83
PID 4980 wrote to memory of 1064	4980	chrome.exe	84
PID 4980 wrote to memory of 1064	4980	chrome.exe	84
PID 4980 wrote to memory of 1064	4980	chrome.exe	84
PID 4980 wrote to memory of 1064	4980	chrome.exe	84
PID 4980 wrote to memory of 1064	4980	chrome.exe	84
PID 4980 wrote to memory of 1064	4980	chrome.exe	84
PID 4980 wrote to memory of 1064	4980	chrome.exe	84
PID 4980 wrote to memory of 1064	4980	chrome.exe	84
PID 4980 wrote to memory of 1064	4980	chrome.exe	84
PID 4980 wrote to memory of 1064	4980	chrome.exe	84
PID 4980 wrote to memory of 1064	4980	chrome.exe	84
PID 4980 wrote to memory of 1064	4980	chrome.exe	84
PID 4980 wrote to memory of 1064	4980	chrome.exe	84
PID 4980 wrote to memory of 1064	4980	chrome.exe	84
PID 4980 wrote to memory of 1064	4980	chrome.exe	84
PID 4980 wrote to memory of 1064	4980	chrome.exe	84
PID 4980 wrote to memory of 1064	4980	chrome.exe	84
PID 4980 wrote to memory of 1064	4980	chrome.exe	84
PID 4980 wrote to memory of 1064	4980	chrome.exe	84
PID 4980 wrote to memory of 1064	4980	chrome.exe	84
PID 4980 wrote to memory of 1064	4980	chrome.exe	84
PID 4980 wrote to memory of 1064	4980	chrome.exe	84
PID 4980 wrote to memory of 1064	4980	chrome.exe	84
PID 4980 wrote to memory of 1064	4980	chrome.exe	84
PID 4980 wrote to memory of 1064	4980	chrome.exe	84
PID 4980 wrote to memory of 1064	4980	chrome.exe	84
PID 4980 wrote to memory of 1064	4980	chrome.exe	84
PID 4980 wrote to memory of 1064	4980	chrome.exe	84
PID 4980 wrote to memory of 1064	4980	chrome.exe	84
PID 4980 wrote to memory of 1064	4980	chrome.exe	84
PID 4980 wrote to memory of 1064	4980	chrome.exe	84
PID 4980 wrote to memory of 1240	4980	chrome.exe	85
PID 4980 wrote to memory of 1240	4980	chrome.exe	85
PID 4980 wrote to memory of 4912	4980	chrome.exe	86
PID 4980 wrote to memory of 4912	4980	chrome.exe	86
PID 4980 wrote to memory of 4912	4980	chrome.exe	86
PID 4980 wrote to memory of 4912	4980	chrome.exe	86
PID 4980 wrote to memory of 4912	4980	chrome.exe	86
PID 4980 wrote to memory of 4912	4980	chrome.exe	86
PID 4980 wrote to memory of 4912	4980	chrome.exe	86
PID 4980 wrote to memory of 4912	4980	chrome.exe	86
PID 4980 wrote to memory of 4912	4980	chrome.exe	86
PID 4980 wrote to memory of 4912	4980	chrome.exe	86
PID 4980 wrote to memory of 4912	4980	chrome.exe	86
PID 4980 wrote to memory of 4912	4980	chrome.exe	86
PID 4980 wrote to memory of 4912	4980	chrome.exe	86
PID 4980 wrote to memory of 4912	4980	chrome.exe	86
PID 4980 wrote to memory of 4912	4980	chrome.exe	86
PID 4980 wrote to memory of 4912	4980	chrome.exe	86
PID 4980 wrote to memory of 4912	4980	chrome.exe	86
PID 4980 wrote to memory of 4912	4980	chrome.exe	86
PID 4980 wrote to memory of 4912	4980	chrome.exe	86
PID 4980 wrote to memory of 4912	4980	chrome.exe	86
PID 4980 wrote to memory of 4912	4980	chrome.exe	86
PID 4980 wrote to memory of 4912	4980	chrome.exe	86
PID 4980 wrote to memory of 4912	4980	chrome.exe	86
PID 4980 wrote to memory of 4912	4980	chrome.exe	86
PID 4980 wrote to memory of 4912	4980	chrome.exe	86
PID 4980 wrote to memory of 4912	4980	chrome.exe	86
PID 4980 wrote to memory of 4912	4980	chrome.exe	86
PID 4980 wrote to memory of 4912	4980	chrome.exe	86
PID 4980 wrote to memory of 4912	4980	chrome.exe	86

C:\Users\Admin\AppData\Local\Temp\AutoDox.exe
"C:\Users\Admin\AppData\Local\Temp\AutoDox.exe"
1⤵
PID:2452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe673dab58,0x7ffe673dab68,0x7ffe673dab78
  2⤵
  PID:2520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1880,i,1911008861777563538,14388145918083641321,131072 /prefetch:2
  2⤵
  PID:1064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=1880,i,1911008861777563538,14388145918083641321,131072 /prefetch:8
  2⤵
  PID:1240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1880,i,1911008861777563538,14388145918083641321,131072 /prefetch:8
  2⤵
  PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1880,i,1911008861777563538,14388145918083641321,131072 /prefetch:1
  2⤵
  PID:2932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1880,i,1911008861777563538,14388145918083641321,131072 /prefetch:1
  2⤵
  PID:3972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4288 --field-trial-handle=1880,i,1911008861777563538,14388145918083641321,131072 /prefetch:1
  2⤵
  PID:4396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4584 --field-trial-handle=1880,i,1911008861777563538,14388145918083641321,131072 /prefetch:8
  2⤵
  PID:2216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 --field-trial-handle=1880,i,1911008861777563538,14388145918083641321,131072 /prefetch:8
  2⤵
  PID:3468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4596 --field-trial-handle=1880,i,1911008861777563538,14388145918083641321,131072 /prefetch:1
  2⤵
  PID:4324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4792 --field-trial-handle=1880,i,1911008861777563538,14388145918083641321,131072 /prefetch:1
  2⤵
  PID:968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3068 --field-trial-handle=1880,i,1911008861777563538,14388145918083641321,131072 /prefetch:1
  2⤵
  PID:1424

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4144

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
811B

MD5
5d656640048401b229643dd83c7a3103

SHA1
26d84f3467868235eefaf8b7f4bb02d4f8a4c827

SHA256
167824c77efb39d03e8d2b96bf06abfda64c0a30f7a190bfb5d20d2ab32832ed

SHA512
9f7935e61023eb2e607031574b7d5448ceadd9e767e57fecf619447b0d720291fd61d918e317821c8a2073cb93cc261f774d9e056dd64541f21a216579a81579

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
1940311006bb6ee8de674d200e68a180

SHA1
3e5d3a09991d52f1bc06050dc33adfe2fa968d47

SHA256
cf77f95e342bba45a218269dfe752b2c9f9b8d1de3e1092a465a22cf24e4c55e

SHA512
ee94f455ffe6c20718172d29e5c0f9c420aff7bee0d525c5acf7a2dfa866f0bd034bee0fb6c410b6ff82420657eea21649391bf58c84b1e60c0414a4fafdda35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
edd22c159743dbbd615e83f42d0c0c1e

SHA1
c5ed005509396853ec2f6874e75b4e3cc4184e30

SHA256
7b52878b6099e8c0572dfa2da813b3ec576a8cb7eb87cc3060650f85bd168d55

SHA512
e0513b8c53c32f3f9c30387a4e66b238287e35babd46dfd7969d8a7b541c8a9303f42b9aa32a628e7955f13cc08dec93a404b9f23056aa3140c99c3714e1955a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
e9fe1502b69e3a67b6112f8aaa683a3a

SHA1
c892c86f0467c5fa93e7d81ec4690929f00e3d48

SHA256
2e4ae542141b24f086287457958270277c5e7449597fa8bce46e389088db5372

SHA512
28757c6c3521412d3c2e821d85d23d93bfd38b28ac2f6b3879f8527a11980ca8dcb40a918dbcf8cdf20cae9db01b01f220cf206e33633d478920f5cce0e4a73e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
76f17bcfdf66deedb26e10b8d744380f

SHA1
826a5341d38f369e2295d471e4f5164d45f0d409

SHA256
698086aba0dc3ef1d5d17f31f74e004d2005043be339093ef837d637d7aa1cb7

SHA512
3dca514d33c037089784392073510578d03f99e232574d72b02ee2581f759f27300bab5e5f669e4136ae46d0f54a7eecf6e44ba4305686c02131e872575b7d39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
4f9070e1bb50a57aab2b2a03d66ee04a

SHA1
3c9bd098d403b3768cb270024d5badc4fa62c3d4

SHA256
0025f056c45b5dfc8ecce199cf435ee2561b99575f822af8cd92fd270d661fb2

SHA512
33b7355b55d267f28c0368e493eb5e4a2a82c1a8ad84178e195974469165f4617e4ade2cf41a1bce6e22380be7ec75232fafafd7c5cf4b5b41775eb75f3444ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
memory/2452-0-0x0000000000090000-0x00000000000BA000-memory.dmp

Filesize
168KB

Download