eae46c15fad3b0623ed1c72949a4ae430f4efe1f22f935dda6f17fe746918595

Resubmissions

11/03/2024, 18:13

240311-wt6ngsac7w 9

11/03/2024, 18:06

240311-wp2tqsab5z 9

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
11/03/2024, 18:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

update.exe
Size

9.6MB
MD5

3b85c21e398ff87a3106a6d95dcfe422
SHA1

2984f55bcd09779f268cd1f3fc678d9b754170ba
SHA256

eae46c15fad3b0623ed1c72949a4ae430f4efe1f22f935dda6f17fe746918595
SHA512

60252f20cfe61bee1d622dcc7c99e53dab5ff7d9a9e00351b41cdd9b11dd4d0fc7dffc2eb0cdaeec7d4696d83e31ba273da089a79a0496a9be293ed978fe091f
SSDEEP

196608:23MHgPbf5cxqMYkdIMhr3IOJQ2/csUHXiDxyklIAjbvVrP8eYfUV:4ltSqMYHMhr3hnwHyDgklIAvVAhUV

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	update.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	update.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	update.exe

Executes dropped EXE 1 IoCs

pid	Process
4216	update.exe

Themida packer 25 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1756-1-0x00007FF6388E0000-0x00007FF63A043000-memory.dmp	themida
behavioral1/memory/1756-2-0x00007FF6388E0000-0x00007FF63A043000-memory.dmp	themida
behavioral1/memory/1756-3-0x00007FF6388E0000-0x00007FF63A043000-memory.dmp	themida
behavioral1/memory/1756-4-0x00007FF6388E0000-0x00007FF63A043000-memory.dmp	themida
behavioral1/memory/1756-5-0x00007FF6388E0000-0x00007FF63A043000-memory.dmp	themida
behavioral1/memory/1756-6-0x00007FF6388E0000-0x00007FF63A043000-memory.dmp	themida
behavioral1/memory/1756-7-0x00007FF6388E0000-0x00007FF63A043000-memory.dmp	themida
behavioral1/memory/1756-8-0x00007FF6388E0000-0x00007FF63A043000-memory.dmp	themida
behavioral1/memory/1756-9-0x00007FF6388E0000-0x00007FF63A043000-memory.dmp	themida
behavioral1/memory/1756-10-0x00007FF6388E0000-0x00007FF63A043000-memory.dmp	themida
behavioral1/memory/1756-11-0x00007FF6388E0000-0x00007FF63A043000-memory.dmp	themida
behavioral1/files/0x000700000002a7e8-73.dat	themida
behavioral1/files/0x000700000002a7e8-100.dat	themida
behavioral1/files/0x000700000002a7e8-101.dat	themida
behavioral1/memory/4216-103-0x00007FF6CD990000-0x00007FF6CF0F3000-memory.dmp	themida
behavioral1/memory/4216-104-0x00007FF6CD990000-0x00007FF6CF0F3000-memory.dmp	themida
behavioral1/memory/4216-105-0x00007FF6CD990000-0x00007FF6CF0F3000-memory.dmp	themida
behavioral1/memory/4216-106-0x00007FF6CD990000-0x00007FF6CF0F3000-memory.dmp	themida
behavioral1/memory/4216-107-0x00007FF6CD990000-0x00007FF6CF0F3000-memory.dmp	themida
behavioral1/memory/4216-108-0x00007FF6CD990000-0x00007FF6CF0F3000-memory.dmp	themida
behavioral1/memory/4216-109-0x00007FF6CD990000-0x00007FF6CF0F3000-memory.dmp	themida
behavioral1/memory/4216-110-0x00007FF6CD990000-0x00007FF6CF0F3000-memory.dmp	themida
behavioral1/memory/4216-111-0x00007FF6CD990000-0x00007FF6CF0F3000-memory.dmp	themida
behavioral1/memory/4216-112-0x00007FF6CD990000-0x00007FF6CF0F3000-memory.dmp	themida
behavioral1/memory/4216-113-0x00007FF6CD990000-0x00007FF6CF0F3000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	update.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	update.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1756	update.exe
4216	update.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133546540810869672"	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\update.php:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2676	chrome.exe
2676	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1756	update.exe
Token: SeDebugPrivilege	1756	update.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 3912	2676	chrome.exe	97
PID 2676 wrote to memory of 3912	2676	chrome.exe	97
PID 2676 wrote to memory of 2556	2676	chrome.exe	98
PID 2676 wrote to memory of 2556	2676	chrome.exe	98
PID 2676 wrote to memory of 2556	2676	chrome.exe	98
PID 2676 wrote to memory of 2556	2676	chrome.exe	98
PID 2676 wrote to memory of 2556	2676	chrome.exe	98
PID 2676 wrote to memory of 2556	2676	chrome.exe	98
PID 2676 wrote to memory of 2556	2676	chrome.exe	98
PID 2676 wrote to memory of 2556	2676	chrome.exe	98
PID 2676 wrote to memory of 2556	2676	chrome.exe	98
PID 2676 wrote to memory of 2556	2676	chrome.exe	98
PID 2676 wrote to memory of 2556	2676	chrome.exe	98
PID 2676 wrote to memory of 2556	2676	chrome.exe	98
PID 2676 wrote to memory of 2556	2676	chrome.exe	98
PID 2676 wrote to memory of 2556	2676	chrome.exe	98
PID 2676 wrote to memory of 2556	2676	chrome.exe	98
PID 2676 wrote to memory of 2556	2676	chrome.exe	98
PID 2676 wrote to memory of 2556	2676	chrome.exe	98
PID 2676 wrote to memory of 2556	2676	chrome.exe	98
PID 2676 wrote to memory of 2556	2676	chrome.exe	98
PID 2676 wrote to memory of 2556	2676	chrome.exe	98
PID 2676 wrote to memory of 2556	2676	chrome.exe	98
PID 2676 wrote to memory of 2556	2676	chrome.exe	98
PID 2676 wrote to memory of 2556	2676	chrome.exe	98
PID 2676 wrote to memory of 2556	2676	chrome.exe	98
PID 2676 wrote to memory of 2556	2676	chrome.exe	98
PID 2676 wrote to memory of 2556	2676	chrome.exe	98
PID 2676 wrote to memory of 2556	2676	chrome.exe	98
PID 2676 wrote to memory of 2556	2676	chrome.exe	98
PID 2676 wrote to memory of 2556	2676	chrome.exe	98
PID 2676 wrote to memory of 2556	2676	chrome.exe	98
PID 2676 wrote to memory of 2556	2676	chrome.exe	98
PID 2676 wrote to memory of 2556	2676	chrome.exe	98
PID 2676 wrote to memory of 2556	2676	chrome.exe	98
PID 2676 wrote to memory of 2556	2676	chrome.exe	98
PID 2676 wrote to memory of 2556	2676	chrome.exe	98
PID 2676 wrote to memory of 2556	2676	chrome.exe	98
PID 2676 wrote to memory of 2556	2676	chrome.exe	98
PID 2676 wrote to memory of 2556	2676	chrome.exe	98
PID 2676 wrote to memory of 4964	2676	chrome.exe	99
PID 2676 wrote to memory of 4964	2676	chrome.exe	99
PID 2676 wrote to memory of 5068	2676	chrome.exe	100
PID 2676 wrote to memory of 5068	2676	chrome.exe	100
PID 2676 wrote to memory of 5068	2676	chrome.exe	100
PID 2676 wrote to memory of 5068	2676	chrome.exe	100
PID 2676 wrote to memory of 5068	2676	chrome.exe	100
PID 2676 wrote to memory of 5068	2676	chrome.exe	100
PID 2676 wrote to memory of 5068	2676	chrome.exe	100
PID 2676 wrote to memory of 5068	2676	chrome.exe	100
PID 2676 wrote to memory of 5068	2676	chrome.exe	100
PID 2676 wrote to memory of 5068	2676	chrome.exe	100
PID 2676 wrote to memory of 5068	2676	chrome.exe	100
PID 2676 wrote to memory of 5068	2676	chrome.exe	100
PID 2676 wrote to memory of 5068	2676	chrome.exe	100
PID 2676 wrote to memory of 5068	2676	chrome.exe	100
PID 2676 wrote to memory of 5068	2676	chrome.exe	100
PID 2676 wrote to memory of 5068	2676	chrome.exe	100
PID 2676 wrote to memory of 5068	2676	chrome.exe	100
PID 2676 wrote to memory of 5068	2676	chrome.exe	100
PID 2676 wrote to memory of 5068	2676	chrome.exe	100
PID 2676 wrote to memory of 5068	2676	chrome.exe	100
PID 2676 wrote to memory of 5068	2676	chrome.exe	100
PID 2676 wrote to memory of 5068	2676	chrome.exe	100

C:\Users\Admin\AppData\Local\Temp\update.exe
"C:\Users\Admin\AppData\Local\Temp\update.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:580

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:5064

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:4584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe6ce59758,0x7ffe6ce59768,0x7ffe6ce59778
  2⤵
  PID:3912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1824,i,5352294483040836412,6889316323743090789,131072 /prefetch:2
  2⤵
  PID:2556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1824,i,5352294483040836412,6889316323743090789,131072 /prefetch:8
  2⤵
  PID:4964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1824,i,5352294483040836412,6889316323743090789,131072 /prefetch:8
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3180 --field-trial-handle=1824,i,5352294483040836412,6889316323743090789,131072 /prefetch:1
  2⤵
  PID:4596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3204 --field-trial-handle=1824,i,5352294483040836412,6889316323743090789,131072 /prefetch:1
  2⤵
  PID:4216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3656 --field-trial-handle=1824,i,5352294483040836412,6889316323743090789,131072 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 --field-trial-handle=1824,i,5352294483040836412,6889316323743090789,131072 /prefetch:8
  2⤵
  PID:1444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4544 --field-trial-handle=1824,i,5352294483040836412,6889316323743090789,131072 /prefetch:8
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4960 --field-trial-handle=1824,i,5352294483040836412,6889316323743090789,131072 /prefetch:8
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4664 --field-trial-handle=1824,i,5352294483040836412,6889316323743090789,131072 /prefetch:1
  2⤵
  PID:3236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5316 --field-trial-handle=1824,i,5352294483040836412,6889316323743090789,131072 /prefetch:1
  2⤵
  PID:732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 --field-trial-handle=1824,i,5352294483040836412,6889316323743090789,131072 /prefetch:8
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 --field-trial-handle=1824,i,5352294483040836412,6889316323743090789,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:2220

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4472

C:\Users\Admin\Downloads\update.exe
"C:\Users\Admin\Downloads\update.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2928d5e5f81b240614b8620b23a30a5c

SHA1
5616ec5b37a48907b7cd97df33a7494b35c89e8a

SHA256
330fb380ebb180875200eb148f1dd1d577e780662b3e06d3ae06694c3fc17dd2

SHA512
49663ba6a892015d227870c310d1b5c809611bd19a7418e2235ce266ad1d3d8d226ffde598540abc5300868e0168397c26a05f17ef27ab6feec69a5341860faf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
8100f969883dda9a168f62febca8ec4e

SHA1
1bc516f03689523b34b3fb7c4bf703a7bce8298e

SHA256
976ae6501d0fe36dd14e43de3044e6e76b93c43d7245869e72bf65d4dca92c02

SHA512
db24c276e746eaff4f12799203240e963fc7386b1a4b53035dc84da311c876dd36355b392d6887913d080a41b04d825cfc24fb82d5ca8a6518c82d6c5448e646

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ee8f372e7c4b06ef1e233afe99667f88

SHA1
0cad220909cc61ad4ab93d34fac48ed59508be6f

SHA256
5d2e8359da5659d2c4e417259e54995bf9bb4407f053866ae8b3745ca35f43fc

SHA512
e9156890b533afb970ca5a384957803b9cfefa6f281757b653b9eea2ddaac0f48a442945db9e4d60e0072f9a0add3ac94b9f2ba6b7394ad8e1bda1b7a9ae5a60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9b63a224d16b5d9fb6ef7a329395017e

SHA1
053e06661cc0c6eba7c7e1d451bb96c321db9c9f

SHA256
4469b0c090605af3879ad37f9946f57cfd74547380ea1c589550f95cd5df9324

SHA512
376e7ca552e594e1502a82d01404220566de6d9a11a31fee9b40d6f6e843b1f5975e8eeb7a40166247edd6b14629dbce25c43f61360df337907c991ed22d5912

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
de31f797d783c859d8c5957c565031eb

SHA1
7f4bbb6c7a4574ec0fb96372e7d964f1f5458a06

SHA256
3f8967512f04a8dbd8beeb9c3d03cb46b2fafec19ce72e9624a6287ea4ca7d15

SHA512
22acb724c5ea1be6b6da706155debe7a6aaed0edb415d95e9ebff4ed7736ac0cf413bb1adb8fb8be81b580da401718e9d9cab3875848c4393497d5522f6f9381

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
583427a5ef45eabca7b4e9189ac005b7

SHA1
7182f1a9587e3e33fa2bec2167d8785c65f68ed6

SHA256
16d2a754279b768d324bb1e50035a84a2633aafa668f1364f78e7213a89b1ec0

SHA512
ff33a12482174406bb69ae003c90d53c6dc461a9def88822960658c8066e3b1026a4a4a3988a047d1fe93c5bc4bfbb668b51e9444bcaad70e73bdc28ef63e4b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
258KB

MD5
f910e2d2d827def43da3a55ff4743cba

SHA1
2f7681ecece06fb5727ced58c876239420fd4463

SHA256
d409c9fd1705eceae5f9d7c16ad8af021e4aa0b35e734bbc1fdfd0281b072058

SHA512
acad3c23ce4ab28de7fc549887e976fbb766168621c37d05074469f6d27a510a4a373da5ca7b99c3105d03088cfbaf3295882982cde1324777122bdd9661ce15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
97KB

MD5
5834942ae97a1a01160d53c18a564327

SHA1
affa2fe5e2cd0ad3603f577b2b3df7111a54e430

SHA256
bf95c63d91a89efea5dd8c06887f20519f6583fa21cf8cc8502d122f2aaf01e5

SHA512
3c5ec3aea6aac6161374269709bebecefeddc8965c7723274d7a5b61128806207d878cdb3067f44cc83385cbbd0ca2052461f6a1345fe16d317a0e6d1a43df6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58c9b4.TMP

Filesize
89KB

MD5
e83dedb59a937d84d974b179a8121f26

SHA1
c38411d0b105b31196f920170847ff18a259c36c

SHA256
60ce2d6e76da28d8667374cc14845843179a0b34ec08634541cf1828e431bad0

SHA512
613360345becc9a74b5987b3f72fb0ff76bfdd13ff476dbacc465210cf4c9c2bf9df5366263a30f4e4ea129aa872b32692e6de753cf7bea2a0a66b0d08429979

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\update.exe

Filesize
7.8MB

MD5
137cdab60968954d74707ecea4042d17

SHA1
34b1f7b26afb589565ae7475318ca1e949b47cbf

SHA256
deab4d565a357f967bfc2f89f7baa030ece525e8c84aa1488c0b6f1d62c6f711

SHA512
d336302224e16f2970d49f79ac7313bc3eb7dc093c61ad6e9b992aaecf2a5d0fdee8e20163a3d1e3decedba0402b46f30c3c4b6c34ae664939f484533ec22754

Download Submit
C:\Users\Admin\Downloads\update.exe

Filesize
5.7MB

MD5
ace8324d5600388022fef8b440f0feef

SHA1
9f84544447c8839d257d7d9cfc793f8481dfbe93

SHA256
e364592e52af97afcece06ec2358c2c46f724e8433956aacb6a431e941d8fcda

SHA512
489c49dd1441551877deab04d99242658d09120e7c73588c47f5edaa7283434f1743b537c897c9cf69283eb341fbee15e923b8d2b696c5d038f0cfc2430a00ab

Download Submit
C:\Users\Admin\Downloads\update.php.crdownload

Filesize
9.6MB

MD5
3b85c21e398ff87a3106a6d95dcfe422

SHA1
2984f55bcd09779f268cd1f3fc678d9b754170ba

SHA256
eae46c15fad3b0623ed1c72949a4ae430f4efe1f22f935dda6f17fe746918595

SHA512
60252f20cfe61bee1d622dcc7c99e53dab5ff7d9a9e00351b41cdd9b11dd4d0fc7dffc2eb0cdaeec7d4696d83e31ba273da089a79a0496a9be293ed978fe091f

Download Submit
C:\Users\Admin\Downloads\update.php:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/1756-10-0x00007FF6388E0000-0x00007FF63A043000-memory.dmp

Filesize
23.4MB

Download
memory/1756-12-0x00007FFE8EA00000-0x00007FFE8EC09000-memory.dmp

Filesize
2.0MB

Download
memory/1756-11-0x00007FF6388E0000-0x00007FF63A043000-memory.dmp

Filesize
23.4MB

Download
memory/1756-0-0x00007FFE8EA00000-0x00007FFE8EC09000-memory.dmp

Filesize
2.0MB

Download
memory/1756-9-0x00007FF6388E0000-0x00007FF63A043000-memory.dmp

Filesize
23.4MB

Download
memory/1756-8-0x00007FF6388E0000-0x00007FF63A043000-memory.dmp

Filesize
23.4MB

Download
memory/1756-7-0x00007FF6388E0000-0x00007FF63A043000-memory.dmp

Filesize
23.4MB

Download
memory/1756-6-0x00007FF6388E0000-0x00007FF63A043000-memory.dmp

Filesize
23.4MB

Download
memory/1756-5-0x00007FF6388E0000-0x00007FF63A043000-memory.dmp

Filesize
23.4MB

Download
memory/1756-4-0x00007FF6388E0000-0x00007FF63A043000-memory.dmp

Filesize
23.4MB

Download
memory/1756-3-0x00007FF6388E0000-0x00007FF63A043000-memory.dmp

Filesize
23.4MB

Download
memory/1756-1-0x00007FF6388E0000-0x00007FF63A043000-memory.dmp

Filesize
23.4MB

Download
memory/1756-2-0x00007FF6388E0000-0x00007FF63A043000-memory.dmp

Filesize
23.4MB

Download
memory/4216-104-0x00007FF6CD990000-0x00007FF6CF0F3000-memory.dmp

Filesize
23.4MB

Download
memory/4216-105-0x00007FF6CD990000-0x00007FF6CF0F3000-memory.dmp

Filesize
23.4MB

Download
memory/4216-106-0x00007FF6CD990000-0x00007FF6CF0F3000-memory.dmp

Filesize
23.4MB

Download
memory/4216-107-0x00007FF6CD990000-0x00007FF6CF0F3000-memory.dmp

Filesize
23.4MB

Download
memory/4216-108-0x00007FF6CD990000-0x00007FF6CF0F3000-memory.dmp

Filesize
23.4MB

Download
memory/4216-109-0x00007FF6CD990000-0x00007FF6CF0F3000-memory.dmp

Filesize
23.4MB

Download
memory/4216-110-0x00007FF6CD990000-0x00007FF6CF0F3000-memory.dmp

Filesize
23.4MB

Download
memory/4216-111-0x00007FF6CD990000-0x00007FF6CF0F3000-memory.dmp

Filesize
23.4MB

Download
memory/4216-112-0x00007FF6CD990000-0x00007FF6CF0F3000-memory.dmp

Filesize
23.4MB

Download
memory/4216-114-0x00007FFE8EA00000-0x00007FFE8EC09000-memory.dmp

Filesize
2.0MB

Download
memory/4216-113-0x00007FF6CD990000-0x00007FF6CF0F3000-memory.dmp

Filesize
23.4MB

Download
memory/4216-103-0x00007FF6CD990000-0x00007FF6CF0F3000-memory.dmp

Filesize
23.4MB

Download
memory/4216-102-0x00007FFE8EA00000-0x00007FFE8EC09000-memory.dmp

Filesize
2.0MB

Download