Analysis
- max time kernel: 150s
- max time network: 145s
- platform: windows11-21h2_x64
- resource: win11-20240508-en
- resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 27/06/2024, 12:32
Static task: static1
Behavioral task: behavioral1
- Sample: 0544ce429a95ba5699c43d4ff5f5609f245105c82388296e852b5ad3e2ba7182.exe
- Resource: win10v2004-20240508-en
Behavioral task: behavioral2
- Sample: 0544ce429a95ba5699c43d4ff5f5609f245105c82388296e852b5ad3e2ba7182.exe
- Resource: win11-20240508-en
General
- Target: 0544ce429a95ba5699c43d4ff5f5609f245105c82388296e852b5ad3e2ba7182.exe
- Size: 2.3MB
- MD5: 79893e931a1368ba6724110ca28247fd
- SHA1: c0ac618dbadc8862bb774746d4e6184354fa0872
- SHA256: 0544ce429a95ba5699c43d4ff5f5609f245105c82388296e852b5ad3e2ba7182
- SHA512: 3e06fad67a5bb4260fe4d13b208428315258a75f6f014bedfb8ae9544be3b6d1ee5cfcb22232729e9006f25360a5996bb6d6402990b4af742c578967e71aa75e
- SSDEEP: 49152:R75gfdDlqnt41NdL7Lo45+5gYx+m+l6Id+csx+GV22i:hSqnt41P7RE5Zzm6IJu+GX
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: 0544ce429a95ba5699c43d4ff5f5609f245105c82388296e852b5ad3e2ba7182.exe)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: 0544ce429a95ba5699c43d4ff5f5609f245105c82388296e852b5ad3e2ba7182.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: 0544ce429a95ba5699c43d4ff5f5609f245105c82388296e852b5ad3e2ba7182.exe)
- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Key opened: \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine (process: 0544ce429a95ba5699c43d4ff5f5609f245105c82388296e852b5ad3e2ba7182.exe)
- AutoIT Executable (18 IoCs)
  AutoIT scripts compiled to PE executables.
  YARA rule autoit_exe matched 18 memory dumps of PID 3556 in behavioral2, all covering 0x0000000000620000-0x0000000000B8C000 (behavioral2/memory/3556-N-0x0000000000620000-0x0000000000B8C000-memory.dmp), for N = 3, 4, 6, 5, 7, 9, 10, 11, 12, 13, 48, 64, 89, 90, 91, 92, 98, 99.
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  PID 3556: 0544ce429a95ba5699c43d4ff5f5609f245105c82388296e852b5ad3e2ba7182.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (process: chrome.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process: chrome.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process: chrome.exe)
- Modifies data under HKEY_USERS (2 IoCs)
  Set value (int): \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133639651477964049" (process: chrome.exe)
  Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (process: chrome.exe)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID 3556: 0544ce429a95ba5699c43d4ff5f5609f245105c82388296e852b5ad3e2ba7182.exe (2 entries)
  PID 824: chrome.exe (2 entries)
  PID 5064: chrome.exe (2 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
  PID 824: chrome.exe (3 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeShutdownPrivilege, PID 824 chrome.exe (32 entries)
  Token: SeCreatePagefilePrivilege, PID 824 chrome.exe (32 entries)
  The two tokens alternate throughout the original listing.
- Suspicious use of FindShellTrayWindow (63 IoCs)
  PID 3556: 0544ce429a95ba5699c43d4ff5f5609f245105c82388296e852b5ad3e2ba7182.exe (36 entries)
  PID 824: chrome.exe (27 entries)
- Suspicious use of SendNotifyMessage (48 IoCs)
  PID 3556: 0544ce429a95ba5699c43d4ff5f5609f245105c82388296e852b5ad3e2ba7182.exe (36 entries)
  PID 824: chrome.exe (12 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Source PID / process -> target PID (procid_target), distinct rows; the 824 -> 2492 and 824 -> 3712 rows are repeated many times each in the original listing, which totals 64 entries:
  PID 3556 (0544ce429a95ba5699c43d4ff5f5609f245105c82388296e852b5ad3e2ba7182.exe) wrote to memory of PID 824 (procid_target 77), 2 entries
  PID 824 (chrome.exe) wrote to memory of PID 2840 (procid_target 80), 2 entries
  PID 824 (chrome.exe) wrote to memory of PID 2492 (procid_target 81), repeated
  PID 824 (chrome.exe) wrote to memory of PID 992 (procid_target 82), 2 entries
  PID 824 (chrome.exe) wrote to memory of PID 3712 (procid_target 83), repeated
Processes
- PID 3556: C:\Users\Admin\AppData\Local\Temp\0544ce429a95ba5699c43d4ff5f5609f245105c82388296e852b5ad3e2ba7182.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0544ce429a95ba5699c43d4ff5f5609f245105c82388296e852b5ad3e2ba7182.exe"
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - PID 824: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
    Signatures:
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - PID 2840: C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdb439ab58,0x7ffdb439ab68,0x7ffdb439ab78
    - PID 2492: C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1512 --field-trial-handle=1832,i,4636434745607773057,17345183991550480859,131072 /prefetch:2
    - PID 992: C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1832,i,4636434745607773057,17345183991550480859,131072 /prefetch:8
    - PID 3712: C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2188 --field-trial-handle=1832,i,4636434745607773057,17345183991550480859,131072 /prefetch:8
    - PID 1892: C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2808 --field-trial-handle=1832,i,4636434745607773057,17345183991550480859,131072 /prefetch:1
    - PID 2160: C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2816 --field-trial-handle=1832,i,4636434745607773057,17345183991550480859,131072 /prefetch:1
    - PID 748: C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4172 --field-trial-handle=1832,i,4636434745607773057,17345183991550480859,131072 /prefetch:1
    - PID 2296: C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4324 --field-trial-handle=1832,i,4636434745607773057,17345183991550480859,131072 /prefetch:8
    - PID 1928: C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4424 --field-trial-handle=1832,i,4636434745607773057,17345183991550480859,131072 /prefetch:8
    - PID 1628: C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 --field-trial-handle=1832,i,4636434745607773057,17345183991550480859,131072 /prefetch:8
    - PID 5064: C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1832,i,4636434745607773057,17345183991550480859,131072 /prefetch:2
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
- PID 4932: C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads