1edc8771e2a1a70023fc9ddeb5a6bc950380224b75e8306eb70da8eb80cb5b71

Resubmissions

28/09/2024, 06:57

240928-hq9dbasekr 3

28/09/2024, 06:54

28/09/2024, 06:52

28/09/2024, 06:48

28/09/2024, 06:43

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
28/09/2024, 06:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LoveYou.exe
Size

22KB
MD5

31420227141ade98a5a5228bf8e6a97d
SHA1

19329845635ebbc5c4026e111650d3ef42ab05ac
SHA256

1edc8771e2a1a70023fc9ddeb5a6bc950380224b75e8306eb70da8eb80cb5b71
SHA512

cbb18a6667b377eb68395cfd8df52b7d93c4554c3b5ab32c70e73b86e3dedb7949122fe8eea9530cd53944b45a1b699380bf1e9e5254af04d8409c594a52c0e7
SSDEEP

384:o4LBivz/4RHCxN3IBUDzfGWCw2cKgDwg7dEsL9s+cLUoHl:o4LBu74Ro9ImnfGWJ2cKgsgZDW+cLUe

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LoveYou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niko Tools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133719797096686752"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Client-upd.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2728	chrome.exe
2728	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1924	MiniSearchHost.exe
232	Niko Tools.exe
3868	javaw.exe
3868	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 4808	2728	chrome.exe	81
PID 2728 wrote to memory of 4808	2728	chrome.exe	81
PID 2728 wrote to memory of 472	2728	chrome.exe	82
PID 2728 wrote to memory of 472	2728	chrome.exe	82
PID 2728 wrote to memory of 472	2728	chrome.exe	82
PID 2728 wrote to memory of 472	2728	chrome.exe	82
PID 2728 wrote to memory of 472	2728	chrome.exe	82
PID 2728 wrote to memory of 472	2728	chrome.exe	82
PID 2728 wrote to memory of 472	2728	chrome.exe	82
PID 2728 wrote to memory of 472	2728	chrome.exe	82
PID 2728 wrote to memory of 472	2728	chrome.exe	82
PID 2728 wrote to memory of 472	2728	chrome.exe	82
PID 2728 wrote to memory of 472	2728	chrome.exe	82
PID 2728 wrote to memory of 472	2728	chrome.exe	82
PID 2728 wrote to memory of 472	2728	chrome.exe	82
PID 2728 wrote to memory of 472	2728	chrome.exe	82
PID 2728 wrote to memory of 472	2728	chrome.exe	82
PID 2728 wrote to memory of 472	2728	chrome.exe	82
PID 2728 wrote to memory of 472	2728	chrome.exe	82
PID 2728 wrote to memory of 472	2728	chrome.exe	82
PID 2728 wrote to memory of 472	2728	chrome.exe	82
PID 2728 wrote to memory of 472	2728	chrome.exe	82
PID 2728 wrote to memory of 472	2728	chrome.exe	82
PID 2728 wrote to memory of 472	2728	chrome.exe	82
PID 2728 wrote to memory of 472	2728	chrome.exe	82
PID 2728 wrote to memory of 472	2728	chrome.exe	82
PID 2728 wrote to memory of 472	2728	chrome.exe	82
PID 2728 wrote to memory of 472	2728	chrome.exe	82
PID 2728 wrote to memory of 472	2728	chrome.exe	82
PID 2728 wrote to memory of 472	2728	chrome.exe	82
PID 2728 wrote to memory of 472	2728	chrome.exe	82
PID 2728 wrote to memory of 472	2728	chrome.exe	82
PID 2728 wrote to memory of 4336	2728	chrome.exe	83
PID 2728 wrote to memory of 4336	2728	chrome.exe	83
PID 2728 wrote to memory of 1180	2728	chrome.exe	84
PID 2728 wrote to memory of 1180	2728	chrome.exe	84
PID 2728 wrote to memory of 1180	2728	chrome.exe	84
PID 2728 wrote to memory of 1180	2728	chrome.exe	84
PID 2728 wrote to memory of 1180	2728	chrome.exe	84
PID 2728 wrote to memory of 1180	2728	chrome.exe	84
PID 2728 wrote to memory of 1180	2728	chrome.exe	84
PID 2728 wrote to memory of 1180	2728	chrome.exe	84
PID 2728 wrote to memory of 1180	2728	chrome.exe	84
PID 2728 wrote to memory of 1180	2728	chrome.exe	84
PID 2728 wrote to memory of 1180	2728	chrome.exe	84
PID 2728 wrote to memory of 1180	2728	chrome.exe	84
PID 2728 wrote to memory of 1180	2728	chrome.exe	84
PID 2728 wrote to memory of 1180	2728	chrome.exe	84
PID 2728 wrote to memory of 1180	2728	chrome.exe	84
PID 2728 wrote to memory of 1180	2728	chrome.exe	84
PID 2728 wrote to memory of 1180	2728	chrome.exe	84
PID 2728 wrote to memory of 1180	2728	chrome.exe	84
PID 2728 wrote to memory of 1180	2728	chrome.exe	84
PID 2728 wrote to memory of 1180	2728	chrome.exe	84
PID 2728 wrote to memory of 1180	2728	chrome.exe	84
PID 2728 wrote to memory of 1180	2728	chrome.exe	84
PID 2728 wrote to memory of 1180	2728	chrome.exe	84
PID 2728 wrote to memory of 1180	2728	chrome.exe	84
PID 2728 wrote to memory of 1180	2728	chrome.exe	84
PID 2728 wrote to memory of 1180	2728	chrome.exe	84
PID 2728 wrote to memory of 1180	2728	chrome.exe	84
PID 2728 wrote to memory of 1180	2728	chrome.exe	84
PID 2728 wrote to memory of 1180	2728	chrome.exe	84
PID 2728 wrote to memory of 1180	2728	chrome.exe	84

C:\Users\Admin\AppData\Local\Temp\LoveYou.exe
"C:\Users\Admin\AppData\Local\Temp\LoveYou.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xe4,0x108,0x7ffcb649cc40,0x7ffcb649cc4c,0x7ffcb649cc58
  2⤵
  PID:4808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1844,i,12944768821441704263,8365213694920770508,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1840 /prefetch:2
  2⤵
  PID:472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2112,i,12944768821441704263,8365213694920770508,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2120 /prefetch:3
  2⤵
  PID:4336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2204,i,12944768821441704263,8365213694920770508,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2148 /prefetch:8
  2⤵
  PID:1180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,12944768821441704263,8365213694920770508,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,12944768821441704263,8365213694920770508,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3504,i,12944768821441704263,8365213694920770508,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4088 /prefetch:1
  2⤵
  PID:1068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4580,i,12944768821441704263,8365213694920770508,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4588 /prefetch:8
  2⤵
  PID:608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4712,i,12944768821441704263,8365213694920770508,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4728 /prefetch:8
  2⤵
  PID:3572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4564,i,12944768821441704263,8365213694920770508,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4948 /prefetch:8
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4612,i,12944768821441704263,8365213694920770508,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4696 /prefetch:8
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5028,i,12944768821441704263,8365213694920770508,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4640 /prefetch:1
  2⤵
  PID:3332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4840,i,12944768821441704263,8365213694920770508,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=224,i,12944768821441704263,8365213694920770508,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3456,i,12944768821441704263,8365213694920770508,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3772 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3432,i,12944768821441704263,8365213694920770508,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3216 /prefetch:8
  2⤵
  - NTFS ADS
  PID:1372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5292,i,12944768821441704263,8365213694920770508,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3796

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4568

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1924

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1476

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Client-upd\README.txt
1⤵
PID:3896

C:\Users\Admin\Downloads\Client-upd\Niko Tools\Niko Tools\Niko Tools.exe
"C:\Users\Admin\Downloads\Client-upd\Niko Tools\Niko Tools\Niko Tools.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:232
- C:\Users\Admin\Downloads\Client-upd\Niko Tools\Niko Tools\jre\bin\javaw.exe
  "C:\Users\Admin\Downloads\Client-upd\Niko Tools\Niko Tools\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Users\Admin\Downloads\Client-upd\Niko Tools\Niko Tools\Niko Tools.exe" org.develnext.jphp.ext.javafx.FXLauncher
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
f7a0ef1aafb3afdeb9d3cd387a921977

SHA1
a1b719e3664058d8f1441deec5967b8f681c61c3

SHA256
5096114fbdf8bac05c049f19668b91037a4650112e5046f85f936e787c8cb14d

SHA512
721eccee1c9d04487b79aa532c44a124f7e18ca16810efd3e3984305e72c2ccfd1cdf59f7192a47614c264747e641c4b51c222a6377af550b24e860bdb4492e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
ab03fcfda267484b7c898bdcbe3393c3

SHA1
1e65d6da35c4f30e047b72349946ddb36b841d5c

SHA256
4e14437a466dc5403d7f461e0ccb4c92d74f38d6385346dc096e26f6d4d1b2af

SHA512
e7e933f79e5665722d5fa54f416dce31e304fd9038f68a04ca5e30050d0c419a6d2748a923f2807a43fe8a817df38e03730011a3135eb206c81854c2d70ba320

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
5d29ec50d3130d5fcfcd2d36f4c5e328

SHA1
5e6b618ec8f4706b3e5b9f2fba4d5db12b785883

SHA256
ca13d827d3dcecbf10f8bf1af1dccca1c6190c07e24aa663c5e3b0a34585d9d0

SHA512
6800e145ba41695f3936d93288e66cab686bf901df0556938c412ff3ba0300f4265b9873b4d0bc840c1003a24feb258d50dc2b3375d80b622baea50f16be8292

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
703692e4bac989119f087344877f7d45

SHA1
c84bc96a663764c023f5d1c9f647e1a2d1dbef8d

SHA256
1b2330633af0778a06638b23c0978e5f43b9a974eb36dc6cbb5c8f9c13d272a5

SHA512
fbf6734b30427e78009bade6bf20c9d87697c73f20c779771a1a58f3069c33f43d1e6013072c3f6ef71ff9900ae36659e9b032c5744bdca58561568902e03ba6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
860B

MD5
c4f89359c96815cd039093a7de82887a

SHA1
5ab0bff6543bfe1b7cfb15cab0e3c75052d67989

SHA256
28e0963c25f36baa4b318f09a9a12ff650da531213b8cff271571b885674e5e3

SHA512
7223e378273c68c4797e20ad7bdde0b6a22d0468ee2f3a02ec841452dd0316d8c755345ce55a0628a9e76a12d84e0ac07b34a96b8cf2ebb7fd148c3dc7675a0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
860B

MD5
2f2d4acfbd879187fe099c20247a1ab8

SHA1
2945860c89d6bd74d99f842e2cca5dcbe8567a49

SHA256
ca03cb1ff9a9711333e08f5ed02e0391f8f2fc117f84c890127948887b8d55c4

SHA512
5f449fdbb2907a79206a2dd2e1130208972f41107618c8f3ec0acb7ebb8d860b7dcf7c124ff0b7cc1f000c0737bce9c30411b33a72e3476f16d979deba2b97e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
860B

MD5
6486aac7c17e1459f00c3383c9874f30

SHA1
3e6556b389158ae2992abbcf8b8e76008dec74bd

SHA256
09aad15309c268acb93f4995cd5a1fd937c1016e682a831d3904c1a55609806c

SHA512
b05f4f97eab9ec9467c62e201d15a8f14e8a713b882956598ac673e9f1b6a64521fab1af7f669063864017ffafc67ac6441f1dd7d429b97bd6c2f6c65508e6cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
860B

MD5
ea2ae88c57b26a913546d636136e3220

SHA1
5ee415a13f35bd65b5734ec83c2f34f2a5f142f7

SHA256
0509f7f4aa91013b36b011f0f2ae8a65416160c38ca0500989c9d0d9d71e6562

SHA512
174291f1ab13cd656743a6bdf934feac5b41cb68269756c59ac163bc58599d82ac97431842f1b95d865c7476c0ac9111e2f4da765b2576f3e1b451f7fadd40fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
d2d710d2d47c29a643f6ad68cfa2bf9e

SHA1
7e386ed5e4b37436896bfe61d915bf4f8de943bc

SHA256
cf2a9eccc23240a93faa514f4db1af6f67c94b8b5f2740474f18cf4ec4122cda

SHA512
419cc194e6dd7e356021df86f0d298280d271bbebffd17bf2752901dcf050ccba1c1fe98fb738c074b3b56e23f8b5e33e09b5c72d2494e73d49e661304ca5f7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
860B

MD5
808bf2fc68ea9b451fc843b8be051c9b

SHA1
e53a70307f15e7a151effab9dfd8d4ca5460e2c2

SHA256
48129c24e1d58e2a4ae9a29ab917fcfe91745f0d81e852a0b55e28f2f683cdf7

SHA512
efc6ee44d59883f9aa18002b99f96007b0de3bffade761536b009b72c6a754d7734b5b85f07bb44c3ecbd77b0b8dedb0b04d974bb1efa99882adc1425133f0b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
860B

MD5
7323d2e6f8897126010eb45f9f482fde

SHA1
477f61c1d6af487ebdf0732c4be82339abeef158

SHA256
a4fcd287ed855d7c5f1b9d9f2d775974f80eb0bb4b8b2822d39686bbb43eb025

SHA512
5598287f36b297dd16fcbc0b4cf0fac1e165c9167d1d43b75100cb8a48fc6c2b18bcc8f273fffb2b00426ae4b18847301279b7d31307027f7501b4609b74bbcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
860B

MD5
cce76649388e26c145b4367c1cc71435

SHA1
1a0c84285a765b0913bc3978a1cd2c3040472a6b

SHA256
b8616ed276d30561a2ee66dbad65d8eb07fa1456a003f7542dc5815562ce8d5f

SHA512
a28a05d433d4d29846e1a937592b55724a74f70445590aeffe647950b09ba38fa317fbca8e6f23791dbba6ffc3a7176da6eb7d5c02130be82b6d0794dff2ad3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0129039fa5aa8f84f60a1e0d48ab20d2

SHA1
0cb581ffbbbd55b4d694ce966ad3d3efbf9a9841

SHA256
dd499a1fdf9f07c5227429811a7388f82a597213d3db02d7216e9d4bf19e234d

SHA512
4a32037bfae5290841219f2c7c1d0c3ae499a764f0ada2ec4f11b7b18cdba206bc00603d821282781cf8c9581b86463a9c866cedecbeaeef059f7cf7c77a3b36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3d44a399683543890e8a1ca274c0ba92

SHA1
515f8224d0871c090e8c1e938e78ce99ebfa9616

SHA256
c070f3835767279896e6e1000b306a3fcbc142abd25be10d6a0aa6b70e60e771

SHA512
4d68f91f127dd1dcb33ba179c58b9b952ac05d8229b58922a5a89fc682d2004497e0e6b3812679f11c413b0ddf650e41e5d254955cfdaaaf55a96c22bf9b7b92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e9a2ef2ef2864476ec8397cb3319148c

SHA1
63e5bf37571fa1f7465aedc746f14a09c210a006

SHA256
9b761d6d5d5064e181f0d23b1585eae0849dc21b14a2dbc92d1fe46cb7b972e6

SHA512
936ee7f7555dd80c2d37cabe00e020eb20f3ddce87e1ced8b6dbba26fcf9c95b675f70f9c5c38f08ef1e6e070bcb27ca7cb3795effdc5a9b213a19ebfeeb5768

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
82290118809d9e234d0098e9f2e4e770

SHA1
f9d87228ee77080b34652f8d5db39365f54dd0d0

SHA256
b47a131cf43aa0b474d6582f6b0ca11eb13028d29702c5d7934057082228d7f5

SHA512
5068d9181c8e7490e632b6b0b1ac78b4089a3e96fe332e4b4baa6c02552d525ffe272072cd2dd66d61517426445879e9df6287aa1d7237113feca73f5df68466

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a97e7d0652fbde43285ef41237bccb52

SHA1
85efe28d32a8a331ded10c79144b817a7a3f0bc8

SHA256
6b53c024fe07b6ab795925c5fca3dacdc61dbf5e6eb83f4f515f488681e9324f

SHA512
24d44073be506b8312c6315f6b2c1c106fcd5f659f7eac3700cc5c992073ebe2dc14735db7a712b379432fdb2f5aff63f8ff5d06fdf5becf17e57dcc61f74107

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4244055046177ca6c012dbe868d318ed

SHA1
6356ef2ebab5a7477b69d8b3cb8da825ff8b391c

SHA256
b70f97822c55a27e032dca8cd85265b2b2f4e27792bc2c154ee2e9af77cf0c0f

SHA512
2f49f5fffcbdbf7779161fe5495c5b1210b4a98d264b70b24e7c694d42632fbd2c426d4a2b4920afa9db3f00cf9e2fe9dd818eef83afb06abb3576157a2ccab0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d405093f3487453e771b1765328ba1f3

SHA1
ad14fa0316121b5e246c176aa2efe388c16e4a0d

SHA256
a4a59da8ed80bcaf0bb14adabd9e7518dde930f5b8eb5c066b3c244456ee3796

SHA512
0acdf9cdf21759797ab15c0f2ef802ad6fdb39d4ce722d45dd39a2feffa2694411cf2932f369cff12a734bd79440fed969fa31217c97f3c9e07f9637df2af116

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4d4e9786da4e7794e650195594ca9ad4

SHA1
7cbe8fbcf8e05075f7ea882d0cf4168a1ad1729b

SHA256
2ea1c1b9a18b8c35c0cba849c2aa90b9697fabc01a6847099408fd0d85466c4d

SHA512
b100b0776515f06ee0cc511ce9210f4c6f10d6a27f6bf439f9c7cff67a12077cce8d4d3cd8de27c21bae92a7a834161c4f010c5109ff552c4436fce10c78a783

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
07db03f3eb170a2644896afeba2a70cd

SHA1
614b1592cb4a93e2ec0f31c0533b9db99954d3c2

SHA256
c327fe9fcb8054567b55b46e311c8735e4c964afc8e0450543818b6e8b420af2

SHA512
0b43b89f322ba488dcdc728143ccf673a2cf4e88d5c4cf35edc42f7ede0c8a8e41c9ecc26eeee57bf94e8a75188576b263f274752d1572291a329b081bb742af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
8bc02c661955bd473819688dc242de83

SHA1
f5de764e0cc96c561ccf0cb1107373ecf997fc87

SHA256
b121ed814fa26fa9c749d00f08130773f140f2c156ce872ac70b3455b6f90543

SHA512
637bf03d91cb216d68b5e45e51c8673cb6b417a62403192c9cb5d161e5093410f5889e6264895fbde83876686fc776c439dd88b6009a8663e0b13a5d27e00a88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
cdf3faf06b75df66bef7dbaf4811bdac

SHA1
9452ce6be88492b4af04fa456a307c7ade63aaec

SHA256
29e848bfd790ae2fb8ab5fae93a5cfb214ba9ab8ebd7ba93b533e23c7829d84f

SHA512
86d6ba900946013c5e322ab624e78d9706523dbdf4382eeb481cecea08a8a996fb79df22aa088a3c303fb40e4d719c26301ca3d6dc45d311edd9a3a2a93ad6fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
130275790eabc057af38f9c2d96c622b

SHA1
215bc667df28aa6234810acecf58a315324925b1

SHA256
8947bfb371012789bb16286d2935ce459d6882b196d7dabc238577580e5361c8

SHA512
3e8a02470035f446e27fea080411fd98e58d8f55a9ac3dad632e7ec54c54f456247b6517bde9f74a499f83faed2dd0fd24342b767db35e84323917460446e063

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
a7f391566ceb7d310b04c1376aa66a07

SHA1
eda88e9134d3de209152481c9e8aa02054d4c2eb

SHA256
8ecb81fa22792fa6bb09abc86b9b5afb50773e2c5537def45dd8ba297f6c714e

SHA512
163bad20eaa9108286367367e6a54a9ac612026954ee2466b8f88f732a992695fe160d3fb5f092976ef15c1c1b71400e577a9a4833dfa616d7c9ee6a8237033c

Download Submit
C:\Users\Admin\Downloads\Client-upd (1).zip.crdownload

Filesize
300KB

MD5
585fd1f4b2f148a2c75fde74687389eb

SHA1
c2b8c64144c988964c7229ae5384aafe73cba4b6

SHA256
b934b70f9dc1858b6f1e151551a60666633c8f8b954f6d31274bf694db53f921

SHA512
f6052fd1405a13c3c633481ee1cbe32a9f79807b56715e70b2a51b6d89cabaab7e4817fada249f835a64275ccb0fd44e13f44efed65dac5510600f903246f03a

Download Submit
C:\Users\Admin\Downloads\Client-upd.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/232-329-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3868-360-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3868-394-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3868-397-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3868-400-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3868-419-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3868-424-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download