hxxps://cdn[.]discordapp[.]com/attachments/1253355272668319746/1283444163664154726/resource_hacker_setup[.]exe?ex=66e30405&is=66e1b285&hm=ba785873f5f2849a947c27dba4aea532ae614cad56a320c07c77acd7341395b5&

Resubmissions

11/09/2024, 15:21

240911-srsgasyapf 8

11/09/2024, 15:09

240911-sjx2taxcnp 8

Analysis

max time kernel
168s
max time network
142s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
11/09/2024, 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1253355272668319746/1283444163664154726/resource_hacker_setup.exe?ex=66e30405&is=66e1b285&hm=ba785873f5f2849a947c27dba4aea532ae614cad56a320c07c77acd7341395b5&

Score

8^/10

defense_evasion discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2788	resource_hacker_setup.exe
3300	resource_hacker_setup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Resource Hacker\ResourceHacker.exe	resource_hacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\unins000.dat	resource_hacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\help\is-F6E22.tmp	resource_hacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\help\is-6JP4M.tmp	resource_hacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\samples\is-R5U21.tmp	resource_hacker_setup.tmp
File opened for modification	C:\Program Files (x86)\Resource Hacker\samples\sample2.dll	resource_hacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\is-3KUGF.tmp	resource_hacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\samples\is-K9VCS.tmp	resource_hacker_setup.tmp
File opened for modification	C:\Program Files (x86)\Resource Hacker\unins000.dat	resource_hacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\is-CNCKA.tmp	resource_hacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\is-53HOG.tmp	resource_hacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\help\is-MCCPJ.tmp	resource_hacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\help\is-F3KV8.tmp	resource_hacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\help\is-4AO8C.tmp	resource_hacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\samples\is-SDJFH.tmp	resource_hacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\samples\is-0MEGC.tmp	resource_hacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\samples\is-3BPOS.tmp	resource_hacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\is-76OTV.tmp	resource_hacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\help\is-1EP8H.tmp	resource_hacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\help\is-JM97U.tmp	resource_hacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\help\is-ELOGK.tmp	resource_hacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\help\is-IIF8L.tmp	resource_hacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\help\is-I4IFB.tmp	resource_hacker_setup.tmp

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\resource_hacker_setup.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	resource_hacker_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	resource_hacker_setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133705410354854311"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings	resource_hacker_setup.tmp

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\resource_hacker_setup.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4296	chrome.exe
4296	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
3300	resource_hacker_setup.tmp
3300	resource_hacker_setup.tmp

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4296	chrome.exe
4296	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
3300	resource_hacker_setup.tmp

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 1424	4296	chrome.exe	81
PID 4296 wrote to memory of 1424	4296	chrome.exe	81
PID 4296 wrote to memory of 484	4296	chrome.exe	82
PID 4296 wrote to memory of 484	4296	chrome.exe	82
PID 4296 wrote to memory of 484	4296	chrome.exe	82
PID 4296 wrote to memory of 484	4296	chrome.exe	82
PID 4296 wrote to memory of 484	4296	chrome.exe	82
PID 4296 wrote to memory of 484	4296	chrome.exe	82
PID 4296 wrote to memory of 484	4296	chrome.exe	82
PID 4296 wrote to memory of 484	4296	chrome.exe	82
PID 4296 wrote to memory of 484	4296	chrome.exe	82
PID 4296 wrote to memory of 484	4296	chrome.exe	82
PID 4296 wrote to memory of 484	4296	chrome.exe	82
PID 4296 wrote to memory of 484	4296	chrome.exe	82
PID 4296 wrote to memory of 484	4296	chrome.exe	82
PID 4296 wrote to memory of 484	4296	chrome.exe	82
PID 4296 wrote to memory of 484	4296	chrome.exe	82
PID 4296 wrote to memory of 484	4296	chrome.exe	82
PID 4296 wrote to memory of 484	4296	chrome.exe	82
PID 4296 wrote to memory of 484	4296	chrome.exe	82
PID 4296 wrote to memory of 484	4296	chrome.exe	82
PID 4296 wrote to memory of 484	4296	chrome.exe	82
PID 4296 wrote to memory of 484	4296	chrome.exe	82
PID 4296 wrote to memory of 484	4296	chrome.exe	82
PID 4296 wrote to memory of 484	4296	chrome.exe	82
PID 4296 wrote to memory of 484	4296	chrome.exe	82
PID 4296 wrote to memory of 484	4296	chrome.exe	82
PID 4296 wrote to memory of 484	4296	chrome.exe	82
PID 4296 wrote to memory of 484	4296	chrome.exe	82
PID 4296 wrote to memory of 484	4296	chrome.exe	82
PID 4296 wrote to memory of 484	4296	chrome.exe	82
PID 4296 wrote to memory of 484	4296	chrome.exe	82
PID 4296 wrote to memory of 1500	4296	chrome.exe	83
PID 4296 wrote to memory of 1500	4296	chrome.exe	83
PID 4296 wrote to memory of 3264	4296	chrome.exe	84
PID 4296 wrote to memory of 3264	4296	chrome.exe	84
PID 4296 wrote to memory of 3264	4296	chrome.exe	84
PID 4296 wrote to memory of 3264	4296	chrome.exe	84
PID 4296 wrote to memory of 3264	4296	chrome.exe	84
PID 4296 wrote to memory of 3264	4296	chrome.exe	84
PID 4296 wrote to memory of 3264	4296	chrome.exe	84
PID 4296 wrote to memory of 3264	4296	chrome.exe	84
PID 4296 wrote to memory of 3264	4296	chrome.exe	84
PID 4296 wrote to memory of 3264	4296	chrome.exe	84
PID 4296 wrote to memory of 3264	4296	chrome.exe	84
PID 4296 wrote to memory of 3264	4296	chrome.exe	84
PID 4296 wrote to memory of 3264	4296	chrome.exe	84
PID 4296 wrote to memory of 3264	4296	chrome.exe	84
PID 4296 wrote to memory of 3264	4296	chrome.exe	84
PID 4296 wrote to memory of 3264	4296	chrome.exe	84
PID 4296 wrote to memory of 3264	4296	chrome.exe	84
PID 4296 wrote to memory of 3264	4296	chrome.exe	84
PID 4296 wrote to memory of 3264	4296	chrome.exe	84
PID 4296 wrote to memory of 3264	4296	chrome.exe	84
PID 4296 wrote to memory of 3264	4296	chrome.exe	84
PID 4296 wrote to memory of 3264	4296	chrome.exe	84
PID 4296 wrote to memory of 3264	4296	chrome.exe	84
PID 4296 wrote to memory of 3264	4296	chrome.exe	84
PID 4296 wrote to memory of 3264	4296	chrome.exe	84
PID 4296 wrote to memory of 3264	4296	chrome.exe	84
PID 4296 wrote to memory of 3264	4296	chrome.exe	84
PID 4296 wrote to memory of 3264	4296	chrome.exe	84
PID 4296 wrote to memory of 3264	4296	chrome.exe	84
PID 4296 wrote to memory of 3264	4296	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1253355272668319746/1283444163664154726/resource_hacker_setup.exe?ex=66e30405&is=66e1b285&hm=ba785873f5f2849a947c27dba4aea532ae614cad56a320c07c77acd7341395b5&
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa09dcc40,0x7fffa09dcc4c,0x7fffa09dcc58
  2⤵
  PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1892,i,821813253965668128,17800077634749013248,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1888 /prefetch:2
  2⤵
  PID:484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2060,i,821813253965668128,17800077634749013248,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2136 /prefetch:3
  2⤵
  PID:1500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,821813253965668128,17800077634749013248,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2416 /prefetch:8
  2⤵
  PID:3264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3064,i,821813253965668128,17800077634749013248,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:3616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3076,i,821813253965668128,17800077634749013248,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4704,i,821813253965668128,17800077634749013248,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  PID:536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4972,i,821813253965668128,17800077634749013248,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4980 /prefetch:8
  2⤵
  PID:128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4960,i,821813253965668128,17800077634749013248,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5124 /prefetch:8
  2⤵
  PID:240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5312,i,821813253965668128,17800077634749013248,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5332 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5236,i,821813253965668128,17800077634749013248,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5400 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2380
- C:\Users\Admin\Downloads\resource_hacker_setup.exe
  "C:\Users\Admin\Downloads\resource_hacker_setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2788
- - C:\Users\Admin\AppData\Local\Temp\is-J47CD.tmp\resource_hacker_setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-J47CD.tmp\resource_hacker_setup.tmp" /SL5="$A02E6,3411549,870400,C:\Users\Admin\Downloads\resource_hacker_setup.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:3300
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files (x86)\Resource Hacker\ReadMe.txt
      4⤵
      System Location Discovery: System Language Discovery
      PID:2724

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Resource Hacker\ReadMe.txt

Filesize
1KB

MD5
eee9717c2fd4f926c23b6fbbd7174be5

SHA1
1596921b80753e25dacff3499a8ecd3e81e6d7c9

SHA256
afe15bbaef0dd02cdefdd6b366084a838ea40e29c21173d68d28cb629cf69203

SHA512
778f84fb27cba9b2283b468859e740418a2ed3aef5f087a7a554b91224f88ebe244d36ead138b8c4d8ebf00f98661dd3a60fa3681f3717e84ad9f73169942e0a

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
3fdaa6c35a5ffe44a591f29c91541e9a

SHA1
b31abfdb49924a0305258da26cb2e44ebfc9c743

SHA256
2d70ac64a17eb37816beae4c3e01c743f5e7b47717bc1559493257c07480d6cd

SHA512
2bbd22b2f495d456fcbfe073c164c8fa70d0e889c175156be4619b73e0f3f280d3163fc8ade9dc7ac9bc6fb300c89a8a96539987036a239121c6ecb252077813

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e563f375538758c26fcf936626370050

SHA1
6f2d4387518c8e065626805e01fd469fd312557b

SHA256
0ba5c7228d028f1451dffa716f3f597e6b0159a53b010b58c4681f2cd58ce4b5

SHA512
8886ada300dc4a9ae5e63630aaffafb56c9e38990adc69802f81fcc65b1dda44da43d55b188cd4f1955cad45142597dcff7be6d08a4562bdaa30658e2df7160b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2c42cbc2fa485db0929fcbc66a4a6432

SHA1
f673638f9db7b083f617f24e481c0bacb66f409b

SHA256
8d4167691cd5d88edbe0c37ccb646b2a4b6d7db6c9226766f6c58e7e7ce59c88

SHA512
f6e450c166abe0e96f5ffb1e7b444e6f5f1cca9a9ad62ad3281311cd2928d097ca068771e25c6bd949bc61a921a9ec3b8abf6c80688b8c95e42f9b35e0f88462

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1f2b6e9897aa541dd51e7f1391473ed5

SHA1
2576c310be62a619d1dd3465c1ac19ab5797537c

SHA256
8de7bf63764fc72a3494195ca1667dcb190aea8bfa4e93afad87ef2abfe269ef

SHA512
37cf455fa1857ca9e1ceb6d36a4f5004510ab2d3a2cc640e0663787ab30e2ba0d0b5027c0514ae31cbcf9b8e0feb5ef1d2e5a689e614ec12fe5d3ec0d2b305f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6e8fa3c1cbaacd69e2b6e7ac32ca679d

SHA1
0cd1434c8ab5a45b26819c652e982eab8e497704

SHA256
bbc66e170aaa0ac7e0691fd334b2c098024ed8e623f06b68fa4f7970b8ddbb53

SHA512
2c974c25f2905856d4204a03fc1bce1706dd8d5afa0c772ba6b36346dfecb80edfe7fec0609218ef78fd341d1a1d1635640b1ef9794b5916c561e4780bc817ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b9c3a8eb4adf600aa682e9963821e2bf

SHA1
92676f0471d0db5048f70bfc4cd0ed0d9e85f484

SHA256
cb86fc885eeacea5dbd7bd9fe2d4e59f383cb0b24e4f6a62d0ce6a1fb60e6bab

SHA512
9e9c24b027f435e2b722ad8eb34060c83550406d3516b406d51df7ca40c05a0c4c4cedc7035de846e2e2ef0cb52a4ca864932eff0b7d9ffb2b5c1a7c0f21ba1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4a08d7492a221d9bbfbe98a47e355c7c

SHA1
672a810037ae90c6fb48e1a960d8639c362b4f46

SHA256
ad92d2a6b9fa2f4396a6b22de6acbab7256960e0b129d6fc455c8231ee8a54d1

SHA512
2f6b065bfa3b612ed8de5f8ee3668c7b4c2d60178802aad5c82f6d14ab59d12d9bcab637645c93e2a7e5b4baf461635b75f3f69c2da59eb07ea9cca427f787e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
17eee1d873e6a9327309d32503cd1f8f

SHA1
0f5f82f1e00477f435768eac2dac41f3f63a5c3b

SHA256
ce9c3dff45c0d837a1950d7c69f5d6bbf64ed289ee6e13597bdd7c6cfc20e3f8

SHA512
60afb15bf2d70feef52233866d638e158c75fe045108c575d64d2e1c19d7223b2acca30ba1408168614389593168be7bbb233a6c22847cfc1266c359c14fd921

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
20cf5837478bc23140e63627d634954b

SHA1
c67663a7aa2996f5a0207a9ea291b371b2ce1338

SHA256
cffd4d6ddf451916b526883caa86bfa238dd16a368ec1e9f6eacb128e8bdbde3

SHA512
4b2ce3b5e85023402f734976402e92e39dcb76c4c704b87dea1a6f0a75dc1b9314f21b72d5650a58ff6d52ea6fd22065c911a0ffb937d1c729d25e8e378f4d7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2d179763e9a653e01a20b2ed0736bcee

SHA1
4374ab1050fdbdca605c38c3d76bcf65c102d6c8

SHA256
460172e2a9b2e6943ada357064f7e4e89bc525b95de1df0e9d0288e0d7577060

SHA512
e1328dc991b8402752c3cba81019c94933d6e250f664c66fc58a4ae5a9e549a861f3eacfd967937877e59e8736463aef907589e1fa3e88764c0ad0fcbd62ddf6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
74cf1ef586869aed5a50ea4b7771c2ad

SHA1
1c402f79cbaa12c71ec94b466bc0da1e116a4d52

SHA256
7e990fcf037de2b0749bb98564a7d7d5c6cb1860a161fbb0134846db1859f744

SHA512
ecfadbbb129e6c690082b2a9bd9cdf52ad4a7dcbebda86a806828ddc62b4f79dda8b427db81214fc2dc6f23d8d3c0e89046993e3e702c07d0c5188b9187572a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
9b823c11fa01a1d2f9d7b8e351f9e396

SHA1
ecdc5c1f57ebf5460c3e300399cff21a9be01176

SHA256
2f5e74d59cea1363015c38dff880bd15d729eb1e88f4bd325096807c33f32988

SHA512
5af900d5ebd2f8fae64a6e280ddb8886595fc13e8bacf88e3ae2a8aba9f648d66ee66d716665ada1a91b913d2092fc908b3ab4e2d33f5fb6d34b97bf0b03c916

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J47CD.tmp\resource_hacker_setup.tmp

Filesize
2.5MB

MD5
3baaf568aa5142e9eeed4ec6cdd764b7

SHA1
089ec2257a57c0f2ee913a94e61c1c8272de6290

SHA256
153efbe85cecec3149664254a856440fbb6a3c8f3f287a97f373b3353e816268

SHA512
4a30732ea3c5a2e8529eab69761a25862c87935fc3842b48d515901669725ff070527ccd61dd602dfced94cd504b7ff2861f43ffba1ead6569b8b26544845287

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 17774.crdownload

Filesize
4.0MB

MD5
e846ef7353af351ad4a6e1d49638b500

SHA1
c08392c797fcea5147b3f0d7e07f57eedc323911

SHA256
080e97f7c198aeeac2a172f055c09d8da365b59b58bf6a71bde4486d9992ff66

SHA512
e73bd521a157af4388b7c0d3bff5b34a4a547b8083137a4b48d0c232562d5932c7bb89b6700778246b895d7b9d1ba59050f3a631dfd436f64b5ff9ecf7934ec5

Download Submit
C:\Users\Admin\Downloads\resource_hacker_setup.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/2788-142-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2788-140-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2788-206-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/3300-147-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/3300-205-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download