Matches YARA, Sigma, IDS malware rules. Why mess with browser settings in the registry?

[Logic-Elliven]

When you are signed/logged in to Virus Total: (google's 'check against ~70 AVs and anti hack software site) VT says:

• Matches rule INDICATOR_EXE_Packed_Fody by ditekSHen from ruleset indicator_packed at https://github.com/ditekshen/detection
• Detects executables manipulated with Fody
• Matches rule INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL by ditekSHen from ruleset indicator_suspicious at https://github.com/ditekshen/detection
• Detects executables containing URLs to raw contents of a Github gist
• Matches rule User with Privileges Logon by frack113 at Sigma Integrated Rule Set (GitHub)
• Detects logon with "Special groups" and "Special Privileges" can be thought of as Administrator groups or privileges.
• Matches rule SURICATA STREAM excessive retransmissions at Suricata
• Generic Protocol Command Decode

• https://www.virustotal.com/gui/file/4d5bc15a1d8d1eb03df5c710ff23bd5f214a4d1f089c36d16aff54be241f2192

I'm no dev and I know YARA etc guys can be paranoid, so maybe the above is ok and part of what's reqd to make ComnpactGUI work, but why:

• Registry Keys Set
• HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon\state
• HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon\version
• HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\browser.show_home_button
• HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\default_search_provider_data.template_url_data
• HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings
• HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings\ahfgeienlihckogmohjhadlkjgocpleb
• HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings\gdaefkejpgkiemlaofpalmlakkmbjdnl
• HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings\gfdkimpbcpahaombhbimeihdjnejgicl
• HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings\kmendfapggjehodndflmmgagdbamhnfd
• HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings\mhjfbmdgcfjbbpaeojofohoefgiehjai
• HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings\neajdppkdcdipfabeoofebfddakdcjhd
• HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings\nkeimhogjdpnpccoofpliimaahmaaome
• HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings\nmmhkkegccagdldgiimedpiccmgmieda
• HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm

etc-etc..? I see NO reason to go messing with browser settings and installing extensions!?? All these extensions are malicious according to https://www.joesandbox.com/analysis/849478/0/iochtml https://www.virustotal.com/gui/file/4d5bc15a1d8d1eb03df5c710ff23bd5f214a4d1f089c36d16aff54be241f2192/behavior

Also; uploading CompactGUI.exe to VirusToatal gives the results for CompactGUI.dll .dll not .exe ...?

So whatTF's going on here!???

[Masamune3210]

I dont know what absolute pile of crazy is going on in that detection, but its false or at least being overly accusatory. I use CompactGUI all the time, and not once has it done anything involving Chrome or its extensions/settings. All it does is call into Windows's compression mechanics, it has no reason to know nor even to care about what chrome or any other browser is doing.

[Iridium-IO]

Yeah it literally doesn't touch those registry entries at all, not sure where that's coming from. In fact if you look at the full list of registry entries it is supposedly changing on VT, it include internet explorer, direct driver entries (including specifically Intel Xeon processors??). So yeah no idea where those are coming from, but at a guess maybe that's a .NET 6 thing?

Here's the source section so you can actually see what registry changes are being made, they're just enabling/disabling the context menu entry in explorer:

https://github.com/IridiumIO/CompactGUI/blob/653e7816dea1ae411b54d859e6e1268dbee1ef44/CompactGUI/Components/Settings/Settings_main.xaml.vb#L22-L51