hxxps://cdn[.]discordapp[.]com/attachments/1253355272668319746/1283444163664154726/resource_hacker_setup[.]exe?ex=66e30405&is=66e1b285&hm=ba785873f5f2849a947c27dba4aea532ae614cad56a320c07c77acd7341395b5&

Resubmissions

11/09/2024, 15:21

240911-srsgasyapf 8

11/09/2024, 15:09

240911-sjx2taxcnp 8

Analysis

max time kernel
111s
max time network
114s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
11/09/2024, 15:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1253355272668319746/1283444163664154726/resource_hacker_setup.exe?ex=66e30405&is=66e1b285&hm=ba785873f5f2849a947c27dba4aea532ae614cad56a320c07c77acd7341395b5&

Score

8^/10

defense_evasion discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
3736	resource_hacker_setup.exe
2316	resource_hacker_setup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 23 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Resource Hacker\samples\is-N8OOJ.tmp	resource_hacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\is-CTT8T.tmp	resource_hacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\is-O3BL7.tmp	resource_hacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\is-K2I2E.tmp	resource_hacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\help\is-7H67B.tmp	resource_hacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\help\is-3JCJE.tmp	resource_hacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\help\is-GQUJ4.tmp	resource_hacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\samples\is-EGSO5.tmp	resource_hacker_setup.tmp
File opened for modification	C:\Program Files (x86)\Resource Hacker\unins000.dat	resource_hacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\samples\is-L05U1.tmp	resource_hacker_setup.tmp
File opened for modification	C:\Program Files (x86)\Resource Hacker\ResourceHacker.exe	resource_hacker_setup.tmp
File opened for modification	C:\Program Files (x86)\Resource Hacker\samples\sample2.dll	resource_hacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\unins000.dat	resource_hacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\is-SMKU2.tmp	resource_hacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\help\is-02G6M.tmp	resource_hacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\help\is-0QR1S.tmp	resource_hacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\samples\is-DARUH.tmp	resource_hacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\help\is-LNLHL.tmp	resource_hacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\help\is-T27RU.tmp	resource_hacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\help\is-US1GJ.tmp	resource_hacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\help\is-CKTSO.tmp	resource_hacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\help\is-CLQPE.tmp	resource_hacker_setup.tmp
File created	C:\Program Files (x86)\Resource Hacker\samples\is-25NFN.tmp	resource_hacker_setup.tmp

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\resource_hacker_setup.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	resource_hacker_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	resource_hacker_setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133705418234105037"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings	resource_hacker_setup.tmp

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\resource_hacker_setup.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2616	chrome.exe
2616	chrome.exe
2316	resource_hacker_setup.tmp
2316	resource_hacker_setup.tmp
2616	chrome.exe
2616	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2616	chrome.exe
2616	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe
Token: SeShutdownPrivilege	2616	chrome.exe
Token: SeCreatePagefilePrivilege	2616	chrome.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2316	resource_hacker_setup.tmp

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe
2616	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 3304	2616	chrome.exe	80
PID 2616 wrote to memory of 3304	2616	chrome.exe	80
PID 2616 wrote to memory of 844	2616	chrome.exe	82
PID 2616 wrote to memory of 844	2616	chrome.exe	82
PID 2616 wrote to memory of 844	2616	chrome.exe	82
PID 2616 wrote to memory of 844	2616	chrome.exe	82
PID 2616 wrote to memory of 844	2616	chrome.exe	82
PID 2616 wrote to memory of 844	2616	chrome.exe	82
PID 2616 wrote to memory of 844	2616	chrome.exe	82
PID 2616 wrote to memory of 844	2616	chrome.exe	82
PID 2616 wrote to memory of 844	2616	chrome.exe	82
PID 2616 wrote to memory of 844	2616	chrome.exe	82
PID 2616 wrote to memory of 844	2616	chrome.exe	82
PID 2616 wrote to memory of 844	2616	chrome.exe	82
PID 2616 wrote to memory of 844	2616	chrome.exe	82
PID 2616 wrote to memory of 844	2616	chrome.exe	82
PID 2616 wrote to memory of 844	2616	chrome.exe	82
PID 2616 wrote to memory of 844	2616	chrome.exe	82
PID 2616 wrote to memory of 844	2616	chrome.exe	82
PID 2616 wrote to memory of 844	2616	chrome.exe	82
PID 2616 wrote to memory of 844	2616	chrome.exe	82
PID 2616 wrote to memory of 844	2616	chrome.exe	82
PID 2616 wrote to memory of 844	2616	chrome.exe	82
PID 2616 wrote to memory of 844	2616	chrome.exe	82
PID 2616 wrote to memory of 844	2616	chrome.exe	82
PID 2616 wrote to memory of 844	2616	chrome.exe	82
PID 2616 wrote to memory of 844	2616	chrome.exe	82
PID 2616 wrote to memory of 844	2616	chrome.exe	82
PID 2616 wrote to memory of 844	2616	chrome.exe	82
PID 2616 wrote to memory of 844	2616	chrome.exe	82
PID 2616 wrote to memory of 844	2616	chrome.exe	82
PID 2616 wrote to memory of 844	2616	chrome.exe	82
PID 2616 wrote to memory of 1928	2616	chrome.exe	83
PID 2616 wrote to memory of 1928	2616	chrome.exe	83
PID 2616 wrote to memory of 4828	2616	chrome.exe	84
PID 2616 wrote to memory of 4828	2616	chrome.exe	84
PID 2616 wrote to memory of 4828	2616	chrome.exe	84
PID 2616 wrote to memory of 4828	2616	chrome.exe	84
PID 2616 wrote to memory of 4828	2616	chrome.exe	84
PID 2616 wrote to memory of 4828	2616	chrome.exe	84
PID 2616 wrote to memory of 4828	2616	chrome.exe	84
PID 2616 wrote to memory of 4828	2616	chrome.exe	84
PID 2616 wrote to memory of 4828	2616	chrome.exe	84
PID 2616 wrote to memory of 4828	2616	chrome.exe	84
PID 2616 wrote to memory of 4828	2616	chrome.exe	84
PID 2616 wrote to memory of 4828	2616	chrome.exe	84
PID 2616 wrote to memory of 4828	2616	chrome.exe	84
PID 2616 wrote to memory of 4828	2616	chrome.exe	84
PID 2616 wrote to memory of 4828	2616	chrome.exe	84
PID 2616 wrote to memory of 4828	2616	chrome.exe	84
PID 2616 wrote to memory of 4828	2616	chrome.exe	84
PID 2616 wrote to memory of 4828	2616	chrome.exe	84
PID 2616 wrote to memory of 4828	2616	chrome.exe	84
PID 2616 wrote to memory of 4828	2616	chrome.exe	84
PID 2616 wrote to memory of 4828	2616	chrome.exe	84
PID 2616 wrote to memory of 4828	2616	chrome.exe	84
PID 2616 wrote to memory of 4828	2616	chrome.exe	84
PID 2616 wrote to memory of 4828	2616	chrome.exe	84
PID 2616 wrote to memory of 4828	2616	chrome.exe	84
PID 2616 wrote to memory of 4828	2616	chrome.exe	84
PID 2616 wrote to memory of 4828	2616	chrome.exe	84
PID 2616 wrote to memory of 4828	2616	chrome.exe	84
PID 2616 wrote to memory of 4828	2616	chrome.exe	84
PID 2616 wrote to memory of 4828	2616	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1253355272668319746/1283444163664154726/resource_hacker_setup.exe?ex=66e30405&is=66e1b285&hm=ba785873f5f2849a947c27dba4aea532ae614cad56a320c07c77acd7341395b5&
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd0d9fcc40,0x7ffd0d9fcc4c,0x7ffd0d9fcc58
  2⤵
  PID:3304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1824,i,3599799819782438989,16700747695373727880,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1820 /prefetch:2
  2⤵
  PID:844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1380,i,3599799819782438989,16700747695373727880,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2104 /prefetch:3
  2⤵
  PID:1928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2176,i,3599799819782438989,16700747695373727880,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2352 /prefetch:8
  2⤵
  PID:4828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3064,i,3599799819782438989,16700747695373727880,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3088 /prefetch:1
  2⤵
  PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3080,i,3599799819782438989,16700747695373727880,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:3340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4688,i,3599799819782438989,16700747695373727880,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4836 /prefetch:8
  2⤵
  PID:1916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4804,i,3599799819782438989,16700747695373727880,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4976 /prefetch:8
  2⤵
  PID:4148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5184,i,3599799819782438989,16700747695373727880,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5144 /prefetch:8
  2⤵
  PID:3024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4320,i,3599799819782438989,16700747695373727880,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5112 /prefetch:8
  2⤵
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5280,i,3599799819782438989,16700747695373727880,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4660 /prefetch:8
  2⤵
  PID:3680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5216,i,3599799819782438989,16700747695373727880,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5256 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:2088
- C:\Users\Admin\Downloads\resource_hacker_setup.exe
  "C:\Users\Admin\Downloads\resource_hacker_setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3736
- - C:\Users\Admin\AppData\Local\Temp\is-ICP7O.tmp\resource_hacker_setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-ICP7O.tmp\resource_hacker_setup.tmp" /SL5="$A0262,3411549,870400,C:\Users\Admin\Downloads\resource_hacker_setup.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:2316
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files (x86)\Resource Hacker\ReadMe.txt
      4⤵
      System Location Discovery: System Language Discovery
      PID:724

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Resource Hacker\ReadMe.txt

Filesize
1KB

MD5
eee9717c2fd4f926c23b6fbbd7174be5

SHA1
1596921b80753e25dacff3499a8ecd3e81e6d7c9

SHA256
afe15bbaef0dd02cdefdd6b366084a838ea40e29c21173d68d28cb629cf69203

SHA512
778f84fb27cba9b2283b468859e740418a2ed3aef5f087a7a554b91224f88ebe244d36ead138b8c4d8ebf00f98661dd3a60fa3681f3717e84ad9f73169942e0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
7bac412f6b1b9493d4a7b20f389cabb3

SHA1
438041c7c4263dc4897119bb5bd7f60e7cb25f33

SHA256
2408cee6f03681fca451ca330126388cabe1ca93333561ae3993ad1efd60d817

SHA512
64bca4f835eebf9fa6ba6a65e0717d90e15144a0e02dc89ffbb25caa3cd46a98b3a0543b4b94e82546d4bb17571bb285a93d1ea55a765bd643a4ee4c0ca5e323

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
7e9fe9d8884623a4d0c26b62c099d35f

SHA1
d0581ea56ad070ed067d0d2e0e0ad8aeb53d4311

SHA256
90c74823d6d1bda58675bd5fc32871e46e91b8ef08b4ff71ca335c8b013aa240

SHA512
9127c92806460c33a1ca5755d7318f49fa42be6edac43d04af2d19b15b40d29c04e8056f66f782ddb7ce7dbd7869c36389d6044b30c3183725362cb0edb3e742

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fb0a7025e342126465931a139fb58cb9

SHA1
9d578897379092d8a32ce13ab251c5c3f8fd557b

SHA256
ae2071f1ddf9f47241ab80c986531819a073bef8e1fc72be9cd39e833fc5654b

SHA512
1b745b3dd83e5bd7e8a8081f2ee35fcbaaf48491838bcdcac13a4eeeec2d4b9f68d65657e34499b7455894ce7e618feca8806c62acf6c740b278df02df0b63fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
16800afe649d28ac746a3a8f9390fa9b

SHA1
647a37ef5ae48f7131339dc9f58d2b2a1187e6dc

SHA256
2bb902a384c0f1093e954c39043241bf859a79cb9a43d9f3275640b712176f7c

SHA512
dd3b793f604959a436a40088faf704e2efbe79fd57c72aa1ae3211f993e48e9e9a6a9cc221593a2d9484fefc32c17d62e386c4bd7a063098d6ff667c6be88912

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c7908480d87ebd32ca0acc246b2ac804

SHA1
fa103aef7ecb2d613c2f09603788f58d3dd23a5d

SHA256
eb610d8c86253e7f0c044cc96142c1980e55e6bb3ce04464b5445410fac1205c

SHA512
0c5f3d25e213c5f3c5b96736c2b824b9714a65fa2b96aaebf2c9ac0549acfc622ea72ee54a741494c957b19fe6d0e085e8bf6b26701ba46ec1668b97c64d7b48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
95639a0a38c918aaeb05274c55b55d85

SHA1
40c790838b4389cd6d6ed71060329424f090633e

SHA256
533be08690d6d6677a13428a4555e2f879403e5e7fe13d28249a2818cc985392

SHA512
c31ef91f2a5e4e764b98ecdfa327449f6784675d80bc0cc4db8e1972eabd9167885f776b4ec0bd7ac788c33fca8bf56d435b38a17e04c7ea762ebb01ad5e88fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0ac181093a27095e34c6045844fa4771

SHA1
71bc820c3028ae076513402f275edd27f6759e37

SHA256
0857f962f7d8615ea56ebd843b6903ddb2808abab56067bbbaac989cf4e83e60

SHA512
233e280db5bc12c68c27329b04a2d2951170b3f865ac3058c037fe0b92ff012c9e802136f4faf6e6226d9c44a844083bf9e86909b7e5f4ddfe55576d7b7f48c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
31cb28272bf99f2359491253aafe6108

SHA1
21c48085761fbf69e0c36b595d22a19774b8f112

SHA256
92d83e9422a57e2791aab75e366812bc7e95cac197c7e8a79571796b30886a34

SHA512
3d12d6e5d389330fa3674908b73d2a68e23d41a07631fd1aefb64d518458eba3c08199697fb91f2e55a3f2cecce1dce5ff669d8d0e706709b16f4801ff5f391d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d43a7ee7b7012c8fddee817fc5f0b191

SHA1
dc4a1531939b9d7ac731061dc3d7cff16ab252b2

SHA256
55eef005cb08e7759ba11459eb67f8b4aac0156f8904ac0b0d5cb3a9e333dcad

SHA512
4edfddf32909bf0f89d62276112d31b5f5b75010705ba73f8ee17bbaf52576a8ffada34b00eddd6671af00572d6df298bb24211f329d66bff8ce85b0560deb90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
126KB

MD5
1c2fed9358589ab312d0a09c7f2c217d

SHA1
e706cc05348bb4054f7f4b6d1601bb9b074166f2

SHA256
3bd854a2d57a69015d38794905978913a978646fbabd571510876b62172e533b

SHA512
0d0bb5055b7512bfe2fb7b82db852d0b20afe2a0fc9d52da2d974dff00c81bf5a92e861b65b8db1bb1fb6e17d09f004766aedc4b7ef1e24b8c43f241e5cc0363

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
f2c74c69676f4ecefbfe945fc373c266

SHA1
3086ca5961c784acc256dc0ed6aae3b912b5a2bb

SHA256
a232f4afcb5f723f08c09f133b4d79eb423719ebe07b929ea54caa80970ea0b1

SHA512
a9ba1c438a95cd9be15b0ac14ab98eec042c6c5eebb5d085ef01890f28d2d0cd093d6c0ee4801a7d9e2d781376e4f2ce083d8814d6b811d00a9522b967e5ae1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
29b9b2aa4362d2ed40724b0ef780d355

SHA1
9137724d9cdf2ebf481a47f02e0e03d1b759f1a9

SHA256
226ec2b857eec7d706de814fea408a1c6e5ca24d8c3dc227d7c318059160d8a0

SHA512
7c2e9e530663404e7fb4e30dbe024a784bdda4e16840e428ed80084d579ce8eaa21bd6633785a9b47ef4e3a4e81add67b1074d744c27c2ae77eae177a7733fb7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
efb28ae84c4d7241e4d8e6b07f6cade6

SHA1
a182208bab9d005353c63e0785ed6c67ea7051ce

SHA256
abfdba3c99074aabe5d052dabb0bb277ec7d9e5d32ec2b64aa77237c415d7cfd

SHA512
5544f8286c1d4ef87f46849f3057e4a8f524664bb7a9e6a2cdde10fee6e25fedc0b3243df8dccbcbdb4a57b31c618526e4ab19fd7f3101bd60c430963663178a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
d07d177ce7c93185cc561bb4bc7ce208

SHA1
46a35ee7f72a74a9c9d4a9e4be5f93a6001b4d5d

SHA256
22c1784227c96788c8367795c6d2cfd1debcb232b1702779823dc0f2b97dc313

SHA512
9f645bff100425f380c4a4078426c60a587f7594a32fe4ef38f6a580929de5fba861a3ba1ad35121e8528d4af9c1779ac63d6b44cd14781973c8ad4b0407f226

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ICP7O.tmp\resource_hacker_setup.tmp

Filesize
2.5MB

MD5
3baaf568aa5142e9eeed4ec6cdd764b7

SHA1
089ec2257a57c0f2ee913a94e61c1c8272de6290

SHA256
153efbe85cecec3149664254a856440fbb6a3c8f3f287a97f373b3353e816268

SHA512
4a30732ea3c5a2e8529eab69761a25862c87935fc3842b48d515901669725ff070527ccd61dd602dfced94cd504b7ff2861f43ffba1ead6569b8b26544845287

Download Submit
C:\Users\Admin\Downloads\resource_hacker_setup.exe

Filesize
4.0MB

MD5
e846ef7353af351ad4a6e1d49638b500

SHA1
c08392c797fcea5147b3f0d7e07f57eedc323911

SHA256
080e97f7c198aeeac2a172f055c09d8da365b59b58bf6a71bde4486d9992ff66

SHA512
e73bd521a157af4388b7c0d3bff5b34a4a547b8083137a4b48d0c232562d5932c7bb89b6700778246b895d7b9d1ba59050f3a631dfd436f64b5ff9ecf7934ec5

Download Submit
C:\Users\Admin\Downloads\resource_hacker_setup.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/2316-148-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/2316-98-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/3736-149-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/3736-93-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/3736-91-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download