de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58

Analysis

max time kernel
149s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
20-06-2024 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
Size

2.3MB
MD5

8315efc4d16754a5d02938270f6ca01b
SHA1

085eb12a0bc268a05e8dcc0b796991a475192767
SHA256

de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58
SHA512

14be79780f196ce086cce25f43ac93d049df551dd12c68ef19aef3a3bfd046385d09feae24dcdcd17176bcaa39aa5cea005242348a5718f88e4bf172e3156c51
SSDEEP

49152:HBNwyQG51moKIMzj8cVUy++WptIDWnOvm8W0LM8dAL4FedduLGRp+513:XZz11MzQGL++Wp0vvm58gduC6513

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe

AutoIT Executable 11 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4728-3-0x0000000000260000-0x00000000007E1000-memory.dmp	autoit_exe
behavioral2/memory/4728-4-0x0000000000260000-0x00000000007E1000-memory.dmp	autoit_exe
behavioral2/memory/4728-5-0x0000000000260000-0x00000000007E1000-memory.dmp	autoit_exe
behavioral2/memory/4728-30-0x0000000000260000-0x00000000007E1000-memory.dmp	autoit_exe
behavioral2/memory/4728-38-0x0000000000260000-0x00000000007E1000-memory.dmp	autoit_exe
behavioral2/memory/4728-49-0x0000000000260000-0x00000000007E1000-memory.dmp	autoit_exe
behavioral2/memory/4728-50-0x0000000000260000-0x00000000007E1000-memory.dmp	autoit_exe
behavioral2/memory/4728-51-0x0000000000260000-0x00000000007E1000-memory.dmp	autoit_exe
behavioral2/memory/4728-52-0x0000000000260000-0x00000000007E1000-memory.dmp	autoit_exe
behavioral2/memory/4728-53-0x0000000000260000-0x00000000007E1000-memory.dmp	autoit_exe
behavioral2/memory/4728-56-0x0000000000260000-0x00000000007E1000-memory.dmp	autoit_exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133633759280542483"	chrome.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
3788	chrome.exe
3788	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
3788	chrome.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 3788	4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe	77
PID 4728 wrote to memory of 3788	4728	de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe	77
PID 3788 wrote to memory of 4468	3788	chrome.exe	80
PID 3788 wrote to memory of 4468	3788	chrome.exe	80
PID 3788 wrote to memory of 792	3788	chrome.exe	81
PID 3788 wrote to memory of 792	3788	chrome.exe	81
PID 3788 wrote to memory of 792	3788	chrome.exe	81
PID 3788 wrote to memory of 792	3788	chrome.exe	81
PID 3788 wrote to memory of 792	3788	chrome.exe	81
PID 3788 wrote to memory of 792	3788	chrome.exe	81
PID 3788 wrote to memory of 792	3788	chrome.exe	81
PID 3788 wrote to memory of 792	3788	chrome.exe	81
PID 3788 wrote to memory of 792	3788	chrome.exe	81
PID 3788 wrote to memory of 792	3788	chrome.exe	81
PID 3788 wrote to memory of 792	3788	chrome.exe	81
PID 3788 wrote to memory of 792	3788	chrome.exe	81
PID 3788 wrote to memory of 792	3788	chrome.exe	81
PID 3788 wrote to memory of 792	3788	chrome.exe	81
PID 3788 wrote to memory of 792	3788	chrome.exe	81
PID 3788 wrote to memory of 792	3788	chrome.exe	81
PID 3788 wrote to memory of 792	3788	chrome.exe	81
PID 3788 wrote to memory of 792	3788	chrome.exe	81
PID 3788 wrote to memory of 792	3788	chrome.exe	81
PID 3788 wrote to memory of 792	3788	chrome.exe	81
PID 3788 wrote to memory of 792	3788	chrome.exe	81
PID 3788 wrote to memory of 792	3788	chrome.exe	81
PID 3788 wrote to memory of 792	3788	chrome.exe	81
PID 3788 wrote to memory of 792	3788	chrome.exe	81
PID 3788 wrote to memory of 792	3788	chrome.exe	81
PID 3788 wrote to memory of 792	3788	chrome.exe	81
PID 3788 wrote to memory of 792	3788	chrome.exe	81
PID 3788 wrote to memory of 792	3788	chrome.exe	81
PID 3788 wrote to memory of 792	3788	chrome.exe	81
PID 3788 wrote to memory of 792	3788	chrome.exe	81
PID 3788 wrote to memory of 2724	3788	chrome.exe	82
PID 3788 wrote to memory of 2724	3788	chrome.exe	82
PID 3788 wrote to memory of 4852	3788	chrome.exe	83
PID 3788 wrote to memory of 4852	3788	chrome.exe	83
PID 3788 wrote to memory of 4852	3788	chrome.exe	83
PID 3788 wrote to memory of 4852	3788	chrome.exe	83
PID 3788 wrote to memory of 4852	3788	chrome.exe	83
PID 3788 wrote to memory of 4852	3788	chrome.exe	83
PID 3788 wrote to memory of 4852	3788	chrome.exe	83
PID 3788 wrote to memory of 4852	3788	chrome.exe	83
PID 3788 wrote to memory of 4852	3788	chrome.exe	83
PID 3788 wrote to memory of 4852	3788	chrome.exe	83
PID 3788 wrote to memory of 4852	3788	chrome.exe	83
PID 3788 wrote to memory of 4852	3788	chrome.exe	83
PID 3788 wrote to memory of 4852	3788	chrome.exe	83
PID 3788 wrote to memory of 4852	3788	chrome.exe	83
PID 3788 wrote to memory of 4852	3788	chrome.exe	83
PID 3788 wrote to memory of 4852	3788	chrome.exe	83
PID 3788 wrote to memory of 4852	3788	chrome.exe	83
PID 3788 wrote to memory of 4852	3788	chrome.exe	83
PID 3788 wrote to memory of 4852	3788	chrome.exe	83
PID 3788 wrote to memory of 4852	3788	chrome.exe	83
PID 3788 wrote to memory of 4852	3788	chrome.exe	83
PID 3788 wrote to memory of 4852	3788	chrome.exe	83
PID 3788 wrote to memory of 4852	3788	chrome.exe	83
PID 3788 wrote to memory of 4852	3788	chrome.exe	83
PID 3788 wrote to memory of 4852	3788	chrome.exe	83
PID 3788 wrote to memory of 4852	3788	chrome.exe	83
PID 3788 wrote to memory of 4852	3788	chrome.exe	83
PID 3788 wrote to memory of 4852	3788	chrome.exe	83

C:\Users\Admin\AppData\Local\Temp\de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe
"C:\Users\Admin\AppData\Local\Temp\de0f393bb2ba0f8da0300dcd6c7c0db03b915222eed80e287b00b4b0a3c85b58.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
  2⤵
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3788
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee73ecc40,0x7ffee73ecc4c,0x7ffee73ecc58
    3⤵
    PID:4468
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1820,i,8727332354539523622,7922131014833474028,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1816 /prefetch:2
    3⤵
    PID:792
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2056,i,8727332354539523622,7922131014833474028,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2108 /prefetch:3
    3⤵
    PID:2724
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2160,i,8727332354539523622,7922131014833474028,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2392 /prefetch:8
    3⤵
    PID:4852
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,8727332354539523622,7922131014833474028,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3108 /prefetch:1
    3⤵
    PID:4052
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3104,i,8727332354539523622,7922131014833474028,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3144 /prefetch:1
    3⤵
    PID:2652
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4488,i,8727332354539523622,7922131014833474028,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4572 /prefetch:8
    3⤵
    PID:3076
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4560,i,8727332354539523622,7922131014833474028,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4520 /prefetch:1
    3⤵
    PID:4828
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4860,i,8727332354539523622,7922131014833474028,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3096 /prefetch:1
    3⤵
    PID:2176
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=212,i,8727332354539523622,7922131014833474028,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4280 /prefetch:1
    3⤵
    PID:4908
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4964,i,8727332354539523622,7922131014833474028,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4960 /prefetch:1
    3⤵
    PID:4384
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3736,i,8727332354539523622,7922131014833474028,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4652 /prefetch:8
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:4212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4788,i,8727332354539523622,7922131014833474028,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4652 /prefetch:1
    3⤵
    PID:2676

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:4948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4e0dae946247c4f3a556351ec5c97ec4

SHA1
9af554e649ee6cd459010d9d8abe9fd9f4a54035

SHA256
ad76780f4c535dd804da56224533c6a8dee552b271cfe254a5e96623978e8897

SHA512
5bfa1062ba0a67cecde5605fefda530ad28c3f9c00480195f7074f99becac5a6f7a96913dfc613381b4bd5ed5e2a762fec9e1b74bc1ffa1753e40c0d97c56756

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6154e9b8a6b5dfaba7c29afc91d94715

SHA1
cb478005a40f026e4b88c9317f02df3f9b6a2536

SHA256
50fde74efe27a2f6f667b27105cb262b225d6ee5557c145bf8b6445287bf919b

SHA512
20e4cf518048736a261c318d9fa75ce42414471ad79772f5def3181c5547a2583a419ff455f44b24e02755b68dd4908173e252ff5cc21611f87ddfabd3aca580

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dc846e12cae63c751a7a3601174e8d16

SHA1
d971393ca5c801c38a769a62c846f7db9c2b6daa

SHA256
dcb08ad898473f2fb087a3e4e663a6f3c3dd8c9c4272b5672ea1918e819f4e1d

SHA512
74c87a8979100660084dd5dbdc817555c1f4342b1e6c73b1ba37cccbdf0541064838015dc0f40ad6cfa781f10e4854ec94c84a26254a3ec850bbcabd66d9399d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
40b83af1e2ac3294189b668a1116281a

SHA1
8b5a206fefd06823a9b2d05837c222e555d625fa

SHA256
eb2bfc5a9347ec9c99b572fa82b1a3997a8a8a7ea180a7d8ccb0f5f2a8c989fe

SHA512
4494f4dc7cc8b1eaec0394dfe7924925fccdf0bd9abdffa7cd328912c03adcf917fc9fb1bd5dd0bb1085ac8edf6822b5ef366bbd7d6b593f30b98e4caf008f4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7dcf347cc0d4dd45d24b3479c2a64df3

SHA1
06451df0bf207667fa84e4c28db288e98d7d6f6c

SHA256
2743fa3214cb3a540070b0a0602ddcc6ed0e01d5fc8c21406c377b82af717e92

SHA512
26194d7b2c505dfb109ae85ecdd9e24f339f5c13161d6feaddc7ea2ec5bea8a377971f28fc93a64c4eabc5d5370332f9aafb9d82469f96ba865d6e9c2ed3d541

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a274fdf708a2b1b93e30f41624a0381d

SHA1
819809a85d390a807aa5c6c68e917ed5d791d381

SHA256
b3f151bd4163be7d2d42fdb00e013892485c86ba635511fb82317bacc6d238ab

SHA512
de38585b7c2647c064b44ec8ed6d7ba5a1f74bc4a4aa3743e7c63755052e1dc6526035289e0f4fe5b204799a55cc05193e8dc67bcaee50c3f6430cd6771a4694

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
27e7f4b6062b0f8495df4f5153b824c2

SHA1
25c708d20e809eb9c3c7b47cdc11264eff9050be

SHA256
9b3dcbe83f578b2ed015a6d54ad009d8f016b09927e3ab2a07b90bbf56518eef

SHA512
664dfc4718193fc3085287394c8715dfc5880c55c2b59608415ad58bfb8db9112f63fe31faa617cc45df2a31175506511125f594a8b554d5732bf24defb861c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b22096791d7464ec96a6a93cdd4c5933

SHA1
81e68705dc5821576861867ed495e68048a16f63

SHA256
822d47ff93fe5054e9884764949764fbfd817f272a2e14e0b09772bf42b32f62

SHA512
e9edb7342ff2be2331bd3d7f6f81c47c3be125b7f60093b484a13de7338de1fd0908f70cb6deea8a3d9a987e128398b6d9b3a2f2553d4564b35f483927a13660

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
a906871e16bc844c6fdf44efbbd66a15

SHA1
cbe6e1df31fbad91e70f40ef5c754aef79b42679

SHA256
05cf0a6328fcca4ee1d2c752dd666a8f261ae1f8c8ff6a1b5f18de76baa74143

SHA512
4cf02a49991fcb394db4a663c5d21e3822dd6885dc9fe22938e9fa08892a055265d4dcdc043710ea1b6795d33b83c271dd80d4cc4a590c562df28b9dfbf90cd6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
e3dcf17db2d61c286f966493311032ba

SHA1
c3cdbc98cd712d5d8d6dc1eb8ba23a308e5d9a54

SHA256
5742da8a5a015b9e9d073ab2ec8f430dad00fd189866c81324fadf4212f458fd

SHA512
1c2acdd838e21b430d8fc3065f4a49a6bb023cabd6258e7e73e11b141686831f867cc1ccf52750ea435be7a7802e3fad41e74d060ae91f5ccf1fec5278975553

Download Submit
memory/4728-53-0x0000000000260000-0x00000000007E1000-memory.dmp

Filesize
5.5MB

Download
memory/4728-30-0x0000000000260000-0x00000000007E1000-memory.dmp

Filesize
5.5MB

Download
memory/4728-50-0x0000000000260000-0x00000000007E1000-memory.dmp

Filesize
5.5MB

Download
memory/4728-56-0x0000000000260000-0x00000000007E1000-memory.dmp

Filesize
5.5MB

Download
memory/4728-49-0x0000000000260000-0x00000000007E1000-memory.dmp

Filesize
5.5MB

Download
memory/4728-38-0x0000000000260000-0x00000000007E1000-memory.dmp

Filesize
5.5MB

Download
memory/4728-0-0x0000000000260000-0x00000000007E1000-memory.dmp

Filesize
5.5MB

Download
memory/4728-52-0x0000000000260000-0x00000000007E1000-memory.dmp

Filesize
5.5MB

Download
memory/4728-51-0x0000000000260000-0x00000000007E1000-memory.dmp

Filesize
5.5MB

Download
memory/4728-5-0x0000000000260000-0x00000000007E1000-memory.dmp

Filesize
5.5MB

Download
memory/4728-4-0x0000000000260000-0x00000000007E1000-memory.dmp

Filesize
5.5MB

Download
memory/4728-2-0x0000000000261000-0x00000000002C5000-memory.dmp

Filesize
400KB

Download
memory/4728-3-0x0000000000260000-0x00000000007E1000-memory.dmp

Filesize
5.5MB

Download
memory/4728-1-0x0000000077726000-0x0000000077728000-memory.dmp

Filesize
8KB

Download