amadey | 268318688e614f04d59cb86f60905777782d7cc0fd722ccd5bab51c1c11fc10d

Analysis

max time kernel
23s
max time network
306s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-04-2024 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

268318688e614f04d59cb86f60905777782d7cc0fd722ccd5bab51c1c11fc10d.exe
Size

2.9MB
MD5

024817797cc4e980f696067e3818c847
SHA1

241c4aa43e4f2709f450be63588aa5d8302a2266
SHA256

268318688e614f04d59cb86f60905777782d7cc0fd722ccd5bab51c1c11fc10d
SHA512

b00973e2640e28003250729789422dd585038c664c1f1751be8eb00c08af6c05ea72ec3245814542731c8297d4a1b5ac8fc60a4faf389d6200b5c2713a7c96d0
SSDEEP

49152:5OQEPpQ3zNhl95Cwk64jOzP+5PCHrZofymYtCe/tZ:AQEPpQ3phluwk64jOzP+56HrZofym0nT

Score

10^/10

amadey risepro evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

http://193.233.132.167

Attributes

install_dir
4d0ab15804
install_file
chrosha.exe
strings_key
1a9519d7b465e1f4880fa09a6162d768
url_paths
/enigma/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

268318688e614f04d59cb86f60905777782d7cc0fd722ccd5bab51c1c11fc10d.exeexplorha.exeamert.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	268318688e614f04d59cb86f60905777782d7cc0fd722ccd5bab51c1c11fc10d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

amert.exe268318688e614f04d59cb86f60905777782d7cc0fd722ccd5bab51c1c11fc10d.exeexplorha.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	268318688e614f04d59cb86f60905777782d7cc0fd722ccd5bab51c1c11fc10d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	268318688e614f04d59cb86f60905777782d7cc0fd722ccd5bab51c1c11fc10d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe

Executes dropped EXE 3 IoCs

Processes:

explorha.exeamert.exea263ac4aff.exe

pid process

2416 explorha.exe
1612 amert.exe
1568 a263ac4aff.exe

pid	process
2416	explorha.exe
1612	amert.exe
1568	a263ac4aff.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

amert.exe268318688e614f04d59cb86f60905777782d7cc0fd722ccd5bab51c1c11fc10d.exeexplorha.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Wine	268318688e614f04d59cb86f60905777782d7cc0fd722ccd5bab51c1c11fc10d.exe
Key opened	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Wine	explorha.exe

Loads dropped DLL 4 IoCs

Processes:

268318688e614f04d59cb86f60905777782d7cc0fd722ccd5bab51c1c11fc10d.exeexplorha.exe

pid	process
2280	268318688e614f04d59cb86f60905777782d7cc0fd722ccd5bab51c1c11fc10d.exe
2280	268318688e614f04d59cb86f60905777782d7cc0fd722ccd5bab51c1c11fc10d.exe
2416	explorha.exe
2416	explorha.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorha.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\a263ac4aff.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000055001\\a263ac4aff.exe"	explorha.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000055001\a263ac4aff.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

268318688e614f04d59cb86f60905777782d7cc0fd722ccd5bab51c1c11fc10d.exeexplorha.exeamert.exe

pid process

2280 268318688e614f04d59cb86f60905777782d7cc0fd722ccd5bab51c1c11fc10d.exe
2416 explorha.exe
1612 amert.exe

Drops file in Windows directory 2 IoCs

Processes:

268318688e614f04d59cb86f60905777782d7cc0fd722ccd5bab51c1c11fc10d.exeamert.exe

description	ioc	process
File created	C:\Windows\Tasks\explorha.job	268318688e614f04d59cb86f60905777782d7cc0fd722ccd5bab51c1c11fc10d.exe
File created	C:\Windows\Tasks\chrosha.job	amert.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

268318688e614f04d59cb86f60905777782d7cc0fd722ccd5bab51c1c11fc10d.exeexplorha.exeamert.exechrome.exe

pid process

2280 268318688e614f04d59cb86f60905777782d7cc0fd722ccd5bab51c1c11fc10d.exe
2416 explorha.exe
1612 amert.exe
1384 chrome.exe
1384 chrome.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1384	chrome.exe
Token: SeShutdownPrivilege	1384	chrome.exe
Token: SeShutdownPrivilege	1384	chrome.exe
Token: SeShutdownPrivilege	1384	chrome.exe
Token: SeShutdownPrivilege	1384	chrome.exe
Token: SeShutdownPrivilege	1384	chrome.exe
Token: SeShutdownPrivilege	1384	chrome.exe
Token: SeShutdownPrivilege	1384	chrome.exe
Token: SeShutdownPrivilege	1384	chrome.exe
Token: SeShutdownPrivilege	1384	chrome.exe
Token: SeShutdownPrivilege	1384	chrome.exe
Token: SeShutdownPrivilege	1384	chrome.exe

Suspicious use of FindShellTrayWindow 49 IoCs

Processes:

268318688e614f04d59cb86f60905777782d7cc0fd722ccd5bab51c1c11fc10d.exeamert.exea263ac4aff.exechrome.exe

pid	process
2280	268318688e614f04d59cb86f60905777782d7cc0fd722ccd5bab51c1c11fc10d.exe
1612	amert.exe
1568	a263ac4aff.exe
1568	a263ac4aff.exe
1568	a263ac4aff.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1568	a263ac4aff.exe
1568	a263ac4aff.exe
1568	a263ac4aff.exe
1384	chrome.exe
1384	chrome.exe
1568	a263ac4aff.exe
1568	a263ac4aff.exe
1568	a263ac4aff.exe
1568	a263ac4aff.exe
1568	a263ac4aff.exe

Suspicious use of SendNotifyMessage 43 IoCs

Processes:

a263ac4aff.exechrome.exe

pid	process
1568	a263ac4aff.exe
1568	a263ac4aff.exe
1568	a263ac4aff.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1384	chrome.exe
1568	a263ac4aff.exe
1568	a263ac4aff.exe
1568	a263ac4aff.exe
1568	a263ac4aff.exe
1568	a263ac4aff.exe
1568	a263ac4aff.exe
1568	a263ac4aff.exe
1568	a263ac4aff.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

268318688e614f04d59cb86f60905777782d7cc0fd722ccd5bab51c1c11fc10d.exeexplorha.exea263ac4aff.exechrome.exe

description	pid	process	target process
PID 2280 wrote to memory of 2416	2280	268318688e614f04d59cb86f60905777782d7cc0fd722ccd5bab51c1c11fc10d.exe	explorha.exe
PID 2280 wrote to memory of 2416	2280	268318688e614f04d59cb86f60905777782d7cc0fd722ccd5bab51c1c11fc10d.exe	explorha.exe
PID 2280 wrote to memory of 2416	2280	268318688e614f04d59cb86f60905777782d7cc0fd722ccd5bab51c1c11fc10d.exe	explorha.exe
PID 2280 wrote to memory of 2416	2280	268318688e614f04d59cb86f60905777782d7cc0fd722ccd5bab51c1c11fc10d.exe	explorha.exe
PID 2416 wrote to memory of 1612	2416	explorha.exe	amert.exe
PID 2416 wrote to memory of 1612	2416	explorha.exe	amert.exe
PID 2416 wrote to memory of 1612	2416	explorha.exe	amert.exe
PID 2416 wrote to memory of 1612	2416	explorha.exe	amert.exe
PID 2416 wrote to memory of 1568	2416	explorha.exe	a263ac4aff.exe
PID 2416 wrote to memory of 1568	2416	explorha.exe	a263ac4aff.exe
PID 2416 wrote to memory of 1568	2416	explorha.exe	a263ac4aff.exe
PID 2416 wrote to memory of 1568	2416	explorha.exe	a263ac4aff.exe
PID 1568 wrote to memory of 1384	1568	a263ac4aff.exe	chrome.exe
PID 1568 wrote to memory of 1384	1568	a263ac4aff.exe	chrome.exe
PID 1568 wrote to memory of 1384	1568	a263ac4aff.exe	chrome.exe
PID 1568 wrote to memory of 1384	1568	a263ac4aff.exe	chrome.exe
PID 1384 wrote to memory of 2844	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 2844	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 2844	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1220	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1220	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1220	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1220	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1220	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1220	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1220	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1220	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1220	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1220	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1220	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1220	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1220	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1220	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1220	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1220	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1220	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1220	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1220	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1220	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1220	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1220	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1220	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1220	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1220	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1220	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1220	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1220	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1220	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1220	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1220	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1220	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1220	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1220	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1220	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1220	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1220	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1220	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1220	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1976	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1976	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 1976	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 824	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 824	1384	chrome.exe	chrome.exe
PID 1384 wrote to memory of 824	1384	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\268318688e614f04d59cb86f60905777782d7cc0fd722ccd5bab51c1c11fc10d.exe
"C:\Users\Admin\AppData\Local\Temp\268318688e614f04d59cb86f60905777782d7cc0fd722ccd5bab51c1c11fc10d.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Users\Admin\AppData\Local\Temp\1000054001\amert.exe
    "C:\Users\Admin\AppData\Local\Temp\1000054001\amert.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:1612
- - C:\Users\Admin\AppData\Local\Temp\1000055001\a263ac4aff.exe
    "C:\Users\Admin\AppData\Local\Temp\1000055001\a263ac4aff.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1568
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1384
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6b59758,0x7fef6b59768,0x7fef6b59778
        5⤵
        
        PID:2844
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1140 --field-trial-handle=1380,i,14251492574017208351,11992182840745937541,131072 /prefetch:2
        5⤵
        
        PID:1220
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1380,i,14251492574017208351,11992182840745937541,131072 /prefetch:8
        5⤵
        
        PID:1976
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1380,i,14251492574017208351,11992182840745937541,131072 /prefetch:8
        5⤵
        
        PID:824
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2240 --field-trial-handle=1380,i,14251492574017208351,11992182840745937541,131072 /prefetch:1
        5⤵
        
        PID:1504
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2276 --field-trial-handle=1380,i,14251492574017208351,11992182840745937541,131072 /prefetch:1
        5⤵
        
        PID:1180
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2924 --field-trial-handle=1380,i,14251492574017208351,11992182840745937541,131072 /prefetch:1
        5⤵
        
        PID:748
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2844 --field-trial-handle=1380,i,14251492574017208351,11992182840745937541,131072 /prefetch:2
        5⤵
        
        PID:2948
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3596 --field-trial-handle=1380,i,14251492574017208351,11992182840745937541,131072 /prefetch:8
        5⤵
        
        PID:2708
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
    3⤵
    PID:1536
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      4⤵
      PID:1720
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:1944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\063562292805_Desktop.zip' -CompressionLevel Optimal
        5⤵
        
        PID:1744
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
    3⤵
    PID:1100
- - C:\Users\Admin\AppData\Local\Temp\1000056001\5a79a8b57b.exe
    "C:\Users\Admin\AppData\Local\Temp\1000056001\5a79a8b57b.exe"
    3⤵
    PID:1696
- - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
    "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
    3⤵
    PID:364

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
4bdaf1a35959a3780a7238910d347018

SHA1
4aa7a5169661721ec2f66601d400b41b80460ba7

SHA256
0a54f17fe91b2c6674d3aa0d818148955eea45ee9fdb10b357b0ef2ee6340399

SHA512
9d928dea2436cceb5b2af4c3a9d4153508ea660a1a5728c7c62c331a5832507b2d98d4203daee462e0f518766341ec69c37e4f4c1bdbcb7c5d7d4e196163175c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
69128fe6271663b81bc4d0fa5fbbd669

SHA1
dc6ed903471ce4154f59987fb29592bc2770fac5

SHA256
ed0162c675daac8c279181dc7bee3cbb17b77fbe0ff9b52e1c3b029201aaf4ff

SHA512
65697526f93bb509aab1f1263d065be748b3004809da7878ea1788a6888f962885eb9520d6f7bbf0dfd5e454625c2e152f04a6ca733e85201fdaaae5708c7e1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
15ec8df74ac74227ce021abfc31796f5

SHA1
079a64fd579146535d2c84c61b34af7ffa11c739

SHA256
7f7ce734836ba0f6d4954e95cfa161561c287826b156cbe12b8d115403af35da

SHA512
50d9aece0f54223e427f511d893f64d1faa4259f856dc53f1728f48b0560a4af06dd7839b722fce25b1a8ec43eae2d397b6cab015f92d5eff6a40ca3a324393c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\d385acd0-b480-468c-ad78-e830f2a78c18.tmp

Filesize
5KB

MD5
70020ddc20ea97e255d393bb0242e912

SHA1
fdedc0de0763386f9ee72c7c8de80f9ab6a6f239

SHA256
f55b311dbf597f704a1f6cee47bf92b9f5ff8bbe9972327e5a2ecacf49158ed6

SHA512
6e439244bc95ed1a51efabe79648c085784d8d3d13b3487d4192b968246177d8e53074c6f62a2455377f6908af4939c447bbb1fb24452e869dd05e9bbe3b2aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000054001\amert.exe

Filesize
1.8MB

MD5
1ed78f44a2cad6e08da27edbc701b4bc

SHA1
e7a8bc103762db81429b13497c065ac16cac4b85

SHA256
20bd5a075cfee256a6cc19803fb9964834590840ada1212f7eca0a9d990e8359

SHA512
3882675eadbc45a7b534c0efc671551926bbc333275e03e8a4b23fdfc958af231094b65855fceccf6ec7c63ead1ad1a21bf3853e95eb05adca093a7820c22244

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000055001\a263ac4aff.exe

Filesize
1.1MB

MD5
76c779d2a6e42c6dbcff43e67bb38ca3

SHA1
558f8e6b714efaeaba794e7d2b7821936a4da077

SHA256
e820be731929c621a94de7bd83e0da4796c103632961bda20ffbd568279e6f43

SHA512
516d91d0e635f3468d135bf51f507fe3d81c1fb72c8baccc08a0e7c05c6dcaefd2816ca937cb2f8ca0ab8f4c8e78a2917b22dc10c289221e8450cfba34bebf3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000056001\5a79a8b57b.exe

Filesize
2.2MB

MD5
3709ad0a7007bcae942b905a07bd6bba

SHA1
9d25192c841f3b2fb1b9bbb0dfdcec6cdaaca3a7

SHA256
2248caa741ec4d757c597091f2bab56f694181ef5a677bdab47d990e4c7f695a

SHA512
d41cbc49ded02909e0eae68da22988c36993bde9db4025f64d45007d2c47ed07a7cdc1a2b28ae1cb7ecb8d4c5169cb4084650adaddb656caf33b4e0ad85239fc

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.2MB

MD5
15a42d3e4579da615a384c717ab2109b

SHA1
22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

SHA256
3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

SHA512
1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

Download Submit
\??\pipe\crashpad_1384_KWRLXLUFOHINKBZW

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Filesize
2.9MB

MD5
024817797cc4e980f696067e3818c847

SHA1
241c4aa43e4f2709f450be63588aa5d8302a2266

SHA256
268318688e614f04d59cb86f60905777782d7cc0fd722ccd5bab51c1c11fc10d

SHA512
b00973e2640e28003250729789422dd585038c664c1f1751be8eb00c08af6c05ea72ec3245814542731c8297d4a1b5ac8fc60a4faf389d6200b5c2713a7c96d0

Download Submit
memory/364-261-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/364-266-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/364-289-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/364-288-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/364-287-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/364-286-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/364-285-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/364-284-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/364-283-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/364-282-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/364-281-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/364-280-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/364-279-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/364-278-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/364-277-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/364-276-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/364-275-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/364-274-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/364-265-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/364-264-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/364-263-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/364-262-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/364-260-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/364-259-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/364-258-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/364-257-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/364-256-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/364-255-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/364-254-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/364-253-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/364-250-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/364-248-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/364-246-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/364-245-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/364-244-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/364-243-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/364-242-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/364-239-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/364-241-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/1612-67-0x0000000001020000-0x00000000014EE000-memory.dmp

Filesize
4.8MB

Download
memory/1744-231-0x0000000001E6B000-0x0000000001ED2000-memory.dmp

Filesize
412KB

Download
memory/1744-229-0x000007FEF2F90000-0x000007FEF392D000-memory.dmp

Filesize
9.6MB

Download
memory/1744-228-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/1744-227-0x000000001B190000-0x000000001B472000-memory.dmp

Filesize
2.9MB

Download
memory/1744-230-0x0000000001E64000-0x0000000001E67000-memory.dmp

Filesize
12KB

Download
memory/2280-13-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/2280-1-0x00000000774B0000-0x00000000774B2000-memory.dmp

Filesize
8KB

Download
memory/2280-11-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/2280-7-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2280-6-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/2280-5-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/2280-30-0x00000000012F0000-0x000000000160E000-memory.dmp

Filesize
3.1MB

Download
memory/2280-8-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/2280-4-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/2280-12-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/2280-2-0x00000000012F0000-0x000000000160E000-memory.dmp

Filesize
3.1MB

Download
memory/2280-0-0x00000000012F0000-0x000000000160E000-memory.dmp

Filesize
3.1MB

Download
memory/2280-10-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2280-15-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/2280-9-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/2280-17-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2280-14-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/2280-18-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/2280-3-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/2280-31-0x0000000006450000-0x000000000676E000-memory.dmp

Filesize
3.1MB

Download
memory/2416-39-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/2416-37-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/2416-33-0x0000000001060000-0x000000000137E000-memory.dmp

Filesize
3.1MB

Download
memory/2416-36-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/2416-35-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/2416-34-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/2416-38-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/2416-32-0x0000000001060000-0x000000000137E000-memory.dmp

Filesize
3.1MB

Download
memory/2416-40-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/2416-41-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/2416-42-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/2416-43-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/2416-44-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/2416-46-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/2416-47-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/2416-48-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download