b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
03/07/2024, 08:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
Size

2.3MB
MD5

4e69247d41d75a4b1c61563092ac9d55
SHA1

7567248c7045cda07ce9bf93c838952d4a646aec
SHA256

b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a
SHA512

322fa972e48c5ee0d7f8f4e94605036c13754aee6e6ee1cf3d5faeae34a3a257c129bab401aa4644dbd7c57504d0c8a977033e2e40e5d4fe98aaca372a75eef5
SSDEEP

49152:Lok2vyC4dYAf0cTXjuQ2NSHGYi2wXs5ubjqAUqakUsJ6NbR:UkYOjyAH1us5u2qXj

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Wine	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe

AutoIT Executable 17 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4112-3-0x00000000009D0000-0x0000000000F2C000-memory.dmp	autoit_exe
behavioral2/memory/4112-4-0x00000000009D0000-0x0000000000F2C000-memory.dmp	autoit_exe
behavioral2/memory/4112-5-0x00000000009D0000-0x0000000000F2C000-memory.dmp	autoit_exe
behavioral2/memory/4112-7-0x00000000009D0000-0x0000000000F2C000-memory.dmp	autoit_exe
behavioral2/memory/4112-8-0x00000000009D0000-0x0000000000F2C000-memory.dmp	autoit_exe
behavioral2/memory/4112-9-0x00000000009D0000-0x0000000000F2C000-memory.dmp	autoit_exe
behavioral2/memory/4112-10-0x00000000009D0000-0x0000000000F2C000-memory.dmp	autoit_exe
behavioral2/memory/4112-39-0x00000000009D0000-0x0000000000F2C000-memory.dmp	autoit_exe
behavioral2/memory/4112-40-0x00000000009D0000-0x0000000000F2C000-memory.dmp	autoit_exe
behavioral2/memory/4112-44-0x00000000009D0000-0x0000000000F2C000-memory.dmp	autoit_exe
behavioral2/memory/4112-65-0x00000000009D0000-0x0000000000F2C000-memory.dmp	autoit_exe
behavioral2/memory/4112-66-0x00000000009D0000-0x0000000000F2C000-memory.dmp	autoit_exe
behavioral2/memory/4112-67-0x00000000009D0000-0x0000000000F2C000-memory.dmp	autoit_exe
behavioral2/memory/4112-68-0x00000000009D0000-0x0000000000F2C000-memory.dmp	autoit_exe
behavioral2/memory/4112-72-0x00000000009D0000-0x0000000000F2C000-memory.dmp	autoit_exe
behavioral2/memory/4112-71-0x00000000009D0000-0x0000000000F2C000-memory.dmp	autoit_exe
behavioral2/memory/4112-70-0x00000000009D0000-0x0000000000F2C000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133644688450468447"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
4252	chrome.exe
4252	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
3984	chrome.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 3984	4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe	77
PID 4112 wrote to memory of 3984	4112	b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe	77
PID 3984 wrote to memory of 3484	3984	chrome.exe	80
PID 3984 wrote to memory of 3484	3984	chrome.exe	80
PID 3984 wrote to memory of 4896	3984	chrome.exe	81
PID 3984 wrote to memory of 4896	3984	chrome.exe	81
PID 3984 wrote to memory of 4896	3984	chrome.exe	81
PID 3984 wrote to memory of 4896	3984	chrome.exe	81
PID 3984 wrote to memory of 4896	3984	chrome.exe	81
PID 3984 wrote to memory of 4896	3984	chrome.exe	81
PID 3984 wrote to memory of 4896	3984	chrome.exe	81
PID 3984 wrote to memory of 4896	3984	chrome.exe	81
PID 3984 wrote to memory of 4896	3984	chrome.exe	81
PID 3984 wrote to memory of 4896	3984	chrome.exe	81
PID 3984 wrote to memory of 4896	3984	chrome.exe	81
PID 3984 wrote to memory of 4896	3984	chrome.exe	81
PID 3984 wrote to memory of 4896	3984	chrome.exe	81
PID 3984 wrote to memory of 4896	3984	chrome.exe	81
PID 3984 wrote to memory of 4896	3984	chrome.exe	81
PID 3984 wrote to memory of 4896	3984	chrome.exe	81
PID 3984 wrote to memory of 4896	3984	chrome.exe	81
PID 3984 wrote to memory of 4896	3984	chrome.exe	81
PID 3984 wrote to memory of 4896	3984	chrome.exe	81
PID 3984 wrote to memory of 4896	3984	chrome.exe	81
PID 3984 wrote to memory of 4896	3984	chrome.exe	81
PID 3984 wrote to memory of 4896	3984	chrome.exe	81
PID 3984 wrote to memory of 4896	3984	chrome.exe	81
PID 3984 wrote to memory of 4896	3984	chrome.exe	81
PID 3984 wrote to memory of 4896	3984	chrome.exe	81
PID 3984 wrote to memory of 4896	3984	chrome.exe	81
PID 3984 wrote to memory of 4896	3984	chrome.exe	81
PID 3984 wrote to memory of 4896	3984	chrome.exe	81
PID 3984 wrote to memory of 4896	3984	chrome.exe	81
PID 3984 wrote to memory of 4896	3984	chrome.exe	81
PID 3984 wrote to memory of 4896	3984	chrome.exe	81
PID 3984 wrote to memory of 4584	3984	chrome.exe	82
PID 3984 wrote to memory of 4584	3984	chrome.exe	82
PID 3984 wrote to memory of 2296	3984	chrome.exe	83
PID 3984 wrote to memory of 2296	3984	chrome.exe	83
PID 3984 wrote to memory of 2296	3984	chrome.exe	83
PID 3984 wrote to memory of 2296	3984	chrome.exe	83
PID 3984 wrote to memory of 2296	3984	chrome.exe	83
PID 3984 wrote to memory of 2296	3984	chrome.exe	83
PID 3984 wrote to memory of 2296	3984	chrome.exe	83
PID 3984 wrote to memory of 2296	3984	chrome.exe	83
PID 3984 wrote to memory of 2296	3984	chrome.exe	83
PID 3984 wrote to memory of 2296	3984	chrome.exe	83
PID 3984 wrote to memory of 2296	3984	chrome.exe	83
PID 3984 wrote to memory of 2296	3984	chrome.exe	83
PID 3984 wrote to memory of 2296	3984	chrome.exe	83
PID 3984 wrote to memory of 2296	3984	chrome.exe	83
PID 3984 wrote to memory of 2296	3984	chrome.exe	83
PID 3984 wrote to memory of 2296	3984	chrome.exe	83
PID 3984 wrote to memory of 2296	3984	chrome.exe	83
PID 3984 wrote to memory of 2296	3984	chrome.exe	83
PID 3984 wrote to memory of 2296	3984	chrome.exe	83
PID 3984 wrote to memory of 2296	3984	chrome.exe	83
PID 3984 wrote to memory of 2296	3984	chrome.exe	83
PID 3984 wrote to memory of 2296	3984	chrome.exe	83
PID 3984 wrote to memory of 2296	3984	chrome.exe	83
PID 3984 wrote to memory of 2296	3984	chrome.exe	83
PID 3984 wrote to memory of 2296	3984	chrome.exe	83
PID 3984 wrote to memory of 2296	3984	chrome.exe	83
PID 3984 wrote to memory of 2296	3984	chrome.exe	83

C:\Users\Admin\AppData\Local\Temp\b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe
"C:\Users\Admin\AppData\Local\Temp\b6a8bb6b261bde529acb07c7a780fcb7a582db14da397adcdf7352533e1b371a.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe5053ab58,0x7ffe5053ab68,0x7ffe5053ab78
    3⤵
    PID:3484
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1872,i,7819638095410499397,6573268828026683528,131072 /prefetch:2
    3⤵
    PID:4896
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1872,i,7819638095410499397,6573268828026683528,131072 /prefetch:8
    3⤵
    PID:4584
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1764 --field-trial-handle=1872,i,7819638095410499397,6573268828026683528,131072 /prefetch:8
    3⤵
    PID:2296
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1872,i,7819638095410499397,6573268828026683528,131072 /prefetch:1
    3⤵
    PID:1516
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1872,i,7819638095410499397,6573268828026683528,131072 /prefetch:1
    3⤵
    PID:4892
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4364 --field-trial-handle=1872,i,7819638095410499397,6573268828026683528,131072 /prefetch:8
    3⤵
    PID:1912
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4468 --field-trial-handle=1872,i,7819638095410499397,6573268828026683528,131072 /prefetch:8
    3⤵
    PID:2488
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4356 --field-trial-handle=1872,i,7819638095410499397,6573268828026683528,131072 /prefetch:1
    3⤵
    PID:4696
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4488 --field-trial-handle=1872,i,7819638095410499397,6573268828026683528,131072 /prefetch:1
    3⤵
    PID:32
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4372 --field-trial-handle=1872,i,7819638095410499397,6573268828026683528,131072 /prefetch:8
    3⤵
    PID:3792
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4668 --field-trial-handle=1872,i,7819638095410499397,6573268828026683528,131072 /prefetch:8
    3⤵
    PID:3392
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4376 --field-trial-handle=1872,i,7819638095410499397,6573268828026683528,131072 /prefetch:8
    3⤵
    PID:5016
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4672 --field-trial-handle=1872,i,7819638095410499397,6573268828026683528,131072 /prefetch:1
    3⤵
    PID:244
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=1520 --field-trial-handle=1872,i,7819638095410499397,6573268828026683528,131072 /prefetch:1
    3⤵
    PID:4964
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 --field-trial-handle=1872,i,7819638095410499397,6573268828026683528,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4252
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3440 --field-trial-handle=1872,i,7819638095410499397,6573268828026683528,131072 /prefetch:1
    3⤵
    PID:2560

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
5c601243ceb5619f6c511f9cd8a609fc

SHA1
107f7b1c2163a194621d455de0aaec65ad740d82

SHA256
48d14ca80f3f439be5ba3153e66646f1cf8912cb6b676a8e75d6c994cfcb402d

SHA512
9d47dd9012dfde9ea53e06c70a26f9910b41da01d1c40497ae2aa3cda452525f6007993d6e8c9c34998475507be6a8ac249e33ce60087e11e01a07a8fb7e7e2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
0f32f474306db7fbe3eebe6187214a6f

SHA1
c2acdc6ff22c015145a108a9d292a3ea1a061378

SHA256
a42575af9128c5018fc3108d29211c93bbc3e430b64603ca4e9e71cfccd098a1

SHA512
b640c96e7b36c7de6daf0933781fd9163713a1c248ae756f9212e06dffc42478279fa5f38247c3b3e8dfba915138a62b1f372641b31b5ff41e5c3a0f53c0f7dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
f439d54b0c470b5a50820db8da0fb041

SHA1
d2a6985a696a2b8838e5a4aafed1513bbdb3562d

SHA256
4aa5d65d2f18585d70d80051e2902015dda5d3c149c2d310354fbd9c94322e59

SHA512
1ba7460344721847688cbb27db112d556c0a9051d770b4ec9103515dc775c90f1dfa5258fc777be1dc17dc08954ba795f5f387e27ac6770cb8f4e5e8605b296e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
85KB

MD5
2aa86cd22de716d648c7f102dae79978

SHA1
426e7010f8902e4e0e4f1cf01cdf50ff4b7f2321

SHA256
3fa12d17c3ad00cf30bc62db8ef2796579413c5ad3ef60680dff570c2171a5ad

SHA512
aaa308d3dc9510d8988369ca33f91fbfa9a19041c9fb0a589a95b44ff93d5a13fef600acb6b49793b2dd3e9669ab0f69449ff9cd21e74c20b357acf1eeb6b10e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57e445.TMP

Filesize
82KB

MD5
534b47fb99f1b30d6c0bb728e4b4467e

SHA1
38423240d2e13020fde31f89d21e78715e4bf06c

SHA256
104961557fae8ed20fbd47a5adac2fd7000b682530211831c80ba67b3bd46859

SHA512
cffaa439e844a1ab2c98824dfaeb4ed1b260360644e8943f85f7b28aeb70132af808799abad2bd569f8a66f47cc8e7d66557e5c0559dde8a59969c4199345a01

Download Submit
memory/4112-7-0x00000000009D0000-0x0000000000F2C000-memory.dmp

Filesize
5.4MB

Download
memory/4112-4-0x00000000009D0000-0x0000000000F2C000-memory.dmp

Filesize
5.4MB

Download
memory/4112-10-0x00000000009D0000-0x0000000000F2C000-memory.dmp

Filesize
5.4MB

Download
memory/4112-8-0x00000000009D0000-0x0000000000F2C000-memory.dmp

Filesize
5.4MB

Download
memory/4112-0-0x00000000009D0000-0x0000000000F2C000-memory.dmp

Filesize
5.4MB

Download
memory/4112-5-0x00000000009D0000-0x0000000000F2C000-memory.dmp

Filesize
5.4MB

Download
memory/4112-39-0x00000000009D0000-0x0000000000F2C000-memory.dmp

Filesize
5.4MB

Download
memory/4112-40-0x00000000009D0000-0x0000000000F2C000-memory.dmp

Filesize
5.4MB

Download
memory/4112-44-0x00000000009D0000-0x0000000000F2C000-memory.dmp

Filesize
5.4MB

Download
memory/4112-9-0x00000000009D0000-0x0000000000F2C000-memory.dmp

Filesize
5.4MB

Download
memory/4112-2-0x00000000009D1000-0x0000000000A35000-memory.dmp

Filesize
400KB

Download
memory/4112-65-0x00000000009D0000-0x0000000000F2C000-memory.dmp

Filesize
5.4MB

Download
memory/4112-66-0x00000000009D0000-0x0000000000F2C000-memory.dmp

Filesize
5.4MB

Download
memory/4112-67-0x00000000009D0000-0x0000000000F2C000-memory.dmp

Filesize
5.4MB

Download
memory/4112-68-0x00000000009D0000-0x0000000000F2C000-memory.dmp

Filesize
5.4MB

Download
memory/4112-72-0x00000000009D0000-0x0000000000F2C000-memory.dmp

Filesize
5.4MB

Download
memory/4112-71-0x00000000009D0000-0x0000000000F2C000-memory.dmp

Filesize
5.4MB

Download
memory/4112-70-0x00000000009D0000-0x0000000000F2C000-memory.dmp

Filesize
5.4MB

Download
memory/4112-3-0x00000000009D0000-0x0000000000F2C000-memory.dmp

Filesize
5.4MB

Download
memory/4112-1-0x0000000077986000-0x0000000077988000-memory.dmp

Filesize
8KB

Download