echelon | hxxps://oxy[.]st/d/EPme

General

Target

https://oxy.st/d/EPme

Score

10^/10

echelon spyware stealer suricata

Malware Config

Signatures

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

279 api.ipify.org
280 ip-api.com
284 api.ipify.org
285 api.ipify.org
278 api.ipify.org

flow	ioc
279	api.ipify.org
280	ip-api.com
284	api.ipify.org
285	api.ipify.org
278	api.ipify.org

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeAkrien Premium.exeAkrien Premium.exe

pid	process
1124	chrome.exe
1124	chrome.exe
2712	chrome.exe
2712	chrome.exe
1496	chrome.exe
1496	chrome.exe
4252	chrome.exe
4252	chrome.exe
4788	chrome.exe
4788	chrome.exe
4828	chrome.exe
4828	chrome.exe
4928	chrome.exe
4928	chrome.exe
5072	chrome.exe
5072	chrome.exe
5112	chrome.exe
5112	chrome.exe
4392	Akrien Premium.exe
4392	Akrien Premium.exe
2292	Akrien Premium.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

Processes:

chrome.exe

pid	process
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Akrien Premium.exeAkrien Premium.exe

description pid process

Token: SeDebugPrivilege 4392 Akrien Premium.exe
Token: SeDebugPrivilege 2292 Akrien Premium.exe

description	pid	process
Token: SeDebugPrivilege	4392	Akrien Premium.exe
Token: SeDebugPrivilege	2292	Akrien Premium.exe

Suspicious use of FindShellTrayWindow 52 IoCs

Processes:

chrome.exe

pid	process
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe

Suspicious use of SendNotifyMessage 40 IoCs

Processes:

chrome.exe

pid	process
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2712 wrote to memory of 2764	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 2764	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1296	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1124	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1124	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1216	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1216	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1216	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1216	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1216	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1216	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1216	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1216	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1216	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1216	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1216	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1216	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1216	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1216	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1216	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1216	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1216	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1216	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1216	2712	chrome.exe	chrome.exe
PID 2712 wrote to memory of 1216	2712	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://oxy.st/d/EPme
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fffab174f50,0x7fffab174f60,0x7fffab174f70
2⤵
PID:2764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1956 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1544 /prefetch:2
2⤵
PID:1296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2292 /prefetch:8
2⤵
PID:1216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2852 /prefetch:1
2⤵
PID:3744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2844 /prefetch:1
2⤵
PID:584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4380 /prefetch:8
2⤵
PID:3736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
2⤵
PID:2504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1
2⤵
PID:1716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
2⤵
PID:2480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
2⤵
PID:1900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
2⤵
PID:1948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
2⤵
PID:2100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
2⤵
PID:2184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
2⤵
PID:2248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6948 /prefetch:1
2⤵
PID:1336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7312 /prefetch:8
2⤵
PID:1984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7456 /prefetch:8
2⤵
PID:1852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7372 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6724 /prefetch:8
2⤵
PID:1952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6672 /prefetch:8
2⤵
PID:2088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5668 /prefetch:8
2⤵
PID:1852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7436 /prefetch:8
2⤵
PID:4152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7392 /prefetch:8
2⤵
PID:4184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6688 /prefetch:8
2⤵
PID:4192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6076 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
2⤵
PID:4348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6744 /prefetch:1
2⤵
PID:4412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
2⤵
PID:4496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
2⤵
PID:4488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
2⤵
PID:4548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
2⤵
PID:4676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7292 /prefetch:1
2⤵
PID:4732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6488 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6272 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
2⤵
PID:4860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5308 /prefetch:8
2⤵
PID:4944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
2⤵
PID:5008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6632 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,6266607710932807876,12237180404709185367,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2968 /prefetch:8
2⤵
PID:4260

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4128

C:\Users\Admin\Desktop\Akrien Premium.exe
"C:\Users\Admin\Desktop\Akrien Premium.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4392

C:\Users\Admin\Desktop\Akrien Premium.exe
"C:\Users\Admin\Desktop\Akrien Premium.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies
MD5
33119422a72a26e0628c7dc5dc6dfaa9

SHA1
3975e2d50185a2abfb9180f15c7dc84a4b8d8cb3

SHA256
3eb8ae71dbceb940954c12da4c6a2dedccdd1e9799c3fe12af370036c86b86ee

SHA512
1c03ed87a7221bb944b8276c74d79efa619394d25503bffcfd281c08c8b59f58c025c95e203dfceb879ef1b0121aab7d07728f47d08efabeb5451f6ab74ed4c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History
MD5
9fcba7afcb6672ed0be5d775966739c8

SHA1
5231a457b10ea3320f095a107970801a430130e5

SHA256
a76aae38a2c474814be2e022762769b4bb63ee5a97c019355a7d6df0f0310364

SHA512
b8a3326682745a3f5836d88d6f6eea45082d1ef1aca48946882a1b28adb0982a4b186b0e7330b225a975244a275b8c43fb4a2612f81979c22a1a0eb3777e16b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
MD5
7e3dd91feae62b537d65b3969987f404

SHA1
46e5c9fd2bc65b05fde3e375d14fcb4e8e968ff0

SHA256
a90b79abf897a9c3bdacfffe8910dd2b0f1daf3f7156de25af3ac84583a9e562

SHA512
e6fb37d45593b6e4a94347624f8aad3b3bf5f1a33a332929ca3f1ed01eb5f90bc2276bef4abc1082175c5640f6f0a566820be9b0820e81910af899418660a1ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Akrien Premium.exe.log
MD5
558febd82d226c394e00d73313f7f300

SHA1
03bd1577bcfbb657d910df484f9a2d41353d6e89

SHA256
88e7f0083ee6ae8debed8f2a9b7a5c33df34b3c025ea9e46d7700334f9f9dcd3

SHA512
8778cacec666bfe73ae6c9f6fad1d55c038944e139f76ffa0a2d338b329d84e06f74977c1780dd439c0188b77cc15fe059e74eb02770247e592af269b398fd62

Download Submit
\??\pipe\crashpad_2712_UZXZOPTNYNMQLDCP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2292-127-0x000001BD699E0000-0x000001BD699E2000-memory.dmp

Filesize
8KB

Download
memory/4392-116-0x0000024513B20000-0x0000024513B21000-memory.dmp

Filesize
4KB

Download
memory/4392-118-0x000002452E130000-0x000002452E1A1000-memory.dmp

Filesize
452KB

Download
memory/4392-119-0x0000024513D50000-0x0000024513D52000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads