Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/06/2024, 16:51
Static task: static1

Behavioral task: behavioral1
  Sample: de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
  Resource: win10v2004-20240611-en

Behavioral task: behavioral2
  Sample: de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
  Resource: win11-20240419-en
General

Target: de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
Size: 2.3MB
MD5: 8315efc4d16754a5d02938270f6ca01b
SHA1: 085eb12a0bc268a05e8dcc0b796991a475192767
SHA256: de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58
SHA512: 14be79780f196ce086cce25f43ac93d049df551dd12c68ef19aef3a3bfd046385d09feae24dcdcd17176bcaa39aa5cea005242348a5718f88e4bf172e3156c51
SSDEEP: 49152:HBNwyQG51moKIMzj8cVUy++WptIDWnOvm8W0LM8dAL4FedduLGRp+513:XZz11MzQGL++Wp0vvm58gduC6513
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)  [2 TTPs, 1 IoC]
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
Checks BIOS information in registry  [2 TTPs, 2 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
Checks computer location settings  [2 TTPs, 1 IoC]
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
Identifies Wine through registry keys  [2 TTPs, 1 IoC]
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Wine | de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
AutoIT Executable  [18 IoCs]
  AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral1/memory/2660-N-0x0000000000660000-0x0000000000BE1000-memory.dmp | autoit_exe
  (18 dumps of the same memory region of PID 2660, N = 3, 4, 5, 6, 7, 8, 9, 11, 12, 13, 14, 15, 78, 86, 94, 95, 96, 102)
Suspicious use of NtSetInformationThreadHideFromDebugger  [1 IoC]
  pid | process
  2660 | de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
Enumerates physical storage devices  [1 TTPs]
  Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry  [2 TTPs, 3 IoCs]
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS  [2 IoCs]
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133633759305385601" | chrome.exe
Modifies registry class  [1 IoC]
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3169499791-3545231813-3156325206-1000\{03B90D06-F71B-4213-B2EF-F36DB7D10950} | chrome.exe
Suspicious behavior: EnumeratesProcesses  [6 IoCs]
  pid | process | occurrences
  2660 | de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe | 2
  1636 | chrome.exe | 2
  3764 | chrome.exe | 2
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary  [4 IoCs]
  pid | process | occurrences
  1636 | chrome.exe | 4
Suspicious use of AdjustPrivilegeToken  [64 IoCs]
  description | pid | process
  Token: SeShutdownPrivilege | 1636 | chrome.exe
  Token: SeCreatePagefilePrivilege | 1636 | chrome.exe
  (64 events in total, alternating between these two privileges, all from PID 1636 chrome.exe)
Suspicious use of FindShellTrayWindow  [63 IoCs]
  pid | process
  2660 | de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
  1636 | chrome.exe
  (63 events in total, all from these two processes)
Suspicious use of SendNotifyMessage  [60 IoCs]
  pid | process
  2660 | de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
  1636 | chrome.exe
  (60 events in total, all from these two processes)
Suspicious use of WriteProcessMemory  [64 IoCs]
  description | pid | process | procid_target
  PID 2660 wrote to memory of 1636 | 2660 | de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe | 84
  PID 1636 wrote to memory of 1840 | 1636 | chrome.exe | 86
  PID 1636 wrote to memory of 2628 | 1636 | chrome.exe | 87
  PID 1636 wrote to memory of 4004 | 1636 | chrome.exe | 88
  PID 1636 wrote to memory of 2696 | 1636 | chrome.exe | 89
  (64 write events in total; the writes to 2628 and 2696 are each repeated many times)
Processes

C:\Users\Admin\AppData\Local\Temp\de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe  (PID 2660)
  command line: "C:\Users\Admin\AppData\Local\Temp\de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1636, child of 2660)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1840, child of 1636)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc51c6ab58,0x7ffc51c6ab68,0x7ffc51c6ab78

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2628, child of 1636)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1592 --field-trial-handle=1912,i,15172087118542879317,6833640327006667388,131072 /prefetch:2

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4004, child of 1636)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1912,i,15172087118542879317,6833640327006667388,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2696, child of 1636)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2232 --field-trial-handle=1912,i,15172087118542879317,6833640327006667388,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4444, child of 1636)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1912,i,15172087118542879317,6833640327006667388,131072 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 208, child of 1636)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1912,i,15172087118542879317,6833640327006667388,131072 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4116, child of 1636)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4232 --field-trial-handle=1912,i,15172087118542879317,6833640327006667388,131072 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3488, child of 1636)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4488 --field-trial-handle=1912,i,15172087118542879317,6833640327006667388,131072 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1496, child of 1636)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4464 --field-trial-handle=1912,i,15172087118542879317,6833640327006667388,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1592, child of 1636)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4436 --field-trial-handle=1912,i,15172087118542879317,6833640327006667388,131072 /prefetch:8
      - Modifies registry class

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1092, child of 1636)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 --field-trial-handle=1912,i,15172087118542879317,6833640327006667388,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4508, child of 1636)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4760 --field-trial-handle=1912,i,15172087118542879317,6833640327006667388,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3744, child of 1636)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 --field-trial-handle=1912,i,15172087118542879317,6833640327006667388,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3764, child of 1636)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2472 --field-trial-handle=1912,i,15172087118542879317,6833640327006667388,131072 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe  (PID 3812)
  command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads