a5eacdb3e2763a06f85ad4066d82f1c34a6a8abe80dfd826647926f0e8f19124

Analysis

max time kernel
149s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 16:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Undetek/Undetek.exe
Size

5.3MB
MD5

bee9c1a3bcc72334970236790dc749ec
SHA1

98ecbaaa53622b0b931febd83b98f174298a7481
SHA256

5649811caa051058a23417555334683348438adbebd4ff663bc0dcb49f25df5e
SHA512

eafdbe2484c254b4cb4e33fbbfd09de291ea2ce38e8faf5c92f5e8257d890faf5e2f739b9a2f43a5751ceced056bcdca769c6049e131989f2d70635cbaf1e4d5
SSDEEP

98304:bxbWJlNLYzbmx8ffY+4fQ6HKJevY7EHd8+evl1WygmtSXqsdcdIE0Nb:sZLCblHYnQqKcgYHd8+eHWqtEPL5

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Undetek.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Undetek.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Undetek.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Undetek.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Undetek.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Undetek.exe

Themida packer 11 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/4648-0-0x00007FF79D750000-0x00007FF79E5B4000-memory.dmp	themida
behavioral2/memory/4648-3-0x00007FF79D750000-0x00007FF79E5B4000-memory.dmp	themida
behavioral2/memory/4648-4-0x00007FF79D750000-0x00007FF79E5B4000-memory.dmp	themida
behavioral2/memory/4648-2-0x00007FF79D750000-0x00007FF79E5B4000-memory.dmp	themida
behavioral2/memory/4648-5-0x00007FF79D750000-0x00007FF79E5B4000-memory.dmp	themida
behavioral2/memory/4648-6-0x00007FF79D750000-0x00007FF79E5B4000-memory.dmp	themida
behavioral2/memory/4648-7-0x00007FF79D750000-0x00007FF79E5B4000-memory.dmp	themida
behavioral2/memory/4648-9-0x00007FF79D750000-0x00007FF79E5B4000-memory.dmp	themida
behavioral2/memory/4648-13-0x00007FF79D750000-0x00007FF79E5B4000-memory.dmp	themida
behavioral2/memory/4648-170-0x00007FF79D750000-0x00007FF79E5B4000-memory.dmp	themida
behavioral2/memory/4648-180-0x00007FF79D750000-0x00007FF79E5B4000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Undetek.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Undetek.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Users\Admin\Videos\Captures\desktop.ini svchost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Undetek.exe

pid process

4648 Undetek.exe
4648 Undetek.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Undetek.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

pid	process
4648	Undetek.exe
4648	Undetek.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133642378647124168"	chrome.exe

Modifies registry class 2 IoCs

Processes:

svchost.exechrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2447855248-390457009-3660902674-1000\{1878F5CE-A425-4641-9322-026E2D6E6305}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2447855248-390457009-3660902674-1000\{2BB6926F-93EB-4A14-9119-65D3ABDAC3AC}	chrome.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

chrome.exe

pid process

3680 chrome.exe
3680 chrome.exe
3680 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

3680 chrome.exe
3680 chrome.exe
3680 chrome.exe
3680 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3680 wrote to memory of 2256	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 2256	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 3396	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 3396	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 3396	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 3396	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 3396	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 3396	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 3396	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 3396	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 3396	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 3396	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 3396	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 3396	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 3396	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 3396	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 3396	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 3396	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 3396	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 3396	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 3396	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 3396	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 3396	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 3396	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 3396	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 3396	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 3396	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 3396	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 3396	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 3396	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 3396	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 3396	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 3396	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 2528	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 2528	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 1380	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 1380	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 1380	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 1380	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 1380	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 1380	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 1380	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 1380	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 1380	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 1380	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 1380	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 1380	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 1380	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 1380	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 1380	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 1380	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 1380	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 1380	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 1380	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 1380	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 1380	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 1380	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 1380	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 1380	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 1380	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 1380	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 1380	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 1380	3680	chrome.exe	chrome.exe
PID 3680 wrote to memory of 1380	3680	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\Undetek\Undetek.exe
"C:\Users\Admin\AppData\Local\Temp\Undetek\Undetek.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:4924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd4062ab58,0x7ffd4062ab68,0x7ffd4062ab78
2⤵
PID:2256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 --field-trial-handle=1936,i,13634321045833577573,1909250021770330228,131072 /prefetch:2
2⤵
PID:3396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=1936,i,13634321045833577573,1909250021770330228,131072 /prefetch:8
2⤵
PID:2528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2260 --field-trial-handle=1936,i,13634321045833577573,1909250021770330228,131072 /prefetch:8
2⤵
PID:1380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3140 --field-trial-handle=1936,i,13634321045833577573,1909250021770330228,131072 /prefetch:1
2⤵
PID:3500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3148 --field-trial-handle=1936,i,13634321045833577573,1909250021770330228,131072 /prefetch:1
2⤵
PID:4748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3664 --field-trial-handle=1936,i,13634321045833577573,1909250021770330228,131072 /prefetch:1
2⤵
PID:2988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4540 --field-trial-handle=1936,i,13634321045833577573,1909250021770330228,131072 /prefetch:8
2⤵
PID:3384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4544 --field-trial-handle=1936,i,13634321045833577573,1909250021770330228,131072 /prefetch:8
2⤵
PID:4028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4552 --field-trial-handle=1936,i,13634321045833577573,1909250021770330228,131072 /prefetch:8
2⤵
PID:2588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4896 --field-trial-handle=1936,i,13634321045833577573,1909250021770330228,131072 /prefetch:8
2⤵
PID:4028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 --field-trial-handle=1936,i,13634321045833577573,1909250021770330228,131072 /prefetch:8
2⤵
PID:2616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4952 --field-trial-handle=1936,i,13634321045833577573,1909250021770330228,131072 /prefetch:1
2⤵
PID:4028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4608 --field-trial-handle=1936,i,13634321045833577573,1909250021770330228,131072 /prefetch:8
2⤵
PID:3064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 --field-trial-handle=1936,i,13634321045833577573,1909250021770330228,131072 /prefetch:8
2⤵
- Modifies registry class
PID:4992

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2276

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
480B

MD5
ec2a273eca99822f9183b2b9fe0f85a5

SHA1
ffa992e1823b2ba161bebef24c49efb1878f400f

SHA256
c8b7b7a0023729d8414b5eb671b04a7e0eeef28226a46fa818bef6fd7d641c00

SHA512
aead4986b466ac99dd204e06c745bc98185e636dd875fba968f6aada6d904c2d34ec09265d7429315e58c5ff229d9c2a1171b6046be11ffd77536f4838e496fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
21e6b50f705941aff481a6d7d665f3c9

SHA1
8a63c5ae3c6ac8a6fe690fde4a21295bba717add

SHA256
98e55a5ed78f7046519cfaf6521bf4d7d14a7b76f33a9a3a80faafb17ab39ce6

SHA512
d08aed416d9a590c08fbbd9ce63f291ccea71ca9735ab28fe462cf3f5dd55e6db56168300b636aeae9dd4dac10904d0feaaa589ba8ab871d8bc960f67e4525ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
523B

MD5
8686090136c07ac9aa828505b7564d45

SHA1
929f4b17ddc71489e6639e61d6ec1f1af33c4c26

SHA256
9d93a220f54c38292351edc575dd314d8426806c9f18014a2dbb0ccb1d4bbf8f

SHA512
ee5c89f852cb5dd0adc24fae2ea0eae5a5afefb6f6c7f94e26f5602e53697c9d360725ccfd9c828fe01c8ddd4a60f9961b186bea352dfe164183232c8c5608b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
7dc83fcb04cf11be9ab2e4aeb31b4428

SHA1
72cbd6a68738901585babd0f70ec083f35ac8b63

SHA256
e5d21de8ae3faad1b189f30ca5d6aa70eee642dfa351f05e3aa56e83655faf49

SHA512
74544529817275441bd04ba5798451230d5aa4ae862da6f4ee23efaf3098dbc304857968ff30aa4d2398afce047ae5fd4025139044ff1fea007cdaf35fc472bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
5e1103a45465878667f6c8ac291c91cb

SHA1
37ebf9fb05b5ee9e5a13a6b5fdb07efc2db37108

SHA256
96243a74d755a6300685b6f00ab53073347c6d3b96c975895e85408846073070

SHA512
4217eefbc3fbd1b24f8e53c48675be9d2533e00d101cb6522b311e37272aa870048b171892573716eddb3cc88fe328b83ca17e6521df9117fbe9bb2ec7973e37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
91a225c6a595fdd3369ad2ee88279c82

SHA1
c674ac8d0fc17d4334262ffaf1caf367cee3cf3d

SHA256
8acefd92a4542c9a9f391866d1abf46071ee0faedc99d0ba1329b2f4fb1559bb

SHA512
8669e4a9e4084c8549a94842a90cfde1311d2009c1bd83f90a2ccfc2cee44c87ea37bc24d855948d216f52aa65edcfc272961539edb3cc2e2d2e8b69e3db816e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\c7eade03-feda-4745-9bf0-e69cc63d6a56.tmp
Filesize
7KB

MD5
e1eec92f8fcfdba0fef824c61ef91fb4

SHA1
6e408f92d186c59d1b3004999015c2636d22779c

SHA256
adb40910f3698c51690c565b9674e9e383ec098f89a4b637aa3efe9db0026428

SHA512
90a2d821f3823814b65cd0e8e7b11e5a6490a5bc25515d81b9091d6fa6c09d0a3d01ddecb0484b2fb8e38057c860912890ebd76664afdd68ea6b747ab4b59579

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
281KB

MD5
8e056de9c36690d8248742592b9e126f

SHA1
71a78897004837e9ac0e0df3e55e39510ec4aa4b

SHA256
a2be0896eb01131a6a96141b04a0ac0c87f9fde3d2c22b29fbdc97fb2aef03ab

SHA512
eced241114ea64ea595b85a45d41002dcee166cee4bc24d31c5d1a7239f0a05873309247bd918d660beb4339e506591be312255d3eb39bb6d09658fb32f39ef3

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4648-8-0x00007FFD603F0000-0x00007FFD605E5000-memory.dmp

Filesize
2.0MB

Download
memory/4648-2-0x00007FF79D750000-0x00007FF79E5B4000-memory.dmp

Filesize
14.4MB

Download
memory/4648-0-0x00007FF79D750000-0x00007FF79E5B4000-memory.dmp

Filesize
14.4MB

Download
memory/4648-9-0x00007FF79D750000-0x00007FF79E5B4000-memory.dmp

Filesize
14.4MB

Download
memory/4648-7-0x00007FF79D750000-0x00007FF79E5B4000-memory.dmp

Filesize
14.4MB

Download
memory/4648-6-0x00007FF79D750000-0x00007FF79E5B4000-memory.dmp

Filesize
14.4MB

Download
memory/4648-13-0x00007FF79D750000-0x00007FF79E5B4000-memory.dmp

Filesize
14.4MB

Download
memory/4648-5-0x00007FF79D750000-0x00007FF79E5B4000-memory.dmp

Filesize
14.4MB

Download
memory/4648-11-0x00007FFD603F0000-0x00007FFD605E5000-memory.dmp

Filesize
2.0MB

Download
memory/4648-170-0x00007FF79D750000-0x00007FF79E5B4000-memory.dmp

Filesize
14.4MB

Download
memory/4648-180-0x00007FF79D750000-0x00007FF79E5B4000-memory.dmp

Filesize
14.4MB

Download
memory/4648-181-0x00007FFD603F0000-0x00007FFD605E5000-memory.dmp

Filesize
2.0MB

Download
memory/4648-4-0x00007FF79D750000-0x00007FF79E5B4000-memory.dmp

Filesize
14.4MB

Download
memory/4648-3-0x00007FF79D750000-0x00007FF79E5B4000-memory.dmp

Filesize
14.4MB

Download
memory/4648-1-0x00007FFD60490000-0x00007FFD60492000-memory.dmp

Filesize
8KB

Download