dd8f8169bbc35deeca4b965345598e99961506edc075cbae152c890431237882

Analysis

max time kernel
200s
max time network
191s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
06/08/2024, 03:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

DDNet.exe
Size

3.8MB
MD5

47fc5a89ae017c483e504cc8aa3ab426
SHA1

0aaf22324ee36008b97fb2470e5a1e079bfc1a89
SHA256

dd8f8169bbc35deeca4b965345598e99961506edc075cbae152c890431237882
SHA512

c0bbb276dc98d0e816d697c7b819fd1cb76cc34ffcd49a77ecde525a0bdcce5395bbd1f67f9d108ed3f4348f032f640d1e4bc5c1f46d9e12e7e22cd792c7de3c
SSDEEP

49152:xQiZ4UKKikGWiCbQaIJBf/edNhJjEKxVik3DLxLxkgXvoT4ujLP1kZC2f9dYeMcn:jZbWRfRKfBLbXAkweMY7o5I1

Score

5^/10

discovery

Malware Config

Signatures

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133673876385074162"	chrome.exe

Modifies registry class 32 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\DDNet.map\shell\open\command	DDNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\DDNet.demo\DefaultIcon\ = "\"C:\\Users\\Admin\\Downloads\\CactusClient\\Cactus-1.12.5-public/DDNet.exe\",0"	DDNet.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\DDNet.demo\shell\open\command	DDNet.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\ddnet\shell	DDNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\.map\ = "DDNet.map"	DDNet.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\DDNet.demo\shell\open	DDNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\ddnet\DefaultIcon\ = "\"C:\\Users\\Admin\\Downloads\\CactusClient\\Cactus-1.12.5-public/DDNet.exe\",0"	DDNet.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\ddnet\shell\open\command	DDNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\ddnet\shell\open\command\ = "\"C:\\Users\\Admin\\Downloads\\CactusClient\\Cactus-1.12.5-public/DDNet.exe\" \"%1\""	DDNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\DDNet.map\FriendlyTypeName = "DDNet Map File"	DDNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\DDNet.map\DefaultIcon\ = "\"C:\\Users\\Admin\\Downloads\\CactusClient\\Cactus-1.12.5-public/DDNet.exe\",0"	DDNet.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\.map	DDNet.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\DDNet.demo\DefaultIcon	DDNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\DDNet.demo\shell\open\command\ = "\"C:\\Users\\Admin\\Downloads\\CactusClient\\Cactus-1.12.5-public/DDNet.exe\" \"%1\""	DDNet.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\.demo\ = "DDNet.demo"	DDNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\ddnet\URL Protocol	DDNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\DDNet.demo\ = "DDNet Demo File"	DDNet.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\.demo	DDNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\ddnet\ = "URL:ddnet Protocol"	DDNet.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\DDNet.map\shell	DDNet.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\DDNet.demo	DDNet.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\DDNet.demo\shell	DDNet.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\ddnet	DDNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\DDNet.map\shell\open\command\ = "\"C:\\Users\\Admin\\Downloads\\CactusClient\\Cactus-1.12.5-public/DDNet.exe\" \"%1\""	DDNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\DDNet.demo\FriendlyTypeName = "DDNet Demo File"	DDNet.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\ddnet\shell\open	DDNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\DDNet.map\ = "DDNet Map File"	DDNet.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\DDNet.map\DefaultIcon	DDNet.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\DDNet.map	DDNet.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\DDNet.map\shell\open	DDNet.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\ddnet\DefaultIcon	DDNet.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\CactusClient.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1940	chrome.exe
1940	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1940	chrome.exe
Token: SeCreatePagefilePrivilege	1940	chrome.exe
Token: SeShutdownPrivilege	1940	chrome.exe
Token: SeCreatePagefilePrivilege	1940	chrome.exe
Token: SeShutdownPrivilege	1940	chrome.exe
Token: SeCreatePagefilePrivilege	1940	chrome.exe
Token: SeShutdownPrivilege	1940	chrome.exe
Token: SeCreatePagefilePrivilege	1940	chrome.exe
Token: SeShutdownPrivilege	1940	chrome.exe
Token: SeCreatePagefilePrivilege	1940	chrome.exe
Token: SeShutdownPrivilege	1940	chrome.exe
Token: SeCreatePagefilePrivilege	1940	chrome.exe
Token: SeShutdownPrivilege	1940	chrome.exe
Token: SeCreatePagefilePrivilege	1940	chrome.exe
Token: SeShutdownPrivilege	1940	chrome.exe
Token: SeCreatePagefilePrivilege	1940	chrome.exe
Token: SeShutdownPrivilege	1940	chrome.exe
Token: SeCreatePagefilePrivilege	1940	chrome.exe
Token: SeShutdownPrivilege	1940	chrome.exe
Token: SeCreatePagefilePrivilege	1940	chrome.exe
Token: SeShutdownPrivilege	1940	chrome.exe
Token: SeCreatePagefilePrivilege	1940	chrome.exe
Token: SeShutdownPrivilege	1940	chrome.exe
Token: SeCreatePagefilePrivilege	1940	chrome.exe
Token: SeShutdownPrivilege	1940	chrome.exe
Token: SeCreatePagefilePrivilege	1940	chrome.exe
Token: SeShutdownPrivilege	1940	chrome.exe
Token: SeCreatePagefilePrivilege	1940	chrome.exe
Token: SeShutdownPrivilege	1940	chrome.exe
Token: SeCreatePagefilePrivilege	1940	chrome.exe
Token: SeShutdownPrivilege	1940	chrome.exe
Token: SeCreatePagefilePrivilege	1940	chrome.exe
Token: SeShutdownPrivilege	1940	chrome.exe
Token: SeCreatePagefilePrivilege	1940	chrome.exe
Token: SeShutdownPrivilege	1940	chrome.exe
Token: SeCreatePagefilePrivilege	1940	chrome.exe
Token: SeShutdownPrivilege	1940	chrome.exe
Token: SeCreatePagefilePrivilege	1940	chrome.exe
Token: SeShutdownPrivilege	1940	chrome.exe
Token: SeCreatePagefilePrivilege	1940	chrome.exe
Token: SeShutdownPrivilege	1940	chrome.exe
Token: SeCreatePagefilePrivilege	1940	chrome.exe
Token: SeShutdownPrivilege	1940	chrome.exe
Token: SeCreatePagefilePrivilege	1940	chrome.exe
Token: SeShutdownPrivilege	1940	chrome.exe
Token: SeCreatePagefilePrivilege	1940	chrome.exe
Token: SeShutdownPrivilege	1940	chrome.exe
Token: SeCreatePagefilePrivilege	1940	chrome.exe
Token: SeShutdownPrivilege	1940	chrome.exe
Token: SeCreatePagefilePrivilege	1940	chrome.exe
Token: SeShutdownPrivilege	1940	chrome.exe
Token: SeCreatePagefilePrivilege	1940	chrome.exe
Token: SeShutdownPrivilege	1940	chrome.exe
Token: SeCreatePagefilePrivilege	1940	chrome.exe
Token: SeShutdownPrivilege	1940	chrome.exe
Token: SeCreatePagefilePrivilege	1940	chrome.exe
Token: SeShutdownPrivilege	1940	chrome.exe
Token: SeCreatePagefilePrivilege	1940	chrome.exe
Token: SeShutdownPrivilege	1940	chrome.exe
Token: SeCreatePagefilePrivilege	1940	chrome.exe
Token: SeShutdownPrivilege	1940	chrome.exe
Token: SeCreatePagefilePrivilege	1940	chrome.exe
Token: SeShutdownPrivilege	1940	chrome.exe
Token: SeCreatePagefilePrivilege	1940	chrome.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe
1940	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4560	DDNet.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 4924	1940	chrome.exe	85
PID 1940 wrote to memory of 4924	1940	chrome.exe	85
PID 1940 wrote to memory of 2868	1940	chrome.exe	86
PID 1940 wrote to memory of 2868	1940	chrome.exe	86
PID 1940 wrote to memory of 2868	1940	chrome.exe	86
PID 1940 wrote to memory of 2868	1940	chrome.exe	86
PID 1940 wrote to memory of 2868	1940	chrome.exe	86
PID 1940 wrote to memory of 2868	1940	chrome.exe	86
PID 1940 wrote to memory of 2868	1940	chrome.exe	86
PID 1940 wrote to memory of 2868	1940	chrome.exe	86
PID 1940 wrote to memory of 2868	1940	chrome.exe	86
PID 1940 wrote to memory of 2868	1940	chrome.exe	86
PID 1940 wrote to memory of 2868	1940	chrome.exe	86
PID 1940 wrote to memory of 2868	1940	chrome.exe	86
PID 1940 wrote to memory of 2868	1940	chrome.exe	86
PID 1940 wrote to memory of 2868	1940	chrome.exe	86
PID 1940 wrote to memory of 2868	1940	chrome.exe	86
PID 1940 wrote to memory of 2868	1940	chrome.exe	86
PID 1940 wrote to memory of 2868	1940	chrome.exe	86
PID 1940 wrote to memory of 2868	1940	chrome.exe	86
PID 1940 wrote to memory of 2868	1940	chrome.exe	86
PID 1940 wrote to memory of 2868	1940	chrome.exe	86
PID 1940 wrote to memory of 2868	1940	chrome.exe	86
PID 1940 wrote to memory of 2868	1940	chrome.exe	86
PID 1940 wrote to memory of 2868	1940	chrome.exe	86
PID 1940 wrote to memory of 2868	1940	chrome.exe	86
PID 1940 wrote to memory of 2868	1940	chrome.exe	86
PID 1940 wrote to memory of 2868	1940	chrome.exe	86
PID 1940 wrote to memory of 2868	1940	chrome.exe	86
PID 1940 wrote to memory of 2868	1940	chrome.exe	86
PID 1940 wrote to memory of 2868	1940	chrome.exe	86
PID 1940 wrote to memory of 2868	1940	chrome.exe	86
PID 1940 wrote to memory of 492	1940	chrome.exe	87
PID 1940 wrote to memory of 492	1940	chrome.exe	87
PID 1940 wrote to memory of 2948	1940	chrome.exe	88
PID 1940 wrote to memory of 2948	1940	chrome.exe	88
PID 1940 wrote to memory of 2948	1940	chrome.exe	88
PID 1940 wrote to memory of 2948	1940	chrome.exe	88
PID 1940 wrote to memory of 2948	1940	chrome.exe	88
PID 1940 wrote to memory of 2948	1940	chrome.exe	88
PID 1940 wrote to memory of 2948	1940	chrome.exe	88
PID 1940 wrote to memory of 2948	1940	chrome.exe	88
PID 1940 wrote to memory of 2948	1940	chrome.exe	88
PID 1940 wrote to memory of 2948	1940	chrome.exe	88
PID 1940 wrote to memory of 2948	1940	chrome.exe	88
PID 1940 wrote to memory of 2948	1940	chrome.exe	88
PID 1940 wrote to memory of 2948	1940	chrome.exe	88
PID 1940 wrote to memory of 2948	1940	chrome.exe	88
PID 1940 wrote to memory of 2948	1940	chrome.exe	88
PID 1940 wrote to memory of 2948	1940	chrome.exe	88
PID 1940 wrote to memory of 2948	1940	chrome.exe	88
PID 1940 wrote to memory of 2948	1940	chrome.exe	88
PID 1940 wrote to memory of 2948	1940	chrome.exe	88
PID 1940 wrote to memory of 2948	1940	chrome.exe	88
PID 1940 wrote to memory of 2948	1940	chrome.exe	88
PID 1940 wrote to memory of 2948	1940	chrome.exe	88
PID 1940 wrote to memory of 2948	1940	chrome.exe	88
PID 1940 wrote to memory of 2948	1940	chrome.exe	88
PID 1940 wrote to memory of 2948	1940	chrome.exe	88
PID 1940 wrote to memory of 2948	1940	chrome.exe	88
PID 1940 wrote to memory of 2948	1940	chrome.exe	88
PID 1940 wrote to memory of 2948	1940	chrome.exe	88
PID 1940 wrote to memory of 2948	1940	chrome.exe	88
PID 1940 wrote to memory of 2948	1940	chrome.exe	88

C:\Users\Admin\AppData\Local\Temp\DDNet.exe
"C:\Users\Admin\AppData\Local\Temp\DDNet.exe"
1⤵
PID:4460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa8a4cc40,0x7ffaa8a4cc4c,0x7ffaa8a4cc58
  2⤵
  PID:4924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1800,i,12905777629168636717,15780212471137183272,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1796 /prefetch:2
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2120,i,12905777629168636717,15780212471137183272,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  PID:492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,12905777629168636717,15780212471137183272,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2212 /prefetch:8
  2⤵
  PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,12905777629168636717,15780212471137183272,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:3592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3176,i,12905777629168636717,15780212471137183272,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4428,i,12905777629168636717,15780212471137183272,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4496 /prefetch:1
  2⤵
  PID:5608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4720,i,12905777629168636717,15780212471137183272,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4756 /prefetch:8
  2⤵
  PID:5340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4780,i,12905777629168636717,15780212471137183272,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4784 /prefetch:8
  2⤵
  PID:5404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3748,i,12905777629168636717,15780212471137183272,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4472 /prefetch:1
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3228,i,12905777629168636717,15780212471137183272,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:3636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5068,i,12905777629168636717,15780212471137183272,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4952 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4884,i,12905777629168636717,15780212471137183272,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3152 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3384

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4728

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4276

C:\Users\Admin\Downloads\CactusClient\Cactus-1.12.5-public\DDNet.exe
"C:\Users\Admin\Downloads\CactusClient\Cactus-1.12.5-public\DDNet.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4560

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004D8
1⤵
PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\893a794a-3dc9-452d-bc31-77134022694c.tmp

Filesize
9KB

MD5
64945d3cbd95e603a316094805836f59

SHA1
7e15be6f3c097e4812092e3f815764414fc1abe3

SHA256
320dec0c65acf58818c4d9356b8462e8c151a73c2a5cfd24783329e2a2a87c7a

SHA512
967efb530e2f584a0aad9153b6189175eea95734538bc56d898343b221cd8c3383576ba711235d6b0e84974540f59dba99ef92c0843aee355892fdec9138a25d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
c4034ec3f803b2a8a4e8b137c92762c4

SHA1
b1a9597d064a7eb4edaa271ef87bfdbdc2117452

SHA256
a4b02fde8de86ee5cf4f4155b8f6034906cc0512bc03cf53baac83c0b70a702f

SHA512
db29327df855ba72f1a44509973a91b1f831ba6c6aa630a8528722bf17d59795eb8a44e41750f2e2fad19a3fd434da70c612cb7d6b4c6be5959f8e3e1331ed51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
581240e3b8e3c4698683caf67df6ecfb

SHA1
d6f8a717041e2c21ca8864991a4554cb8169d282

SHA256
d8f6eb940afef91ede29ccbc3fa07bcc76ea1d01c4a64f409d7e8c359871c0f5

SHA512
df7ed90dd3d2db0b8a43a29cc53d508c1e65a659c517b248ddbb954417ac931484c78d225f5a06d5a36b6e9172aa1c6092113b984c4db401f035a2f0a8ebe4cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
c39879949d65ad84af710c4f8ba50677

SHA1
734e494104813c3c644d130bbc7b3f3b2a44f60d

SHA256
c5ff50bb2337f339f3f42800b16b8a0bfcdadb8890e4482cc35f59502edcb93b

SHA512
6cb41de49662b05355e894417078ba3d582a8f1a20fe65cb6f99b5c21891891f7190fb4669e19a4cebc0572ff58493ab038c15d4ca76fcfcd9a154a6b4152708

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
00701dc2423e2947b604343b8253f387

SHA1
c97c72f122835c904167a4d681210b28df286b41

SHA256
28d8df2ccb582b8c5f3c06a9d2be7f5475412c02c8a2d3dc7b24a5ee755eac75

SHA512
0a51bd9fa54315fe9bd36a47b3d73f1b01243ad94443d189b6c2a8a1f86c357413fb566fb364938d720cd8d62c58292a0c757d917db325e826cb1d695a12e114

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
9ca3bb25988489491cc733e81aa1405a

SHA1
1ad1d0d4a4ae38882c638319f5d9b9b72dc531e4

SHA256
e51ef6ab6d939a9317b4c0811bde284481349b164467b4efa6603c641b7e4209

SHA512
99c509dd1b8f42456990164d7ae57d1bca1724805129064641a9dfc0eb1beffbb89887de9875fa28f3b82934bebae92b40b1ea723d3d28f0be7518db6bac87d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0d29d841e9409b510ddb00ac240b649e

SHA1
4f3b3c271361e876893ffbecbd353ead6d44b474

SHA256
e92870a8be90d5fd35532bb14ac22e224711efd0e36e95dcda1ea66155281c99

SHA512
57cf2988be7cce1c156257a77b7c7265a27e7a65c45e043a1dde28fa2c834978b30890faf95c5f6f7546a634d361afdeb62ce4c2f0d9ae307b3a85b56da40b0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d1c71f064c1718e1e42c2542de5d7fa3

SHA1
01c9c708056e81ccd9c45246e447c66a9edb6d4d

SHA256
ae878cc99d294470d34da9b2caa307d396c30e067b388c54a5ddea4b33c16c18

SHA512
029fafd2c9edfbb5899e507659f749eb97b878a85f26352ec2891aef5e25bfd4113408135c7bbabf835cabc32bd5b7bf3618771efef5ad6e5db5858d505f130d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
861dba99263db963c79d9e4268dfaad8

SHA1
1edea90d313e9479f8e16ac1f314091070ca0c80

SHA256
3d790c150a40278c4bf09d0d3504e3084d18ccefd8b98e1443d1f106e4ee9220

SHA512
667717abbe32a38a8ae9ea56720169b6e21aa1fa03bd0b98ce15834610fc6f03dbc9fb5406fac435afe1f92e4345dc526bc5c3f51317d295e8282d14c677f2eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
330b89dc1b18f1b3a0933668741d64d8

SHA1
82995d2fd31e8f70115430c3cbfd556cc26ca6c5

SHA256
d802a319b6f767c09f7ae7219aa6af5f38740322bff88f2d87a8085aa507ec13

SHA512
cfcfcfd4c8c184218078d48b19333a63d1d98922c77a37430b7d0553bc8ae60c9f35e7d8305241c2585389916a8be4453f77e3f4b37c104c224acfe165bac46b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1f873e34d73c215f2df454fa1c085e35

SHA1
500e63cf4838e1eed3f201f2c46c921cbf2befde

SHA256
9395dc268a73182281989a1d40d72f2c13a5ab152fee5e74497b630637ffdd5d

SHA512
89c1087b1e2fe7c50e0d346d04bc8000b250096e57452cd304b10c63f27650b276dae7b7d12b3f4e54b203bd7837d336f11d4bf291ab15e35be7e7e0d00e3641

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1920048430dff328fcb9650ad563b901

SHA1
27faef87252a85c471474bd65c291964f55e97d1

SHA256
d6f4b6223e72a50702d7bb5309531e82b8bec2b6bfe1e0f4ef005dd42440d720

SHA512
7ef1c78becbff2bd1aadc1aad760363c3d932f46c151b242f6cd1d323cf4d42c6b6fd3c17fce34dc651b5f0452fc19bc9e14d57808a115a13b948ad5fdca1257

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
40b8d025b4696ea867379151e805c504

SHA1
ae9517110e6a4010f6eeb6168cbeba245c619eea

SHA256
a36218f1b679392c9732cedbef3823b6a176a98917c4f805e6d04840c7393ead

SHA512
d60ccd1f0c5e3598dca11e84c56f6c683478e1baefb51c1c7d5b8d553145962964a998e7c6e216e6efa6764dbba52fcf704cb5cfd4d408bef63ca447ec1d5ed3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ce17450f0b2822b987f0617e419410ad

SHA1
a9528ac1deeb162ad33c4ace741f63286d63d8e1

SHA256
e2b38bbccc6ba5e4e628cb59e02d5836e5b2eb242efd1748a109e4671cf353a5

SHA512
d0314bda5039de099516e9c1a3b58be56ca76d0fa0c0bf947c4fc38778ae5960c84953836211de78a146c87feb4e2a8ff534e3f955cc9bcf8703a5d15054b7a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
7cc2a68d046891471380f94595a25417

SHA1
97608d1d69f1194ebfaa26b0adde408df4eee399

SHA256
0e75a013848ffc64c5a0afc2b09016672db56db68cf0df5143e419f6e3654617

SHA512
a970c18fe428ebd73553d2c030cedf43c3b33852b94714ed7b47d2387e5e2a7c3f9e042448cb27994425fa769e8f1c1a250316cb06e24ff39d54eb6a2aadb35f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
4bc60f8b3d71433a63df15d878fa125f

SHA1
b7a41c3fcf7c57845d85d884592aebd1ebff7844

SHA256
9b4e3a97bfb232cb561a4872e866d32f0db4c9ffffe296550fd92926dc0beb3a

SHA512
e24b49c90a53e6b01ad04155cb72eff997fa741790567f4af26b24bf537bdb68ab764713c392e8059e5f33d0e28e44318113ca439f94b8d6e3d4cad2ebdc0a2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
2f981a5b47d3e1aee91223999f172bba

SHA1
1af9394c2a373d74c554c20aba289faf29a03fd2

SHA256
94035e823071f1cd236ffe03c6b4dd436ba2de182970cab03100d943c78b3eb5

SHA512
83fe05f34e03d75267735dc6dd1ed0c77a2e3b7e83660b3c5705dc43831ae9a8e47938c473d656d650cb2d51de054d42b52195d8db4b47add6bebd8342e01f15

Download Submit
C:\Users\Admin\Downloads\CactusClient.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/4560-239-0x0000000062E80000-0x0000000062EA6000-memory.dmp

Filesize
152KB

Download
memory/4560-238-0x00007FFA93300000-0x00007FFA93464000-memory.dmp

Filesize
1.4MB

Download
memory/4560-242-0x0000000064940000-0x0000000064955000-memory.dmp

Filesize
84KB

Download
memory/4560-231-0x00007FFA93930000-0x00007FFA93CF3000-memory.dmp

Filesize
3.8MB

Download
memory/4560-233-0x00007FFA93720000-0x00007FFA93924000-memory.dmp

Filesize
2.0MB

Download
memory/4560-237-0x00007FFA93470000-0x00007FFA934FA000-memory.dmp

Filesize
552KB

Download
memory/4560-235-0x00007FFAA9110000-0x00007FFAA9125000-memory.dmp

Filesize
84KB

Download
memory/4560-245-0x00007FFA93D80000-0x00007FFA93F79000-memory.dmp

Filesize
2.0MB

Download
memory/4560-241-0x00007FFA92DF0000-0x00007FFA92E82000-memory.dmp

Filesize
584KB

Download
memory/4560-269-0x00007FFA93D80000-0x00007FFA93F79000-memory.dmp

Filesize
2.0MB

Download
memory/4560-240-0x00007FFAA85E0000-0x00007FFAA85F2000-memory.dmp

Filesize
72KB

Download
memory/4560-293-0x00007FFA93D80000-0x00007FFA93F79000-memory.dmp

Filesize
2.0MB

Download
memory/4560-236-0x00007FFA93D00000-0x00007FFA93D7B000-memory.dmp

Filesize
492KB

Download
memory/4560-234-0x00007FFA9D910000-0x00007FFA9D938000-memory.dmp

Filesize
160KB

Download
memory/4560-232-0x00007FFA93670000-0x00007FFA93717000-memory.dmp

Filesize
668KB

Download
memory/4560-230-0x00007FFA93D80000-0x00007FFA93F79000-memory.dmp

Filesize
2.0MB

Download
memory/4560-228-0x00007FFA93F80000-0x00007FFA9402E000-memory.dmp

Filesize
696KB

Download
memory/4560-229-0x00007FFA97D70000-0x00007FFA97DBD000-memory.dmp

Filesize
308KB

Download