amadey | 4bc9589717c9638214386fa4febb05d512130f1ea4fa45dfe4b19e793ec8349e

Analysis

max time kernel
99s
max time network
208s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 22:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d4f53ab1cf64d5e32b87c37aebcdc3c.exe
Size

1.9MB
MD5

5d4f53ab1cf64d5e32b87c37aebcdc3c
SHA1

803618a4f5d22fff34727c647053a773ef13a614
SHA256

4bc9589717c9638214386fa4febb05d512130f1ea4fa45dfe4b19e793ec8349e
SHA512

69a694a35401ee5bfcb3a3d34090efb0f46e53540c3a59bfc1e5584579b1e66e4e64f9c595c6940c031c0936ddb2fbea77bdac304f7039ca3c9f1bd710da92d6
SSDEEP

49152:JRR0lHLZ6fRL8UIOLBskOkc5scv4fLpNv93NjRYJ:JwlrcJL8vOL3Gv4jrv93NjR

Score

10^/10

amadey evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5d4f53ab1cf64d5e32b87c37aebcdc3c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f5be371b83.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
8	1400	rundll32.exe
10	2948	rundll32.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5d4f53ab1cf64d5e32b87c37aebcdc3c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f5be371b83.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f5be371b83.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5d4f53ab1cf64d5e32b87c37aebcdc3c.exe

Executes dropped EXE 4 IoCs

pid	Process
2016	explorha.exe
2240	f5be371b83.exe
1944	amert.exe
2492	d3cc535524.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Wine	f5be371b83.exe
Key opened	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Wine	5d4f53ab1cf64d5e32b87c37aebcdc3c.exe
Key opened	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Wine	explorha.exe

Loads dropped DLL 19 IoCs

pid	Process
2720	5d4f53ab1cf64d5e32b87c37aebcdc3c.exe
1376	rundll32.exe
1376	rundll32.exe
1376	rundll32.exe
1376	rundll32.exe
1400	rundll32.exe
1400	rundll32.exe
1400	rundll32.exe
1400	rundll32.exe
2016	explorha.exe
2016	explorha.exe
2016	explorha.exe
2016	explorha.exe
2016	explorha.exe
2948	rundll32.exe
2948	rundll32.exe
2948	rundll32.exe
2948	rundll32.exe
2016	explorha.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\f5be371b83.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042001\\f5be371b83.exe"	explorha.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0007000000015a2c-141.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2720	5d4f53ab1cf64d5e32b87c37aebcdc3c.exe
2016	explorha.exe
2240	f5be371b83.exe
1944	amert.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorgu.job	amert.exe
File created	C:\Windows\Tasks\explorha.job	5d4f53ab1cf64d5e32b87c37aebcdc3c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2720	5d4f53ab1cf64d5e32b87c37aebcdc3c.exe
2016	explorha.exe
2240	f5be371b83.exe
1400	rundll32.exe
1400	rundll32.exe
1400	rundll32.exe
1400	rundll32.exe
1400	rundll32.exe
2360	powershell.exe
1944	amert.exe
2344	chrome.exe
2344	chrome.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
2720	5d4f53ab1cf64d5e32b87c37aebcdc3c.exe
1944	amert.exe
2492	d3cc535524.exe
2492	d3cc535524.exe
2492	d3cc535524.exe
2492	d3cc535524.exe
2492	d3cc535524.exe
2492	d3cc535524.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe

Suspicious use of SendNotifyMessage 38 IoCs

pid	Process
2492	d3cc535524.exe
2492	d3cc535524.exe
2492	d3cc535524.exe
2492	d3cc535524.exe
2492	d3cc535524.exe
2492	d3cc535524.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2016	2720	5d4f53ab1cf64d5e32b87c37aebcdc3c.exe	29
PID 2720 wrote to memory of 2016	2720	5d4f53ab1cf64d5e32b87c37aebcdc3c.exe	29
PID 2720 wrote to memory of 2016	2720	5d4f53ab1cf64d5e32b87c37aebcdc3c.exe	29
PID 2720 wrote to memory of 2016	2720	5d4f53ab1cf64d5e32b87c37aebcdc3c.exe	29
PID 2016 wrote to memory of 1376	2016	explorha.exe	31
PID 2016 wrote to memory of 1376	2016	explorha.exe	31
PID 2016 wrote to memory of 1376	2016	explorha.exe	31
PID 2016 wrote to memory of 1376	2016	explorha.exe	31
PID 2016 wrote to memory of 1376	2016	explorha.exe	31
PID 2016 wrote to memory of 1376	2016	explorha.exe	31
PID 2016 wrote to memory of 1376	2016	explorha.exe	31
PID 1376 wrote to memory of 1400	1376	rundll32.exe	32
PID 1376 wrote to memory of 1400	1376	rundll32.exe	32
PID 1376 wrote to memory of 1400	1376	rundll32.exe	32
PID 1376 wrote to memory of 1400	1376	rundll32.exe	32
PID 2016 wrote to memory of 2240	2016	explorha.exe	34
PID 2016 wrote to memory of 2240	2016	explorha.exe	34
PID 2016 wrote to memory of 2240	2016	explorha.exe	34
PID 2016 wrote to memory of 2240	2016	explorha.exe	34
PID 1400 wrote to memory of 2140	1400	rundll32.exe	35
PID 1400 wrote to memory of 2140	1400	rundll32.exe	35
PID 1400 wrote to memory of 2140	1400	rundll32.exe	35
PID 2016 wrote to memory of 1828	2016	explorha.exe	37
PID 2016 wrote to memory of 1828	2016	explorha.exe	37
PID 2016 wrote to memory of 1828	2016	explorha.exe	37
PID 2016 wrote to memory of 1828	2016	explorha.exe	37
PID 1400 wrote to memory of 2360	1400	rundll32.exe	39
PID 1400 wrote to memory of 2360	1400	rundll32.exe	39
PID 1400 wrote to memory of 2360	1400	rundll32.exe	39
PID 2016 wrote to memory of 2948	2016	explorha.exe	41
PID 2016 wrote to memory of 2948	2016	explorha.exe	41
PID 2016 wrote to memory of 2948	2016	explorha.exe	41
PID 2016 wrote to memory of 2948	2016	explorha.exe	41
PID 2016 wrote to memory of 2948	2016	explorha.exe	41
PID 2016 wrote to memory of 2948	2016	explorha.exe	41
PID 2016 wrote to memory of 2948	2016	explorha.exe	41
PID 2016 wrote to memory of 1944	2016	explorha.exe	42
PID 2016 wrote to memory of 1944	2016	explorha.exe	42
PID 2016 wrote to memory of 1944	2016	explorha.exe	42
PID 2016 wrote to memory of 1944	2016	explorha.exe	42
PID 2016 wrote to memory of 2492	2016	explorha.exe	43
PID 2016 wrote to memory of 2492	2016	explorha.exe	43
PID 2016 wrote to memory of 2492	2016	explorha.exe	43
PID 2016 wrote to memory of 2492	2016	explorha.exe	43
PID 2492 wrote to memory of 2344	2492	d3cc535524.exe	45
PID 2492 wrote to memory of 2344	2492	d3cc535524.exe	45
PID 2492 wrote to memory of 2344	2492	d3cc535524.exe	45
PID 2492 wrote to memory of 2344	2492	d3cc535524.exe	45
PID 2344 wrote to memory of 2088	2344	chrome.exe	46
PID 2344 wrote to memory of 2088	2344	chrome.exe	46
PID 2344 wrote to memory of 2088	2344	chrome.exe	46
PID 2344 wrote to memory of 2172	2344	chrome.exe	48
PID 2344 wrote to memory of 2172	2344	chrome.exe	48
PID 2344 wrote to memory of 2172	2344	chrome.exe	48
PID 2344 wrote to memory of 2172	2344	chrome.exe	48
PID 2344 wrote to memory of 2172	2344	chrome.exe	48
PID 2344 wrote to memory of 2172	2344	chrome.exe	48
PID 2344 wrote to memory of 2172	2344	chrome.exe	48
PID 2344 wrote to memory of 2172	2344	chrome.exe	48
PID 2344 wrote to memory of 2172	2344	chrome.exe	48
PID 2344 wrote to memory of 2172	2344	chrome.exe	48
PID 2344 wrote to memory of 2172	2344	chrome.exe	48
PID 2344 wrote to memory of 2172	2344	chrome.exe	48
PID 2344 wrote to memory of 2172	2344	chrome.exe	48

C:\Users\Admin\AppData\Local\Temp\5d4f53ab1cf64d5e32b87c37aebcdc3c.exe
"C:\Users\Admin\AppData\Local\Temp\5d4f53ab1cf64d5e32b87c37aebcdc3c.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1376
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1400
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:2140
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\461186416230_Desktop.zip' -CompressionLevel Optimal
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
- - C:\Users\Admin\AppData\Local\Temp\1000042001\f5be371b83.exe
    "C:\Users\Admin\AppData\Local\Temp\1000042001\f5be371b83.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:2240
- - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
    "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
    3⤵
    PID:1828
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:2948
- - C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe
    "C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:1944
- - C:\Users\Admin\AppData\Local\Temp\1000051001\d3cc535524.exe
    "C:\Users\Admin\AppData\Local\Temp\1000051001\d3cc535524.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2344
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6d89758,0x7fef6d89768,0x7fef6d89778
        5⤵
        
        PID:2088
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1216 --field-trial-handle=1240,i,12143588759180323721,13989918571340540401,131072 /prefetch:2
        5⤵
        
        PID:2172
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1552 --field-trial-handle=1240,i,12143588759180323721,13989918571340540401,131072 /prefetch:8
        5⤵
        
        PID:2084
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1156 --field-trial-handle=1240,i,12143588759180323721,13989918571340540401,131072 /prefetch:8
        5⤵
        
        PID:2316
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1708 --field-trial-handle=1240,i,12143588759180323721,13989918571340540401,131072 /prefetch:1
        5⤵
        
        PID:648
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2196 --field-trial-handle=1240,i,12143588759180323721,13989918571340540401,131072 /prefetch:1
        5⤵
        
        PID:2808
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2500 --field-trial-handle=1240,i,12143588759180323721,13989918571340540401,131072 /prefetch:2
        5⤵
        
        PID:2116
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2508 --field-trial-handle=1240,i,12143588759180323721,13989918571340540401,131072 /prefetch:2
        5⤵
        
        PID:2372
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3276 --field-trial-handle=1240,i,12143588759180323721,13989918571340540401,131072 /prefetch:1
        5⤵
        
        PID:480

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
db77bd6e8c024c3285feb07f63fee94b

SHA1
d3364f9605d1e1e8f6b873b7c076ca5594de44f3

SHA256
b36b5e5359002758c8d98d62110d69d4193312d2528961d2e914160de8e1fe9f

SHA512
598a331160b75c38ed81f69870b5ad2ae7fc729f62691a19c93f9d50edd80b0600e5b4277b65fdacd42d76a3003f6a3abd10e1e5a37ba7214b4f947e03535198

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
5ff1a6cc3ca473c5e0109c522888b0d7

SHA1
819da26631f6cc10719bed15ea243bcb8b76adb3

SHA256
00cc897590aa59db28d6c2c73ed2e2059d7d2b4fe4a93ddaee99082286c8df69

SHA512
785621f415e5c767b2ccb0fa34d504c386ff81ef57f6ee3510be32e3fa0cfc470899385d32536765b75c9b4e01512b27c1576ad924fbff9c1e8b5e4f3b4920a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
d0908fb5a8937af3dcb71bd3f0a4ebeb

SHA1
0475b34d2b5b6e0c452915a03ef03003680f4e75

SHA256
07348b4f4194ef4f6929c3f2b2a18dd32d9c36c769eb161c3aae4c06102815ac

SHA512
ef91186c7e39a1154d1388f79eb81fd12bea966d6228870418ba77f8f1bd63f54a1bb0fa39299e2b035fe4a2a491995cdee5ac8bff6b512dc00a3371565f4a43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Filesize
1.9MB

MD5
5d4f53ab1cf64d5e32b87c37aebcdc3c

SHA1
803618a4f5d22fff34727c647053a773ef13a614

SHA256
4bc9589717c9638214386fa4febb05d512130f1ea4fa45dfe4b19e793ec8349e

SHA512
69a694a35401ee5bfcb3a3d34090efb0f46e53540c3a59bfc1e5584579b1e66e4e64f9c595c6940c031c0936ddb2fbea77bdac304f7039ca3c9f1bd710da92d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000042001\f5be371b83.exe

Filesize
2.2MB

MD5
8d449a7628ca55419a62364f8e1be1a0

SHA1
2549c6ca6357b18f4ca794448a054b39afad4827

SHA256
fd13d7cf78df7c365f1780276669ab4cc6cbad531f9cdc60d1dcb4e9eec70801

SHA512
33ff7ae8dd0711c8309730d40b6d69f84f75ccc5e6e9626cee6ba317bb409cd176ecfe93a13ec43ff94653707fa28dc66eed53a9bb3870915d427388a1c2b7bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe

Filesize
1.8MB

MD5
8d85566c58ad4afea97ae742e5286a1a

SHA1
b49283982508b4db081825a22fd7d97c7c97b3a4

SHA256
0af7203b220761cde1e65317b69e6e6304202fbb3ac0006cb3e3fdc23ef232f2

SHA512
c8f07d75a1aafacf813ee0e4d2e9aaff2a32a3577286ea27f3bad1e0bdf69ff649af7923c2bda90235edfcef3a291fc8cd15ae35ca76a4ffc89cf8cfa99f58b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000051001\d3cc535524.exe

Filesize
1.1MB

MD5
de0d994c960dd02f1082bd95dc037451

SHA1
e019cd20190233de78175d23ac8f756de0326734

SHA256
b39a510ca6f284db9d313a4020eddd51e76bd6a5db5b8af158d04649f3d926f1

SHA512
caf7077e26f0f5006fcd093f1f3ef58a08bc55dd1271c45940a83fe2bb127ede1f6c0f4e4a7ebc9c7b5479276c8e0169272865228050adef463f55b3c9788640

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4397.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4505.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.2MB

MD5
15a42d3e4579da615a384c717ab2109b

SHA1
22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

SHA256
3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

SHA512
1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

Download Submit
memory/1944-145-0x00000000001A0000-0x0000000000651000-memory.dmp

Filesize
4.7MB

Download
memory/1944-165-0x00000000001A0000-0x0000000000651000-memory.dmp

Filesize
4.7MB

Download
memory/2016-34-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/2016-45-0x00000000013D0000-0x00000000018A7000-memory.dmp

Filesize
4.8MB

Download
memory/2016-27-0x00000000013D0000-0x00000000018A7000-memory.dmp

Filesize
4.8MB

Download
memory/2016-28-0x00000000013D0000-0x00000000018A7000-memory.dmp

Filesize
4.8MB

Download
memory/2016-29-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/2016-30-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/2016-31-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/2016-32-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/2016-33-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/2016-102-0x0000000009E00000-0x000000000A2D7000-memory.dmp

Filesize
4.8MB

Download
memory/2016-35-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/2016-37-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/2016-36-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/2016-38-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/2016-39-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/2016-40-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/2016-43-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/2016-41-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/2016-44-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/2016-183-0x00000000013D0000-0x00000000018A7000-memory.dmp

Filesize
4.8MB

Download
memory/2016-46-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/2016-47-0x00000000013D0000-0x00000000018A7000-memory.dmp

Filesize
4.8MB

Download
memory/2016-206-0x00000000013D0000-0x00000000018A7000-memory.dmp

Filesize
4.8MB

Download
memory/2016-61-0x00000000013D0000-0x00000000018A7000-memory.dmp

Filesize
4.8MB

Download
memory/2016-296-0x00000000013D0000-0x00000000018A7000-memory.dmp

Filesize
4.8MB

Download
memory/2016-82-0x0000000006190000-0x0000000006724000-memory.dmp

Filesize
5.6MB

Download
memory/2016-325-0x00000000013D0000-0x00000000018A7000-memory.dmp

Filesize
4.8MB

Download
memory/2016-84-0x0000000006190000-0x0000000006724000-memory.dmp

Filesize
5.6MB

Download
memory/2016-169-0x00000000013D0000-0x00000000018A7000-memory.dmp

Filesize
4.8MB

Download
memory/2016-338-0x00000000013D0000-0x00000000018A7000-memory.dmp

Filesize
4.8MB

Download
memory/2016-146-0x00000000013D0000-0x00000000018A7000-memory.dmp

Filesize
4.8MB

Download
memory/2016-358-0x00000000013D0000-0x00000000018A7000-memory.dmp

Filesize
4.8MB

Download
memory/2016-361-0x00000000013D0000-0x00000000018A7000-memory.dmp

Filesize
4.8MB

Download
memory/2016-136-0x0000000006230000-0x00000000066E1000-memory.dmp

Filesize
4.7MB

Download
memory/2016-126-0x0000000006190000-0x0000000006724000-memory.dmp

Filesize
5.6MB

Download
memory/2016-365-0x00000000013D0000-0x00000000018A7000-memory.dmp

Filesize
4.8MB

Download
memory/2016-384-0x00000000013D0000-0x00000000018A7000-memory.dmp

Filesize
4.8MB

Download
memory/2016-103-0x00000000013D0000-0x00000000018A7000-memory.dmp

Filesize
4.8MB

Download
memory/2240-96-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/2240-83-0x0000000000F70000-0x0000000001504000-memory.dmp

Filesize
5.6MB

Download
memory/2240-98-0x0000000003110000-0x0000000003112000-memory.dmp

Filesize
8KB

Download
memory/2240-97-0x00000000005A0000-0x00000000005A2000-memory.dmp

Filesize
8KB

Download
memory/2240-93-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

Filesize
4KB

Download
memory/2240-94-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/2240-104-0x0000000000F70000-0x0000000001504000-memory.dmp

Filesize
5.6MB

Download
memory/2240-95-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/2240-388-0x0000000000F70000-0x0000000001504000-memory.dmp

Filesize
5.6MB

Download
memory/2240-92-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/2240-91-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

Filesize
4KB

Download
memory/2240-133-0x0000000000F70000-0x0000000001504000-memory.dmp

Filesize
5.6MB

Download
memory/2240-89-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/2240-88-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

Filesize
4KB

Download
memory/2240-87-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/2240-366-0x0000000000F70000-0x0000000001504000-memory.dmp

Filesize
5.6MB

Download
memory/2240-362-0x0000000000F70000-0x0000000001504000-memory.dmp

Filesize
5.6MB

Download
memory/2240-359-0x0000000000F70000-0x0000000001504000-memory.dmp

Filesize
5.6MB

Download
memory/2240-86-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/2240-339-0x0000000000F70000-0x0000000001504000-memory.dmp

Filesize
5.6MB

Download
memory/2240-167-0x0000000000F70000-0x0000000001504000-memory.dmp

Filesize
5.6MB

Download
memory/2240-326-0x0000000000F70000-0x0000000001504000-memory.dmp

Filesize
5.6MB

Download
memory/2240-85-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/2240-320-0x0000000000F70000-0x0000000001504000-memory.dmp

Filesize
5.6MB

Download
memory/2240-177-0x0000000000F70000-0x0000000001504000-memory.dmp

Filesize
5.6MB

Download
memory/2240-90-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/2240-210-0x0000000000F70000-0x0000000001504000-memory.dmp

Filesize
5.6MB

Download
memory/2240-198-0x0000000000F70000-0x0000000001504000-memory.dmp

Filesize
5.6MB

Download
memory/2360-170-0x0000000002740000-0x00000000027C0000-memory.dmp

Filesize
512KB

Download
memory/2360-154-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/2360-148-0x0000000002740000-0x00000000027C0000-memory.dmp

Filesize
512KB

Download
memory/2360-147-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

Filesize
2.9MB

Download
memory/2360-166-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

Filesize
9.6MB

Download
memory/2360-168-0x0000000002740000-0x00000000027C0000-memory.dmp

Filesize
512KB

Download
memory/2720-8-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/2720-14-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/2720-12-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/2720-10-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/2720-11-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/2720-7-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/2720-17-0x0000000002C50000-0x0000000002C51000-memory.dmp

Filesize
4KB

Download
memory/2720-13-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/2720-5-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/2720-9-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/2720-6-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/2720-25-0x0000000000260000-0x0000000000737000-memory.dmp

Filesize
4.8MB

Download
memory/2720-2-0x0000000000260000-0x0000000000737000-memory.dmp

Filesize
4.8MB

Download
memory/2720-16-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/2720-3-0x00000000026D0000-0x00000000026D2000-memory.dmp

Filesize
8KB

Download
memory/2720-4-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/2720-1-0x00000000779C0000-0x00000000779C2000-memory.dmp

Filesize
8KB

Download
memory/2720-0-0x0000000000260000-0x0000000000737000-memory.dmp

Filesize
4.8MB

Download