1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a

Analysis

max time kernel
149s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
03/07/2024, 11:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
Size

2.2MB
MD5

9f9ed20614b43af7afbdfe94f1f9d57f
SHA1

86f7d864e8b6457828fd90091345c6a67981f221
SHA256

1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a
SHA512

aa2bd936012d2c74686565e2cff28fbf70c8f61845d8836952adcb16dca08261e41b6ae3c1c8dca2be855bdb87b624066b00a6014625f2d17600a88d64f510ef
SSDEEP

49152:FiBavT3YSK5h1mUwSgiNsQbuUaBASxyt/w9mZCu/f3HuBVO0c3J2:USe/1mU5gi5braB3T9mZr/fHuBkc

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Wine	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe

AutoIT Executable 13 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1596-3-0x0000000000670000-0x0000000000BC1000-memory.dmp	autoit_exe
behavioral2/memory/1596-4-0x0000000000670000-0x0000000000BC1000-memory.dmp	autoit_exe
behavioral2/memory/1596-5-0x0000000000670000-0x0000000000BC1000-memory.dmp	autoit_exe
behavioral2/memory/1596-6-0x0000000000670000-0x0000000000BC1000-memory.dmp	autoit_exe
behavioral2/memory/1596-8-0x0000000000670000-0x0000000000BC1000-memory.dmp	autoit_exe
behavioral2/memory/1596-37-0x0000000000670000-0x0000000000BC1000-memory.dmp	autoit_exe
behavioral2/memory/1596-41-0x0000000000670000-0x0000000000BC1000-memory.dmp	autoit_exe
behavioral2/memory/1596-62-0x0000000000670000-0x0000000000BC1000-memory.dmp	autoit_exe
behavioral2/memory/1596-63-0x0000000000670000-0x0000000000BC1000-memory.dmp	autoit_exe
behavioral2/memory/1596-64-0x0000000000670000-0x0000000000BC1000-memory.dmp	autoit_exe
behavioral2/memory/1596-65-0x0000000000670000-0x0000000000BC1000-memory.dmp	autoit_exe
behavioral2/memory/1596-66-0x0000000000670000-0x0000000000BC1000-memory.dmp	autoit_exe
behavioral2/memory/1596-67-0x0000000000670000-0x0000000000BC1000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133644812278841349"	chrome.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
3112	chrome.exe
3112	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
2952	chrome.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 2952	1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe	77
PID 1596 wrote to memory of 2952	1596	1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe	77
PID 2952 wrote to memory of 3476	2952	chrome.exe	80
PID 2952 wrote to memory of 3476	2952	chrome.exe	80
PID 2952 wrote to memory of 2536	2952	chrome.exe	81
PID 2952 wrote to memory of 2536	2952	chrome.exe	81
PID 2952 wrote to memory of 2536	2952	chrome.exe	81
PID 2952 wrote to memory of 2536	2952	chrome.exe	81
PID 2952 wrote to memory of 2536	2952	chrome.exe	81
PID 2952 wrote to memory of 2536	2952	chrome.exe	81
PID 2952 wrote to memory of 2536	2952	chrome.exe	81
PID 2952 wrote to memory of 2536	2952	chrome.exe	81
PID 2952 wrote to memory of 2536	2952	chrome.exe	81
PID 2952 wrote to memory of 2536	2952	chrome.exe	81
PID 2952 wrote to memory of 2536	2952	chrome.exe	81
PID 2952 wrote to memory of 2536	2952	chrome.exe	81
PID 2952 wrote to memory of 2536	2952	chrome.exe	81
PID 2952 wrote to memory of 2536	2952	chrome.exe	81
PID 2952 wrote to memory of 2536	2952	chrome.exe	81
PID 2952 wrote to memory of 2536	2952	chrome.exe	81
PID 2952 wrote to memory of 2536	2952	chrome.exe	81
PID 2952 wrote to memory of 2536	2952	chrome.exe	81
PID 2952 wrote to memory of 2536	2952	chrome.exe	81
PID 2952 wrote to memory of 2536	2952	chrome.exe	81
PID 2952 wrote to memory of 2536	2952	chrome.exe	81
PID 2952 wrote to memory of 2536	2952	chrome.exe	81
PID 2952 wrote to memory of 2536	2952	chrome.exe	81
PID 2952 wrote to memory of 2536	2952	chrome.exe	81
PID 2952 wrote to memory of 2536	2952	chrome.exe	81
PID 2952 wrote to memory of 2536	2952	chrome.exe	81
PID 2952 wrote to memory of 2536	2952	chrome.exe	81
PID 2952 wrote to memory of 2536	2952	chrome.exe	81
PID 2952 wrote to memory of 2536	2952	chrome.exe	81
PID 2952 wrote to memory of 2536	2952	chrome.exe	81
PID 2952 wrote to memory of 2536	2952	chrome.exe	81
PID 2952 wrote to memory of 4876	2952	chrome.exe	82
PID 2952 wrote to memory of 4876	2952	chrome.exe	82
PID 2952 wrote to memory of 2280	2952	chrome.exe	83
PID 2952 wrote to memory of 2280	2952	chrome.exe	83
PID 2952 wrote to memory of 2280	2952	chrome.exe	83
PID 2952 wrote to memory of 2280	2952	chrome.exe	83
PID 2952 wrote to memory of 2280	2952	chrome.exe	83
PID 2952 wrote to memory of 2280	2952	chrome.exe	83
PID 2952 wrote to memory of 2280	2952	chrome.exe	83
PID 2952 wrote to memory of 2280	2952	chrome.exe	83
PID 2952 wrote to memory of 2280	2952	chrome.exe	83
PID 2952 wrote to memory of 2280	2952	chrome.exe	83
PID 2952 wrote to memory of 2280	2952	chrome.exe	83
PID 2952 wrote to memory of 2280	2952	chrome.exe	83
PID 2952 wrote to memory of 2280	2952	chrome.exe	83
PID 2952 wrote to memory of 2280	2952	chrome.exe	83
PID 2952 wrote to memory of 2280	2952	chrome.exe	83
PID 2952 wrote to memory of 2280	2952	chrome.exe	83
PID 2952 wrote to memory of 2280	2952	chrome.exe	83
PID 2952 wrote to memory of 2280	2952	chrome.exe	83
PID 2952 wrote to memory of 2280	2952	chrome.exe	83
PID 2952 wrote to memory of 2280	2952	chrome.exe	83
PID 2952 wrote to memory of 2280	2952	chrome.exe	83
PID 2952 wrote to memory of 2280	2952	chrome.exe	83
PID 2952 wrote to memory of 2280	2952	chrome.exe	83
PID 2952 wrote to memory of 2280	2952	chrome.exe	83
PID 2952 wrote to memory of 2280	2952	chrome.exe	83
PID 2952 wrote to memory of 2280	2952	chrome.exe	83
PID 2952 wrote to memory of 2280	2952	chrome.exe	83

C:\Users\Admin\AppData\Local\Temp\1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe
"C:\Users\Admin\AppData\Local\Temp\1dc4fc7846d417d72faaa40c3da95b68080a9fd6c54951f7cb3b74f75ce59c7a.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcbccaab58,0x7ffcbccaab68,0x7ffcbccaab78
    3⤵
    PID:3476
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=1856,i,16786193075050034458,7325591204610131054,131072 /prefetch:2
    3⤵
    PID:2536
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1856,i,16786193075050034458,7325591204610131054,131072 /prefetch:8
    3⤵
    PID:4876
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2184 --field-trial-handle=1856,i,16786193075050034458,7325591204610131054,131072 /prefetch:8
    3⤵
    PID:2280
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3012 --field-trial-handle=1856,i,16786193075050034458,7325591204610131054,131072 /prefetch:1
    3⤵
    PID:3588
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3020 --field-trial-handle=1856,i,16786193075050034458,7325591204610131054,131072 /prefetch:1
    3⤵
    PID:2728
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4352 --field-trial-handle=1856,i,16786193075050034458,7325591204610131054,131072 /prefetch:8
    3⤵
    PID:796
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4444 --field-trial-handle=1856,i,16786193075050034458,7325591204610131054,131072 /prefetch:8
    3⤵
    PID:1968
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4176 --field-trial-handle=1856,i,16786193075050034458,7325591204610131054,131072 /prefetch:1
    3⤵
    PID:1156
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4484 --field-trial-handle=1856,i,16786193075050034458,7325591204610131054,131072 /prefetch:1
    3⤵
    PID:3628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4388 --field-trial-handle=1856,i,16786193075050034458,7325591204610131054,131072 /prefetch:8
    3⤵
    PID:988
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4576 --field-trial-handle=1856,i,16786193075050034458,7325591204610131054,131072 /prefetch:8
    3⤵
    PID:2388
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4056 --field-trial-handle=1856,i,16786193075050034458,7325591204610131054,131072 /prefetch:8
    3⤵
    PID:1520
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4072 --field-trial-handle=1856,i,16786193075050034458,7325591204610131054,131072 /prefetch:1
    3⤵
    PID:5028
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=1580 --field-trial-handle=1856,i,16786193075050034458,7325591204610131054,131072 /prefetch:1
    3⤵
    PID:3480
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4692 --field-trial-handle=1856,i,16786193075050034458,7325591204610131054,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3112
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4660 --field-trial-handle=1856,i,16786193075050034458,7325591204610131054,131072 /prefetch:1
    3⤵
    PID:2484

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
a5d402e90296c7d4f32f8c0a8bf3f4fc

SHA1
5741fb01e9bb4d27610f4897359fb2397be62cd2

SHA256
607a92702a9cf024ca1fb14947fca6a25b1a941029330a1b2710be8168f044b3

SHA512
bb69c3f45153a7d1cce0fdaa666ddf13d4344df8d099a7718c46b8ccf4300fdaa22796946bf01d52d7586cee697adec06f1ca80d5b8827f872fc772cc79d8ac4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
131KB

MD5
a11395ef8a06322800ca3b91682a2c72

SHA1
1cd9e64bb68a4d12e7e7a487e008e2232de0125b

SHA256
2b1579d2d1eb457845252baf959c4c84ebf23f0948944b20acdf2967fdf0ec14

SHA512
9429e77b84df4e4cd7d7eb762261572642ff1eecc57641eb2e5a09161836445395fb3226c76dce671503897d4a3b6b9d4197c64169164d52fa8569132c77ecd1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
131KB

MD5
96ba328d24781fcbbcab34586806740c

SHA1
f548fc7ac392f34b4b4d96a63d12dc2ea0a2dc10

SHA256
2fc2783bc640c88c4e7ec32eb030b1d865bd1991f138161762429a38cf877079

SHA512
2c78bffef78b4a6ffb3d992c5d8948e2833b6b1d312a4809997b3714c4042c4f351ccff1826c8fbaacf5227c52b5ec74102b3c452f5e22aacf2357013effb4c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
85KB

MD5
3f2fd744700f399c3bcc234eafe0ef8c

SHA1
07c28dd65b3456bc4c761fa8debaf5d144946429

SHA256
a1e3000229cbbfac5e0ff16d9795d62703d6cbb8e16ea799b123c361feff02e0

SHA512
c5fb02a02e6973919abf82b7526b15556d1628f651431a93fa7ca2e8ad0502fffe5055888c08d9116673ef8549392f89070c7fcd4bf8fcc8553dbbe6f95655ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5811ce.TMP

Filesize
82KB

MD5
dbd3f7ec8683d443db89a5d4f2e7ed79

SHA1
c1ec0270fe927f5eb1e62be66095d3d46b2e8298

SHA256
28e2b2b05620cea848ae5c4cab6abad8b64f233c32bcbfe89e17cf824d934464

SHA512
ef2c67bf644d22b9d86fba671d8ee386e9d52c293a1f992cd92c4f223d83c235742b3e646a0cce07b8dcaa0f3474ef5884a67ebd6da4f7d44a5f344340af1da5

Download Submit
memory/1596-5-0x0000000000670000-0x0000000000BC1000-memory.dmp

Filesize
5.3MB

Download
memory/1596-3-0x0000000000670000-0x0000000000BC1000-memory.dmp

Filesize
5.3MB

Download
memory/1596-6-0x0000000000670000-0x0000000000BC1000-memory.dmp

Filesize
5.3MB

Download
memory/1596-0-0x0000000000670000-0x0000000000BC1000-memory.dmp

Filesize
5.3MB

Download
memory/1596-37-0x0000000000670000-0x0000000000BC1000-memory.dmp

Filesize
5.3MB

Download
memory/1596-41-0x0000000000670000-0x0000000000BC1000-memory.dmp

Filesize
5.3MB

Download
memory/1596-4-0x0000000000670000-0x0000000000BC1000-memory.dmp

Filesize
5.3MB

Download
memory/1596-8-0x0000000000670000-0x0000000000BC1000-memory.dmp

Filesize
5.3MB

Download
memory/1596-62-0x0000000000670000-0x0000000000BC1000-memory.dmp

Filesize
5.3MB

Download
memory/1596-63-0x0000000000670000-0x0000000000BC1000-memory.dmp

Filesize
5.3MB

Download
memory/1596-64-0x0000000000670000-0x0000000000BC1000-memory.dmp

Filesize
5.3MB

Download
memory/1596-65-0x0000000000670000-0x0000000000BC1000-memory.dmp

Filesize
5.3MB

Download
memory/1596-66-0x0000000000670000-0x0000000000BC1000-memory.dmp

Filesize
5.3MB

Download
memory/1596-67-0x0000000000670000-0x0000000000BC1000-memory.dmp

Filesize
5.3MB

Download
memory/1596-2-0x0000000000671000-0x00000000006D5000-memory.dmp

Filesize
400KB

Download
memory/1596-1-0x0000000077756000-0x0000000077758000-memory.dmp

Filesize
8KB

Download