amadey | 022c76f26770e2686b68a68ee6ed32d35d336308de995473d70c04f1ac6f83d2

Analysis

max time kernel
86s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14/06/2024, 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Win32.Evo-gen.23207.8804.exe
Size

1.8MB
MD5

fc8b4ad76d2b7b814f6fcaeed5d0af75
SHA1

b14cd344e70a5fec100925d32d08399671e4f434
SHA256

022c76f26770e2686b68a68ee6ed32d35d336308de995473d70c04f1ac6f83d2
SHA512

51743bf2bd10a993c9e097e19cb7f325483503b309a699be1b9e6686aeea77e987dcbedfee58ca3abf8b61b4410b71c0d9f73ae89d2603edd125f85465257347
SSDEEP

49152:z32SkrBRq+zNtYu3/UOXTqPsVNEYlv4jWBHSsY5B5AyZ:wrXtzL9vtqPuNEYliws

Score

10^/10

amadey risepro 0e6740 e76b71 evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SecuriteInfo.com.Win32.Evo-gen.23207.8804.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f7bbf675c2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SecuriteInfo.com.Win32.Evo-gen.23207.8804.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f7bbf675c2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f7bbf675c2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SecuriteInfo.com.Win32.Evo-gen.23207.8804.exe

Executes dropped EXE 6 IoCs

pid	Process
2444	explortu.exe
2676	explortu.exe
1796	f7bbf675c2.exe
2100	axplong.exe
452	c364feecc2.exe
1320	9c7dc8aef7.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine	SecuriteInfo.com.Win32.Evo-gen.23207.8804.exe
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine	f7bbf675c2.exe
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine	axplong.exe

Loads dropped DLL 6 IoCs

pid	Process
2992	SecuriteInfo.com.Win32.Evo-gen.23207.8804.exe
2444	explortu.exe
2444	explortu.exe
1796	f7bbf675c2.exe
2444	explortu.exe
2444	explortu.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\c364feecc2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\c364feecc2.exe"	explortu.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0006000000016c2e-106.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 18 IoCs

pid	Process
2992	SecuriteInfo.com.Win32.Evo-gen.23207.8804.exe
2444	explortu.exe
1796	f7bbf675c2.exe
2100	axplong.exe
2676	explortu.exe
452	c364feecc2.exe
2676	explortu.exe
452	c364feecc2.exe
2676	explortu.exe
452	c364feecc2.exe
2676	explortu.exe
452	c364feecc2.exe
2676	explortu.exe
452	c364feecc2.exe
2676	explortu.exe
452	c364feecc2.exe
2676	explortu.exe
452	c364feecc2.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2444 set thread context of 2676	2444	explortu.exe	29

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	SecuriteInfo.com.Win32.Evo-gen.23207.8804.exe
File created	C:\Windows\Tasks\axplong.job	f7bbf675c2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2992	SecuriteInfo.com.Win32.Evo-gen.23207.8804.exe
2444	explortu.exe
1796	f7bbf675c2.exe
2100	axplong.exe
2860	chrome.exe
2860	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2992	SecuriteInfo.com.Win32.Evo-gen.23207.8804.exe
1796	f7bbf675c2.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
2860	chrome.exe
2860	chrome.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe
1320	9c7dc8aef7.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2676	explortu.exe
452	c364feecc2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 2444	2992	SecuriteInfo.com.Win32.Evo-gen.23207.8804.exe	28
PID 2992 wrote to memory of 2444	2992	SecuriteInfo.com.Win32.Evo-gen.23207.8804.exe	28
PID 2992 wrote to memory of 2444	2992	SecuriteInfo.com.Win32.Evo-gen.23207.8804.exe	28
PID 2992 wrote to memory of 2444	2992	SecuriteInfo.com.Win32.Evo-gen.23207.8804.exe	28
PID 2444 wrote to memory of 2676	2444	explortu.exe	29
PID 2444 wrote to memory of 2676	2444	explortu.exe	29
PID 2444 wrote to memory of 2676	2444	explortu.exe	29
PID 2444 wrote to memory of 2676	2444	explortu.exe	29
PID 2444 wrote to memory of 2676	2444	explortu.exe	29
PID 2444 wrote to memory of 2676	2444	explortu.exe	29
PID 2444 wrote to memory of 2676	2444	explortu.exe	29
PID 2444 wrote to memory of 2676	2444	explortu.exe	29
PID 2444 wrote to memory of 2676	2444	explortu.exe	29
PID 2444 wrote to memory of 2676	2444	explortu.exe	29
PID 2444 wrote to memory of 2676	2444	explortu.exe	29
PID 2444 wrote to memory of 2676	2444	explortu.exe	29
PID 2444 wrote to memory of 1796	2444	explortu.exe	31
PID 2444 wrote to memory of 1796	2444	explortu.exe	31
PID 2444 wrote to memory of 1796	2444	explortu.exe	31
PID 2444 wrote to memory of 1796	2444	explortu.exe	31
PID 1796 wrote to memory of 2100	1796	f7bbf675c2.exe	32
PID 1796 wrote to memory of 2100	1796	f7bbf675c2.exe	32
PID 1796 wrote to memory of 2100	1796	f7bbf675c2.exe	32
PID 1796 wrote to memory of 2100	1796	f7bbf675c2.exe	32
PID 2444 wrote to memory of 452	2444	explortu.exe	34
PID 2444 wrote to memory of 452	2444	explortu.exe	34
PID 2444 wrote to memory of 452	2444	explortu.exe	34
PID 2444 wrote to memory of 452	2444	explortu.exe	34
PID 2444 wrote to memory of 1320	2444	explortu.exe	35
PID 2444 wrote to memory of 1320	2444	explortu.exe	35
PID 2444 wrote to memory of 1320	2444	explortu.exe	35
PID 2444 wrote to memory of 1320	2444	explortu.exe	35
PID 1320 wrote to memory of 2860	1320	9c7dc8aef7.exe	36
PID 1320 wrote to memory of 2860	1320	9c7dc8aef7.exe	36
PID 1320 wrote to memory of 2860	1320	9c7dc8aef7.exe	36
PID 1320 wrote to memory of 2860	1320	9c7dc8aef7.exe	36
PID 2860 wrote to memory of 320	2860	chrome.exe	37
PID 2860 wrote to memory of 320	2860	chrome.exe	37
PID 2860 wrote to memory of 320	2860	chrome.exe	37
PID 2860 wrote to memory of 1444	2860	chrome.exe	39
PID 2860 wrote to memory of 1444	2860	chrome.exe	39
PID 2860 wrote to memory of 1444	2860	chrome.exe	39
PID 2860 wrote to memory of 1444	2860	chrome.exe	39
PID 2860 wrote to memory of 1444	2860	chrome.exe	39
PID 2860 wrote to memory of 1444	2860	chrome.exe	39
PID 2860 wrote to memory of 1444	2860	chrome.exe	39
PID 2860 wrote to memory of 1444	2860	chrome.exe	39
PID 2860 wrote to memory of 1444	2860	chrome.exe	39
PID 2860 wrote to memory of 1444	2860	chrome.exe	39
PID 2860 wrote to memory of 1444	2860	chrome.exe	39
PID 2860 wrote to memory of 1444	2860	chrome.exe	39
PID 2860 wrote to memory of 1444	2860	chrome.exe	39
PID 2860 wrote to memory of 1444	2860	chrome.exe	39
PID 2860 wrote to memory of 1444	2860	chrome.exe	39
PID 2860 wrote to memory of 1444	2860	chrome.exe	39
PID 2860 wrote to memory of 1444	2860	chrome.exe	39
PID 2860 wrote to memory of 1444	2860	chrome.exe	39
PID 2860 wrote to memory of 1444	2860	chrome.exe	39
PID 2860 wrote to memory of 1444	2860	chrome.exe	39
PID 2860 wrote to memory of 1444	2860	chrome.exe	39
PID 2860 wrote to memory of 1444	2860	chrome.exe	39
PID 2860 wrote to memory of 1444	2860	chrome.exe	39
PID 2860 wrote to memory of 1444	2860	chrome.exe	39
PID 2860 wrote to memory of 1444	2860	chrome.exe	39

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.23207.8804.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.23207.8804.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    PID:2676
- - C:\Users\Admin\1000015002\f7bbf675c2.exe
    "C:\Users\Admin\1000015002\f7bbf675c2.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:2100
- - C:\Users\Admin\AppData\Local\Temp\1000016001\c364feecc2.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\c364feecc2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    PID:452
- - C:\Users\Admin\AppData\Local\Temp\1000017001\9c7dc8aef7.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\9c7dc8aef7.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1320
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7849758,0x7fef7849768,0x7fef7849778
        5⤵
        
        PID:320
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1116 --field-trial-handle=1380,i,7551658881780452889,14736804658120396563,131072 /prefetch:2
        5⤵
        
        PID:1444
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1380,i,7551658881780452889,14736804658120396563,131072 /prefetch:8
        5⤵
        
        PID:1564
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1380,i,7551658881780452889,14736804658120396563,131072 /prefetch:8
        5⤵
        
        PID:2300
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1300 --field-trial-handle=1380,i,7551658881780452889,14736804658120396563,131072 /prefetch:1
        5⤵
        
        PID:1956
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2276 --field-trial-handle=1380,i,7551658881780452889,14736804658120396563,131072 /prefetch:1
        5⤵
        
        PID:2528
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1600 --field-trial-handle=1380,i,7551658881780452889,14736804658120396563,131072 /prefetch:2
        5⤵
        
        PID:2480
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2256 --field-trial-handle=1380,i,7551658881780452889,14736804658120396563,131072 /prefetch:1
        5⤵
        
        PID:1332
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2612 --field-trial-handle=1380,i,7551658881780452889,14736804658120396563,131072 /prefetch:1
        5⤵
        
        PID:2008
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2684 --field-trial-handle=1380,i,7551658881780452889,14736804658120396563,131072 /prefetch:8
        5⤵
        
        PID:380
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4024 --field-trial-handle=1380,i,7551658881780452889,14736804658120396563,131072 /prefetch:8
        5⤵
        
        PID:1972

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000015002\f7bbf675c2.exe

Filesize
1.8MB

MD5
968738b2e2195b1832c22111707056c9

SHA1
5eaf65e358cbd03037a013d66d0d5cd9a5b4a814

SHA256
1d3c0765dcb4126631f69596b257a2348f069b4ed94e4236c0b7eeb7ad036e88

SHA512
be5f86b39316ff6b5ddfdb4cb4ad7793b1f47db3af314c2d28fe1f9245adf67da6905b4d8367b8b3cafc06a843a0925477800bb0bafa7fd1b2c9b97c53aadc23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
58686704a5a959a7b482e8677954605a

SHA1
8666360840a74dce10424d31ecfd6b5e4d9f529e

SHA256
7b11e2886256553d8999651fd8321b452641a12cb541eaea64af6bf592ecba47

SHA512
31a9ca5fe898a274df47fc6a2dcf0b2ccca127a457c29b7aa698f0bd1e390413e942c9c565588d5b50c247f97ae1822a81938981850f93f0c6a7549bdb7a9cb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f8cd21b4b1209ef5271ac78602885f02

SHA1
d297ccc21b0e252c2436c599abcaab37c83e7273

SHA256
f9d1e4c054be2a1476c1fde5641c47769442bd1cf63e08a15142a6bca62eac2a

SHA512
cbe6a1c91085803c5e6660a0b19a90f267d892c83cf6d71d1fbae6ac74207b818f3364cfa2ada9e5bd1f4e1baa3d2e1490567eb55badeb2e794c6bf289046bd7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2fd819f920d619fb5b627436a9583b50

SHA1
69ae89d23b40cd4fd2f5117a244b5e814c723da3

SHA256
aad38b9413e11336376f9885936214129586b175010f1f642b5cc772da5080a8

SHA512
f00851ebeac1c85f3fe05df774e2bde8df8b9bb476ccf4bca788f6688d4b93b18cd2af93248e5dcfb31ddf7cfc75022bb6b072b867ce9dd0763b2eea39ed00c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\c364feecc2.exe

Filesize
1.3MB

MD5
4df1cfc527e6d3c41e55d9cd3875da91

SHA1
4fbf821677e89092fc9fca187156567400eb58ef

SHA256
9ef03efe91ce1703bc8ac3e00e66b1df1fe7c2c3b16a749c4b368880a497716d

SHA512
5d097db08305c218b9479aa75980d97d08adf9bd80f45cf9048d3e3e1ac8aa07e0083c649c033546cf462351628ac6ae16338b316c3a9a14c9c59d1f132c5851

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\9c7dc8aef7.exe

Filesize
1.1MB

MD5
7bfabd6b6e6aa0215774178186b74bff

SHA1
47a69bda96fbda42a396a5dfbd3faf4d8d4e5a42

SHA256
b21d08aadf56a468e46a9885d7f2eced32779342c2eaa431cef72c0fd72284ab

SHA512
c2fbe8241dbf05c13b739744ea94af7583ee2fbd945dd8b860745b0da21fe8480bb815f2d67ae07fbe85b4a2f8bff319bc48b6ad9c628b4e4675a892029efc9b

Download Submit
\??\c:\users\admin\appdata\local\temp\F59E91F8

Filesize
14B

MD5
d16e380c392f995d9bef5c264f468a7b

SHA1
840a457c43a7c92110cb533b3e404087c8256fef

SHA256
9df91c0bef23625cbb6a6f5989b2db45c7129b86c51a4837e4403c28b3e0c86d

SHA512
9e74a5e3e7c0793093db9e3b64b6d0e14de37a62dc1b09673dbab3346ee737c7b6313d2749e4508b26a4d7851de860fb4a81083b4cdce5be785d42b93f0aae70

Download Submit
\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
fc8b4ad76d2b7b814f6fcaeed5d0af75

SHA1
b14cd344e70a5fec100925d32d08399671e4f434

SHA256
022c76f26770e2686b68a68ee6ed32d35d336308de995473d70c04f1ac6f83d2

SHA512
51743bf2bd10a993c9e097e19cb7f325483503b309a699be1b9e6686aeea77e987dcbedfee58ca3abf8b61b4410b71c0d9f73ae89d2603edd125f85465257347

Download Submit
memory/452-271-0x0000000001070000-0x00000000015A2000-memory.dmp

Filesize
5.2MB

Download
memory/452-274-0x0000000001070000-0x00000000015A2000-memory.dmp

Filesize
5.2MB

Download
memory/452-228-0x0000000001070000-0x00000000015A2000-memory.dmp

Filesize
5.2MB

Download
memory/452-219-0x0000000001070000-0x00000000015A2000-memory.dmp

Filesize
5.2MB

Download
memory/452-216-0x0000000001070000-0x00000000015A2000-memory.dmp

Filesize
5.2MB

Download
memory/452-200-0x0000000001070000-0x00000000015A2000-memory.dmp

Filesize
5.2MB

Download
memory/452-250-0x0000000001070000-0x00000000015A2000-memory.dmp

Filesize
5.2MB

Download
memory/452-242-0x0000000001070000-0x00000000015A2000-memory.dmp

Filesize
5.2MB

Download
memory/452-232-0x0000000001070000-0x00000000015A2000-memory.dmp

Filesize
5.2MB

Download
memory/452-277-0x0000000001070000-0x00000000015A2000-memory.dmp

Filesize
5.2MB

Download
memory/452-245-0x0000000001070000-0x00000000015A2000-memory.dmp

Filesize
5.2MB

Download
memory/452-100-0x0000000001070000-0x00000000015A2000-memory.dmp

Filesize
5.2MB

Download
memory/452-279-0x0000000001070000-0x00000000015A2000-memory.dmp

Filesize
5.2MB

Download
memory/452-95-0x0000000001070000-0x00000000015A2000-memory.dmp

Filesize
5.2MB

Download
memory/452-283-0x0000000001070000-0x00000000015A2000-memory.dmp

Filesize
5.2MB

Download
memory/1796-76-0x0000000000AB0000-0x0000000000F60000-memory.dmp

Filesize
4.7MB

Download
memory/1796-64-0x0000000000AB0000-0x0000000000F60000-memory.dmp

Filesize
4.7MB

Download
memory/2100-243-0x0000000001260000-0x0000000001710000-memory.dmp

Filesize
4.7MB

Download
memory/2100-156-0x0000000001260000-0x0000000001710000-memory.dmp

Filesize
4.7MB

Download
memory/2100-284-0x0000000001260000-0x0000000001710000-memory.dmp

Filesize
4.7MB

Download
memory/2100-281-0x0000000001260000-0x0000000001710000-memory.dmp

Filesize
4.7MB

Download
memory/2100-78-0x0000000001260000-0x0000000001710000-memory.dmp

Filesize
4.7MB

Download
memory/2100-278-0x0000000001260000-0x0000000001710000-memory.dmp

Filesize
4.7MB

Download
memory/2100-275-0x0000000001260000-0x0000000001710000-memory.dmp

Filesize
4.7MB

Download
memory/2100-272-0x0000000001260000-0x0000000001710000-memory.dmp

Filesize
4.7MB

Download
memory/2100-251-0x0000000001260000-0x0000000001710000-memory.dmp

Filesize
4.7MB

Download
memory/2100-246-0x0000000001260000-0x0000000001710000-memory.dmp

Filesize
4.7MB

Download
memory/2100-240-0x0000000001260000-0x0000000001710000-memory.dmp

Filesize
4.7MB

Download
memory/2100-230-0x0000000001260000-0x0000000001710000-memory.dmp

Filesize
4.7MB

Download
memory/2100-223-0x0000000001260000-0x0000000001710000-memory.dmp

Filesize
4.7MB

Download
memory/2100-202-0x0000000001260000-0x0000000001710000-memory.dmp

Filesize
4.7MB

Download
memory/2100-201-0x0000000001260000-0x0000000001710000-memory.dmp

Filesize
4.7MB

Download
memory/2444-270-0x0000000000A90000-0x0000000000F4B000-memory.dmp

Filesize
4.7MB

Download
memory/2444-80-0x0000000000A90000-0x0000000000F4B000-memory.dmp

Filesize
4.7MB

Download
memory/2444-282-0x0000000000A90000-0x0000000000F4B000-memory.dmp

Filesize
4.7MB

Download
memory/2444-59-0x0000000000A90000-0x0000000000F4B000-memory.dmp

Filesize
4.7MB

Download
memory/2444-101-0x0000000000A90000-0x0000000000F4B000-memory.dmp

Filesize
4.7MB

Download
memory/2444-280-0x0000000000A90000-0x0000000000F4B000-memory.dmp

Filesize
4.7MB

Download
memory/2444-188-0x0000000006BD0000-0x0000000007080000-memory.dmp

Filesize
4.7MB

Download
memory/2444-77-0x0000000000A90000-0x0000000000F4B000-memory.dmp

Filesize
4.7MB

Download
memory/2444-276-0x0000000000A90000-0x0000000000F4B000-memory.dmp

Filesize
4.7MB

Download
memory/2444-199-0x0000000000A90000-0x0000000000F4B000-memory.dmp

Filesize
4.7MB

Download
memory/2444-273-0x0000000000A90000-0x0000000000F4B000-memory.dmp

Filesize
4.7MB

Download
memory/2444-62-0x0000000006BD0000-0x0000000007080000-memory.dmp

Filesize
4.7MB

Download
memory/2444-215-0x0000000006BD0000-0x0000000007102000-memory.dmp

Filesize
5.2MB

Download
memory/2444-17-0x0000000000A90000-0x0000000000F4B000-memory.dmp

Filesize
4.7MB

Download
memory/2444-81-0x0000000000A90000-0x0000000000F4B000-memory.dmp

Filesize
4.7MB

Download
memory/2444-222-0x0000000000A90000-0x0000000000F4B000-memory.dmp

Filesize
4.7MB

Download
memory/2444-99-0x0000000006BD0000-0x0000000007102000-memory.dmp

Filesize
5.2MB

Download
memory/2444-28-0x000000000A030000-0x000000000A4EB000-memory.dmp

Filesize
4.7MB

Download
memory/2444-229-0x0000000000A90000-0x0000000000F4B000-memory.dmp

Filesize
4.7MB

Download
memory/2444-18-0x0000000000A91000-0x0000000000ABF000-memory.dmp

Filesize
184KB

Download
memory/2444-231-0x0000000000A90000-0x0000000000F4B000-memory.dmp

Filesize
4.7MB

Download
memory/2444-27-0x0000000000A90000-0x0000000000F4B000-memory.dmp

Filesize
4.7MB

Download
memory/2444-249-0x0000000000A90000-0x0000000000F4B000-memory.dmp

Filesize
4.7MB

Download
memory/2444-96-0x0000000000A90000-0x0000000000F4B000-memory.dmp

Filesize
4.7MB

Download
memory/2444-241-0x0000000000A90000-0x0000000000F4B000-memory.dmp

Filesize
4.7MB

Download
memory/2444-21-0x0000000000A90000-0x0000000000F4B000-memory.dmp

Filesize
4.7MB

Download
memory/2444-244-0x0000000000A90000-0x0000000000F4B000-memory.dmp

Filesize
4.7MB

Download
memory/2444-19-0x0000000000A90000-0x0000000000F4B000-memory.dmp

Filesize
4.7MB

Download
memory/2676-46-0x0000000000400000-0x0000000000932000-memory.dmp

Filesize
5.2MB

Download
memory/2676-44-0x0000000000400000-0x0000000000932000-memory.dmp

Filesize
5.2MB

Download
memory/2676-25-0x0000000000400000-0x0000000000932000-memory.dmp

Filesize
5.2MB

Download
memory/2676-42-0x0000000000400000-0x0000000000932000-memory.dmp

Filesize
5.2MB

Download
memory/2676-29-0x0000000000400000-0x0000000000932000-memory.dmp

Filesize
5.2MB

Download
memory/2676-30-0x0000000000400000-0x0000000000932000-memory.dmp

Filesize
5.2MB

Download
memory/2676-35-0x0000000000400000-0x0000000000932000-memory.dmp

Filesize
5.2MB

Download
memory/2676-33-0x0000000000400000-0x0000000000932000-memory.dmp

Filesize
5.2MB

Download
memory/2676-45-0x0000000000A90000-0x0000000000F4B000-memory.dmp

Filesize
4.7MB

Download
memory/2676-39-0x0000000000400000-0x0000000000932000-memory.dmp

Filesize
5.2MB

Download
memory/2676-47-0x0000000000400000-0x0000000000932000-memory.dmp

Filesize
5.2MB

Download
memory/2676-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2676-48-0x0000000000400000-0x0000000000932000-memory.dmp

Filesize
5.2MB

Download
memory/2676-32-0x0000000000400000-0x0000000000932000-memory.dmp

Filesize
5.2MB

Download
memory/2676-34-0x0000000000400000-0x0000000000932000-memory.dmp

Filesize
5.2MB

Download
memory/2992-5-0x0000000001120000-0x00000000015DB000-memory.dmp

Filesize
4.7MB

Download
memory/2992-2-0x0000000001121000-0x000000000114F000-memory.dmp

Filesize
184KB

Download
memory/2992-3-0x0000000001120000-0x00000000015DB000-memory.dmp

Filesize
4.7MB

Download
memory/2992-0-0x0000000001120000-0x00000000015DB000-memory.dmp

Filesize
4.7MB

Download
memory/2992-14-0x0000000006560000-0x0000000006A1B000-memory.dmp

Filesize
4.7MB

Download
memory/2992-1-0x0000000077AC0000-0x0000000077AC2000-memory.dmp

Filesize
8KB

Download
memory/2992-16-0x0000000001120000-0x00000000015DB000-memory.dmp

Filesize
4.7MB

Download