hxxps://cdn[.]discordapp[.]com/attachments/1266121157862752356/1276208532223557734/Proton[.]exe?ex=66ca02d0&is=66c8b150&hm=a8be520dcb02b8e43b6adac5062ad663e1b9a11a2fbbac52407656984d4c2030&

Analysis

max time kernel
181s
max time network
289s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
23/08/2024, 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1266121157862752356/1276208532223557734/Proton.exe?ex=66ca02d0&is=66c8b150&hm=a8be520dcb02b8e43b6adac5062ad663e1b9a11a2fbbac52407656984d4c2030&

Score

9^/10

defense_evasion discovery evasion persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Proton.exe

Downloads MZ/PE file

Sets service image path in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\YbJsAqfPxTPQKSEtOxqX\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\YbJsAqfPxTPQKSEtOxqX"	oiYnr.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NalDrv\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\NalDrv.sys"	7K5iD.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\otsNvsyYuYgsNrGbQayKN\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\otsNvsyYuYgsNrGbQayKN"	sDQ0X.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LOnDZpUctDmgCtaXyTFWQUreeR\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\LOnDZpUctDmgCtaXyTFWQUreeR"	nopfL.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Proton.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Proton.exe

Executes dropped EXE 5 IoCs

pid	Process
3088	Proton.exe
2732	sDQ0X.exe
3140	nopfL.exe
2092	oiYnr.exe
3032	7K5iD.exe

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000600000002aa57-32.dat	themida
behavioral1/memory/3088-55-0x0000000140000000-0x0000000140ED0000-memory.dmp	themida
behavioral1/memory/3088-57-0x0000000140000000-0x0000000140ED0000-memory.dmp	themida
behavioral1/memory/3088-58-0x0000000140000000-0x0000000140ED0000-memory.dmp	themida
behavioral1/memory/3088-59-0x0000000140000000-0x0000000140ED0000-memory.dmp	themida
behavioral1/memory/3088-62-0x0000000140000000-0x0000000140ED0000-memory.dmp	themida
behavioral1/memory/3088-82-0x0000000140000000-0x0000000140ED0000-memory.dmp	themida
behavioral1/memory/3088-111-0x0000000140000000-0x0000000140ED0000-memory.dmp	themida
behavioral1/memory/3088-153-0x0000000140000000-0x0000000140ED0000-memory.dmp	themida
behavioral1/memory/3088-201-0x0000000140000000-0x0000000140ED0000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Proton.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3088	Proton.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\Chair.json	Proton.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SoftwareDistribution\Download\sDQ0X.exe	Proton.exe
File created	C:\Windows\SoftwareDistribution\Download\nopfL.exe	Proton.exe
File created	C:\Windows\SoftwareDistribution\Download\7K5iD.sys	Taskmgr.exe
File created	C:\Windows\SoftwareDistribution\Download\oiYnr.exe	Proton.exe
File created	C:\Windows\SoftwareDistribution\Download\7K5iD.exe	Taskmgr.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\SoftwareDistribution\Download\hOogK.sys	Proton.exe
File created	C:\Windows\SoftwareDistribution\Download\pcoUI.sys	Proton.exe
File created	C:\Windows\SoftwareDistribution\Download\Pm8wg.sys	Proton.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Proton.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2296	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133689263045840239"	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Proton.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
232	chrome.exe
232	chrome.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe
3088	Proton.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
2732	sDQ0X.exe
3140	nopfL.exe
2092	oiYnr.exe
3032	7K5iD.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
232	chrome.exe
232	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe

Suspicious use of FindShellTrayWindow 60 IoCs

pid	Process
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
232	chrome.exe

Suspicious use of SendNotifyMessage 36 IoCs

pid	Process
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe
4968	Taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3088	Proton.exe
2732	sDQ0X.exe
3140	nopfL.exe
2092	oiYnr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 232 wrote to memory of 4600	232	chrome.exe	81
PID 232 wrote to memory of 4600	232	chrome.exe	81
PID 232 wrote to memory of 4068	232	chrome.exe	82
PID 232 wrote to memory of 4068	232	chrome.exe	82
PID 232 wrote to memory of 4068	232	chrome.exe	82
PID 232 wrote to memory of 4068	232	chrome.exe	82
PID 232 wrote to memory of 4068	232	chrome.exe	82
PID 232 wrote to memory of 4068	232	chrome.exe	82
PID 232 wrote to memory of 4068	232	chrome.exe	82
PID 232 wrote to memory of 4068	232	chrome.exe	82
PID 232 wrote to memory of 4068	232	chrome.exe	82
PID 232 wrote to memory of 4068	232	chrome.exe	82
PID 232 wrote to memory of 4068	232	chrome.exe	82
PID 232 wrote to memory of 4068	232	chrome.exe	82
PID 232 wrote to memory of 4068	232	chrome.exe	82
PID 232 wrote to memory of 4068	232	chrome.exe	82
PID 232 wrote to memory of 4068	232	chrome.exe	82
PID 232 wrote to memory of 4068	232	chrome.exe	82
PID 232 wrote to memory of 4068	232	chrome.exe	82
PID 232 wrote to memory of 4068	232	chrome.exe	82
PID 232 wrote to memory of 4068	232	chrome.exe	82
PID 232 wrote to memory of 4068	232	chrome.exe	82
PID 232 wrote to memory of 4068	232	chrome.exe	82
PID 232 wrote to memory of 4068	232	chrome.exe	82
PID 232 wrote to memory of 4068	232	chrome.exe	82
PID 232 wrote to memory of 4068	232	chrome.exe	82
PID 232 wrote to memory of 4068	232	chrome.exe	82
PID 232 wrote to memory of 4068	232	chrome.exe	82
PID 232 wrote to memory of 4068	232	chrome.exe	82
PID 232 wrote to memory of 4068	232	chrome.exe	82
PID 232 wrote to memory of 4068	232	chrome.exe	82
PID 232 wrote to memory of 4068	232	chrome.exe	82
PID 232 wrote to memory of 4560	232	chrome.exe	83
PID 232 wrote to memory of 4560	232	chrome.exe	83
PID 232 wrote to memory of 4356	232	chrome.exe	84
PID 232 wrote to memory of 4356	232	chrome.exe	84
PID 232 wrote to memory of 4356	232	chrome.exe	84
PID 232 wrote to memory of 4356	232	chrome.exe	84
PID 232 wrote to memory of 4356	232	chrome.exe	84
PID 232 wrote to memory of 4356	232	chrome.exe	84
PID 232 wrote to memory of 4356	232	chrome.exe	84
PID 232 wrote to memory of 4356	232	chrome.exe	84
PID 232 wrote to memory of 4356	232	chrome.exe	84
PID 232 wrote to memory of 4356	232	chrome.exe	84
PID 232 wrote to memory of 4356	232	chrome.exe	84
PID 232 wrote to memory of 4356	232	chrome.exe	84
PID 232 wrote to memory of 4356	232	chrome.exe	84
PID 232 wrote to memory of 4356	232	chrome.exe	84
PID 232 wrote to memory of 4356	232	chrome.exe	84
PID 232 wrote to memory of 4356	232	chrome.exe	84
PID 232 wrote to memory of 4356	232	chrome.exe	84
PID 232 wrote to memory of 4356	232	chrome.exe	84
PID 232 wrote to memory of 4356	232	chrome.exe	84
PID 232 wrote to memory of 4356	232	chrome.exe	84
PID 232 wrote to memory of 4356	232	chrome.exe	84
PID 232 wrote to memory of 4356	232	chrome.exe	84
PID 232 wrote to memory of 4356	232	chrome.exe	84
PID 232 wrote to memory of 4356	232	chrome.exe	84
PID 232 wrote to memory of 4356	232	chrome.exe	84
PID 232 wrote to memory of 4356	232	chrome.exe	84
PID 232 wrote to memory of 4356	232	chrome.exe	84
PID 232 wrote to memory of 4356	232	chrome.exe	84
PID 232 wrote to memory of 4356	232	chrome.exe	84
PID 232 wrote to memory of 4356	232	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1266121157862752356/1276208532223557734/Proton.exe?ex=66ca02d0&is=66c8b150&hm=a8be520dcb02b8e43b6adac5062ad663e1b9a11a2fbbac52407656984d4c2030&
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffc9f4cc40,0x7fffc9f4cc4c,0x7fffc9f4cc58
  2⤵
  PID:4600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2020,i,3172088847591524542,5369384029693069368,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2016 /prefetch:2
  2⤵
  PID:4068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1700,i,3172088847591524542,5369384029693069368,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  PID:4560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2196,i,3172088847591524542,5369384029693069368,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2388 /prefetch:8
  2⤵
  PID:4356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3056,i,3172088847591524542,5369384029693069368,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3104 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3064,i,3172088847591524542,5369384029693069368,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:1572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4840,i,3172088847591524542,5369384029693069368,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:3360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4832,i,3172088847591524542,5369384029693069368,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  PID:1520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5180,i,3172088847591524542,5369384029693069368,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5192 /prefetch:8
  2⤵
  PID:828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5392,i,3172088847591524542,5369384029693069368,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4824 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4132
- C:\Users\Admin\Downloads\Proton.exe
  "C:\Users\Admin\Downloads\Proton.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Downloads\Proton.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    3⤵
    PID:640
  - - C:\Windows\system32\certutil.exe
      certutil -hashfile "C:\Users\Admin\Downloads\Proton.exe" MD5
      4⤵
      PID:3104
  - - C:\Windows\system32\find.exe
      find /i /v "md5"
      4⤵
      PID:4816
  - - C:\Windows\system32\find.exe
      find /i /v "certutil"
      4⤵
      PID:4960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3776
- - C:\Windows\SoftwareDistribution\Download\sDQ0X.exe
    "C:\Windows\SoftwareDistribution\Download\sDQ0X.exe" -map C:\Windows\SoftwareDistribution\Download\hOogK.sys
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of SetWindowsHookEx
    PID:2732
- - C:\Windows\SoftwareDistribution\Download\nopfL.exe
    "C:\Windows\SoftwareDistribution\Download\nopfL.exe" -map C:\Windows\SoftwareDistribution\Download\pcoUI.sys
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of SetWindowsHookEx
    PID:3140
- - C:\Windows\SoftwareDistribution\Download\oiYnr.exe
    "C:\Windows\SoftwareDistribution\Download\oiYnr.exe" -map C:\Windows\SoftwareDistribution\Download\Pm8wg.sys
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of SetWindowsHookEx
    PID:2092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /F /IM WmiPrvSE.exe >nul 2>&1
    3⤵
    PID:4820
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM WmiPrvSE.exe
      4⤵
      Kills process with taskkill
      PID:2296
- - C:\Windows\System32\Taskmgr.exe
    "C:\Windows\System32\Taskmgr.exe"
    3⤵
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4968
  - - C:\Windows\SoftwareDistribution\Download\7K5iD.exe
      "C:\Windows\SoftwareDistribution\Download\7K5iD.exe" -map C:\Windows\SoftwareDistribution\Download\7K5iD.sys
      4⤵
      Sets service image path in registry
      Executes dropped EXE
      Suspicious behavior: LoadsDriver
      PID:3032

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\0e755a2e-de1a-4e25-9e71-a2df78d4b017.tmp

Filesize
8KB

MD5
b4bf64d567ff4c0de4e8160ac9cdea60

SHA1
4f0d2b5e9d0e3f13e80eb520e4e082a8835e4e03

SHA256
366d0794aa052efa05a8219c9aa74df0667e36b73aac02f2a97825cb32b640c4

SHA512
697afd98f078c22c14769c2bd14830192aa5058b8a98d064b9eb783f02dfac76140d767ae0196ee7c822119efb0c0acd00f0992e318f33c50c3cf6a94b9dc2dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b59aa21dfa0e0bad3215a144a705bcc7

SHA1
4fb4fec53fdc95574c5cb556bf387ea091925506

SHA256
0bae17702fee9a201b9545da5936c2d3f47dcceefffc0fbdbb661423e14189a0

SHA512
35c311cec5561842a765950ba545e002aadd75300bc929d69739d74585ec5239e4d9fac40328e8ea0f5b1ec6d3b5bf97ad63d83f7e1440080488f1267d5f4f41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
8a4e68abdd22f9ca0c470831d24a87cf

SHA1
b19b74cff0db4a0706812129bf30d43c60e53be4

SHA256
7e42172753c0ea16140dc38dd95c3e25fef96ad07a7e7494499395bf7b2e34e3

SHA512
8917999b17cfe5e98d26c5c107c6cb67a05224b057118e5dc29d537716e2825f99dae95a43c5efbe92cea0c619b9e9d61d684bc530f1d7adb7dc525c46fdfe2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
341facb8da85b10b35ae0093399c5ec9

SHA1
25b1b814b73de351d30e6fd122caea741c1e17b5

SHA256
291091ee275c18a2ee485597ae0d43da43ac8259289750e42d9dc792b523400f

SHA512
679994562352fa8128d6c5af0c1216699d9214bfebc6503c46f8be3cf2d0dbe05208205b38625ccbe2da14e0d0e0ff95d522c64bbec6c80a364a931f2fcaa9fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
eb59d0dc90e0ead754886c8d627211cd

SHA1
ef4a788bd17ca26ed788d0bbf8d547559cfda127

SHA256
6960fbffdc956bfefd1aa5b80e7ae66c5fa0e9224506e6464e3dea4a58799ccd

SHA512
14e1ed97323ba516fdbeedcde202482775a13e83ecb27cc5f9c14b2c62afac861108d8c020386d4a5ee34506aba4e99c70580cafbf40770ae92bfd46289bd83a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5adf8a787a250276648c3b16907c1307

SHA1
5126f2d6674dbfee88cb77943789814d57474b1d

SHA256
22368679e3ce7056f1b083b7c38656d28baedd9f2c709c9a69afcaf35fb6165e

SHA512
a8945ce1467d22f96e677930fa64a476e2d70cc019288f3cc3da414f429359fec7776956f1f1a63ce7e2a72d95cad10c6d0d1c3838495d56da6e966b1d600070

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1bab509c80bd381fe5c22b2c125f5ffc

SHA1
4af76d4a775f59cceb906e7e7f4d84a347091f7a

SHA256
4a24287d5f80ad7f80686418c0d01f0d7cd4bfa6b7517b5173d02c8aad50a201

SHA512
375828ff8a46a79ee6533823504b399179622ecc3dcb5d4cbed91a1d2e6e9767a1403184250a3a25b52f6ca3c9dd8376e5660f45b4d4fe8d0487020df3530875

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_1

Filesize
264KB

MD5
e9dec472ddd716b0c912d9186a4d9a96

SHA1
851405dacfff3030c90a24fc5122b6855eab57d5

SHA256
cc2f69d618fca6d68c179b7a2724032ffbb5b14874b008b2e96b441c053bb2bc

SHA512
f98a9959057ff998ac0812ab9486d78e53f95fec37859eb7e9e93c504e3998990d6ea1f6592dffbe490995ab39c661a088050387ce7f379fb24c9767a77223c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
83453f0142b04382ce8116804bb0f443

SHA1
957b09e5b085e56e81ddb20866ee4bd330234c68

SHA256
67d47a149381d4f24553c018bc348e88c58245086792f5dc07ff7c11cc57c9cf

SHA512
7437136cc5b086cdb4684bce0d5a2c5d53b8a7f0b79b1d8f4a203d983d40e668f365c53e1ee019f9163bad855fdd2b6b8ad65869516d58ebb90c6b3655679cc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
76214401c1df791c6032f2637dc8aa7c

SHA1
eac6243df5d4506af8bc46fd264129a75c6cade2

SHA256
398f6d65cf14e7be23609268e4d38af05e3ae996545ace6f28500d345c665a6a

SHA512
92b16205242fdef2a81b71994cb8c3b7f529a65253d5905d91a00dbe69edef4b91079dd9143506906224745a51f2af303dae518d8ebff5765ebc5e42d6d1cf88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
565c6f55306b3ea72648be119e3d6fa4

SHA1
1620853048da8707113f89d0bf267acfc3baeada

SHA256
c5047e828454238307f76832eec556ef7d2b152916a393d5efbb548d75132e4f

SHA512
bef723fb046b4ce789841787165ee903970d1f10660dcfe4b92aac3930064c0b6a0b53a6b84d1f5041526000a59ec61ee3205f5f869a1545430734aa262c0ebc

Download Submit
C:\Users\Admin\Downloads\Proton.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 138443.crdownload

Filesize
5.9MB

MD5
7b36a62976cae81fc3e773895a2f09eb

SHA1
e7c4f3d66ccc6fd89d0fce19cf971fc7f1c12b4d

SHA256
a60f629e541d8a51838e40cb1d207c79ff22b6f59cfb8c4af6496f23e86bfa69

SHA512
bca0bd2f8e8ee45dd6aac5d217ed960a1f066b7e3219dbad1ae7965a11613b0177e43bbeea89fec1f8675a926438a59348223b13d55657ee6bb38d7774897750

Download Submit
C:\Windows\SoftwareDistribution\Download\7K5iD.exe

Filesize
260KB

MD5
083c6c05ac5875d0b6e997e894ca07bc

SHA1
69d0116998e8a70db5852fccb86d45975ce88a9a

SHA256
03aefd40698cafbd48138784f362fb9a36f726fb50f262ca40695729f7b553ca

SHA512
fb0b9994f9ddadd825476ed19a8299ef90536dae58b4f3087145ca4033a63d4ae0da944ac8bf4e71324e1b63af755ab1d82019e55de6377b00c9812ed57f3fdf

Download Submit
C:\Windows\SoftwareDistribution\Download\sDQ0X.exe

Filesize
143KB

MD5
94c281a07f2292e97b30dbc917b48745

SHA1
056e79947f2f87fa2d2c8ce2d3c5a58262296d24

SHA256
6e92e43f2aedb5157d1f4f192eb8fd2c27e445c39b65dd7cca1c9573d0562a26

SHA512
81fd6ed827a68c757247ee7dc9b37847162466adfa29f7c80d99e2f56035614581471566569e16e2d71308982f3756214f2bdada9580e3589ed99bb0f003a8d6

Download Submit
memory/3088-89-0x00007FFFD8BA0000-0x00007FFFD8DA9000-memory.dmp

Filesize
2.0MB

Download
memory/3088-63-0x00007FFFD8BA0000-0x00007FFFD8DA9000-memory.dmp

Filesize
2.0MB

Download
memory/3088-66-0x00007FFFD8BA0000-0x00007FFFD8DA9000-memory.dmp

Filesize
2.0MB

Download
memory/3088-77-0x00007FFFD8BA0000-0x00007FFFD8DA9000-memory.dmp

Filesize
2.0MB

Download
memory/3088-78-0x00007FFFD8BA0000-0x00007FFFD8DA9000-memory.dmp

Filesize
2.0MB

Download
memory/3088-79-0x00007FFFD8BA0000-0x00007FFFD8DA9000-memory.dmp

Filesize
2.0MB

Download
memory/3088-80-0x00007FFFD8BA0000-0x00007FFFD8DA9000-memory.dmp

Filesize
2.0MB

Download
memory/3088-81-0x00007FFFD8BA0000-0x00007FFFD8DA9000-memory.dmp

Filesize
2.0MB

Download
memory/3088-83-0x00007FFFD8BA0000-0x00007FFFD8DA9000-memory.dmp

Filesize
2.0MB

Download
memory/3088-82-0x0000000140000000-0x0000000140ED0000-memory.dmp

Filesize
14.8MB

Download
memory/3088-85-0x00007FFFD8BA0000-0x00007FFFD8DA9000-memory.dmp

Filesize
2.0MB

Download
memory/3088-64-0x00007FFFD8BA0000-0x00007FFFD8DA9000-memory.dmp

Filesize
2.0MB

Download
memory/3088-91-0x00007FFFD8BA0000-0x00007FFFD8DA9000-memory.dmp

Filesize
2.0MB

Download
memory/3088-60-0x00007FFFD8BA0000-0x00007FFFD8DA9000-memory.dmp

Filesize
2.0MB

Download
memory/3088-62-0x0000000140000000-0x0000000140ED0000-memory.dmp

Filesize
14.8MB

Download
memory/3088-111-0x0000000140000000-0x0000000140ED0000-memory.dmp

Filesize
14.8MB

Download
memory/3088-61-0x00007FFFD8BA0000-0x00007FFFD8DA9000-memory.dmp

Filesize
2.0MB

Download
memory/3088-153-0x0000000140000000-0x0000000140ED0000-memory.dmp

Filesize
14.8MB

Download
memory/3088-55-0x0000000140000000-0x0000000140ED0000-memory.dmp

Filesize
14.8MB

Download
memory/3088-65-0x00007FFFD8BA0000-0x00007FFFD8DA9000-memory.dmp

Filesize
2.0MB

Download
memory/3088-56-0x00007FFFD8C47000-0x00007FFFD8C49000-memory.dmp

Filesize
8KB

Download
memory/3088-57-0x0000000140000000-0x0000000140ED0000-memory.dmp

Filesize
14.8MB

Download
memory/3088-58-0x0000000140000000-0x0000000140ED0000-memory.dmp

Filesize
14.8MB

Download
memory/3088-202-0x00007FFFD8BA0000-0x00007FFFD8DA9000-memory.dmp

Filesize
2.0MB

Download
memory/3088-201-0x0000000140000000-0x0000000140ED0000-memory.dmp

Filesize
14.8MB

Download
memory/3088-59-0x0000000140000000-0x0000000140ED0000-memory.dmp

Filesize
14.8MB

Download
memory/4968-155-0x00000219EDAB0000-0x00000219EDB0A000-memory.dmp

Filesize
360KB

Download
memory/4968-178-0x00000219F4190000-0x00000219F4191000-memory.dmp

Filesize
4KB

Download
memory/4968-177-0x00000219F4190000-0x00000219F4191000-memory.dmp

Filesize
4KB

Download
memory/4968-176-0x00000219F4190000-0x00000219F4191000-memory.dmp

Filesize
4KB

Download
memory/4968-175-0x00000219F4190000-0x00000219F4191000-memory.dmp

Filesize
4KB

Download
memory/4968-173-0x00000219F4190000-0x00000219F4191000-memory.dmp

Filesize
4KB

Download
memory/4968-179-0x00000219F4190000-0x00000219F4191000-memory.dmp

Filesize
4KB

Download
memory/4968-174-0x00000219F4190000-0x00000219F4191000-memory.dmp

Filesize
4KB

Download
memory/4968-167-0x00000219F4190000-0x00000219F4191000-memory.dmp

Filesize
4KB

Download
memory/4968-168-0x00000219F4190000-0x00000219F4191000-memory.dmp

Filesize
4KB

Download
memory/4968-169-0x00000219F4190000-0x00000219F4191000-memory.dmp

Filesize
4KB

Download
memory/4968-161-0x00000219EDAB0000-0x00000219EDB0A000-memory.dmp

Filesize
360KB

Download
memory/4968-157-0x00000219EDAB0000-0x00000219EDB0A000-memory.dmp

Filesize
360KB

Download
memory/4968-156-0x00000219EDB20000-0x00000219EDB21000-memory.dmp

Filesize
4KB

Download