amadey | 4c0d29f07d4a02d5809d17d6f2e4c9f87889756d5f10875b325fadb0fbaccdb1

Analysis

max time kernel
88s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-06-2024 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c0d29f07d4a02d5809d17d6f2e4c9f87889756d5f10875b325fadb0fbaccdb1_NeikiAnalytics.exe
Size

1.8MB
MD5

0975ae9c1c6df54404f66dce81cbc0c0
SHA1

df87ee661b2ede4ca0c2f6b2432f108b6657d01c
SHA256

4c0d29f07d4a02d5809d17d6f2e4c9f87889756d5f10875b325fadb0fbaccdb1
SHA512

93d486b8e08d05b3c1f41f3f8cd0c94e2294f5ee3023b29a72e7ab1e6aafe29119790a64535fa7507541fb126e6c15650240f8726bd53cd8cd88110a748cc011
SSDEEP

24576:xcuiIrzrG5nhhJwN4DGccMjfkYdsIcyed1hoWAtFam3N//0+PGfS4z0b5Y9fW5ys:xsCmu4rVdfevhoFXam3NHmkhqLRkP

Score

10^/10

amadey risepro 0e6740 evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

risepro

77.91.77.66:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6c2a6fae2c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	44d5846de6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4c0d29f07d4a02d5809d17d6f2e4c9f87889756d5f10875b325fadb0fbaccdb1_NeikiAnalytics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6c2a6fae2c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	44d5846de6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	44d5846de6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4c0d29f07d4a02d5809d17d6f2e4c9f87889756d5f10875b325fadb0fbaccdb1_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4c0d29f07d4a02d5809d17d6f2e4c9f87889756d5f10875b325fadb0fbaccdb1_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6c2a6fae2c.exe

Executes dropped EXE 3 IoCs

pid	Process
2848	explortu.exe
2948	6c2a6fae2c.exe
2656	44d5846de6.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine	4c0d29f07d4a02d5809d17d6f2e4c9f87889756d5f10875b325fadb0fbaccdb1_NeikiAnalytics.exe
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine	6c2a6fae2c.exe
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine	44d5846de6.exe

Loads dropped DLL 4 IoCs

pid	Process
3068	4c0d29f07d4a02d5809d17d6f2e4c9f87889756d5f10875b325fadb0fbaccdb1_NeikiAnalytics.exe
2848	explortu.exe
2848	explortu.exe
2848	explortu.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\6c2a6fae2c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\6c2a6fae2c.exe"	explortu.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2656-141-0x0000000000190000-0x0000000000708000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
3068	4c0d29f07d4a02d5809d17d6f2e4c9f87889756d5f10875b325fadb0fbaccdb1_NeikiAnalytics.exe
2848	explortu.exe
2948	6c2a6fae2c.exe
2656	44d5846de6.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	4c0d29f07d4a02d5809d17d6f2e4c9f87889756d5f10875b325fadb0fbaccdb1_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3068	4c0d29f07d4a02d5809d17d6f2e4c9f87889756d5f10875b325fadb0fbaccdb1_NeikiAnalytics.exe
2848	explortu.exe
2948	6c2a6fae2c.exe
2656	44d5846de6.exe
2196	chrome.exe
2196	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
3068	4c0d29f07d4a02d5809d17d6f2e4c9f87889756d5f10875b325fadb0fbaccdb1_NeikiAnalytics.exe
2656	44d5846de6.exe
2656	44d5846de6.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2656	44d5846de6.exe
2656	44d5846de6.exe
2656	44d5846de6.exe
2196	chrome.exe
2196	chrome.exe
2656	44d5846de6.exe
2656	44d5846de6.exe
2656	44d5846de6.exe
2656	44d5846de6.exe
2656	44d5846de6.exe
2656	44d5846de6.exe

Suspicious use of SendNotifyMessage 43 IoCs

pid	Process
2656	44d5846de6.exe
2656	44d5846de6.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2656	44d5846de6.exe
2656	44d5846de6.exe
2656	44d5846de6.exe
2656	44d5846de6.exe
2656	44d5846de6.exe
2656	44d5846de6.exe
2656	44d5846de6.exe
2656	44d5846de6.exe
2656	44d5846de6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2848	3068	4c0d29f07d4a02d5809d17d6f2e4c9f87889756d5f10875b325fadb0fbaccdb1_NeikiAnalytics.exe	28
PID 3068 wrote to memory of 2848	3068	4c0d29f07d4a02d5809d17d6f2e4c9f87889756d5f10875b325fadb0fbaccdb1_NeikiAnalytics.exe	28
PID 3068 wrote to memory of 2848	3068	4c0d29f07d4a02d5809d17d6f2e4c9f87889756d5f10875b325fadb0fbaccdb1_NeikiAnalytics.exe	28
PID 3068 wrote to memory of 2848	3068	4c0d29f07d4a02d5809d17d6f2e4c9f87889756d5f10875b325fadb0fbaccdb1_NeikiAnalytics.exe	28
PID 2848 wrote to memory of 2764	2848	explortu.exe	29
PID 2848 wrote to memory of 2764	2848	explortu.exe	29
PID 2848 wrote to memory of 2764	2848	explortu.exe	29
PID 2848 wrote to memory of 2764	2848	explortu.exe	29
PID 2848 wrote to memory of 2948	2848	explortu.exe	31
PID 2848 wrote to memory of 2948	2848	explortu.exe	31
PID 2848 wrote to memory of 2948	2848	explortu.exe	31
PID 2848 wrote to memory of 2948	2848	explortu.exe	31
PID 2848 wrote to memory of 2656	2848	explortu.exe	32
PID 2848 wrote to memory of 2656	2848	explortu.exe	32
PID 2848 wrote to memory of 2656	2848	explortu.exe	32
PID 2848 wrote to memory of 2656	2848	explortu.exe	32
PID 2656 wrote to memory of 2196	2656	44d5846de6.exe	33
PID 2656 wrote to memory of 2196	2656	44d5846de6.exe	33
PID 2656 wrote to memory of 2196	2656	44d5846de6.exe	33
PID 2656 wrote to memory of 2196	2656	44d5846de6.exe	33
PID 2196 wrote to memory of 2204	2196	chrome.exe	34
PID 2196 wrote to memory of 2204	2196	chrome.exe	34
PID 2196 wrote to memory of 2204	2196	chrome.exe	34
PID 2196 wrote to memory of 632	2196	chrome.exe	36
PID 2196 wrote to memory of 632	2196	chrome.exe	36
PID 2196 wrote to memory of 632	2196	chrome.exe	36
PID 2196 wrote to memory of 632	2196	chrome.exe	36
PID 2196 wrote to memory of 632	2196	chrome.exe	36
PID 2196 wrote to memory of 632	2196	chrome.exe	36
PID 2196 wrote to memory of 632	2196	chrome.exe	36
PID 2196 wrote to memory of 632	2196	chrome.exe	36
PID 2196 wrote to memory of 632	2196	chrome.exe	36
PID 2196 wrote to memory of 632	2196	chrome.exe	36
PID 2196 wrote to memory of 632	2196	chrome.exe	36
PID 2196 wrote to memory of 632	2196	chrome.exe	36
PID 2196 wrote to memory of 632	2196	chrome.exe	36
PID 2196 wrote to memory of 632	2196	chrome.exe	36
PID 2196 wrote to memory of 632	2196	chrome.exe	36
PID 2196 wrote to memory of 632	2196	chrome.exe	36
PID 2196 wrote to memory of 632	2196	chrome.exe	36
PID 2196 wrote to memory of 632	2196	chrome.exe	36
PID 2196 wrote to memory of 632	2196	chrome.exe	36
PID 2196 wrote to memory of 632	2196	chrome.exe	36
PID 2196 wrote to memory of 632	2196	chrome.exe	36
PID 2196 wrote to memory of 632	2196	chrome.exe	36
PID 2196 wrote to memory of 632	2196	chrome.exe	36
PID 2196 wrote to memory of 632	2196	chrome.exe	36
PID 2196 wrote to memory of 632	2196	chrome.exe	36
PID 2196 wrote to memory of 632	2196	chrome.exe	36
PID 2196 wrote to memory of 632	2196	chrome.exe	36
PID 2196 wrote to memory of 632	2196	chrome.exe	36
PID 2196 wrote to memory of 632	2196	chrome.exe	36
PID 2196 wrote to memory of 632	2196	chrome.exe	36
PID 2196 wrote to memory of 632	2196	chrome.exe	36
PID 2196 wrote to memory of 632	2196	chrome.exe	36
PID 2196 wrote to memory of 632	2196	chrome.exe	36
PID 2196 wrote to memory of 632	2196	chrome.exe	36
PID 2196 wrote to memory of 632	2196	chrome.exe	36
PID 2196 wrote to memory of 632	2196	chrome.exe	36
PID 2196 wrote to memory of 632	2196	chrome.exe	36
PID 2196 wrote to memory of 632	2196	chrome.exe	36
PID 2196 wrote to memory of 632	2196	chrome.exe	36
PID 2196 wrote to memory of 1948	2196	chrome.exe	37
PID 2196 wrote to memory of 1948	2196	chrome.exe	37

C:\Users\Admin\AppData\Local\Temp\4c0d29f07d4a02d5809d17d6f2e4c9f87889756d5f10875b325fadb0fbaccdb1_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4c0d29f07d4a02d5809d17d6f2e4c9f87889756d5f10875b325fadb0fbaccdb1_NeikiAnalytics.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:2764
- - C:\Users\Admin\AppData\Local\Temp\1000016001\6c2a6fae2c.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\6c2a6fae2c.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:2948
- - C:\Users\Admin\AppData\Local\Temp\1000017001\44d5846de6.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\44d5846de6.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2196
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7969758,0x7fef7969768,0x7fef7969778
        5⤵
        
        PID:2204
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1152 --field-trial-handle=1192,i,17343801202051273045,1210094610497387304,131072 /prefetch:2
        5⤵
        
        PID:632
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 --field-trial-handle=1192,i,17343801202051273045,1210094610497387304,131072 /prefetch:8
        5⤵
        
        PID:1948
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1524 --field-trial-handle=1192,i,17343801202051273045,1210094610497387304,131072 /prefetch:8
        5⤵
        
        PID:672
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2156 --field-trial-handle=1192,i,17343801202051273045,1210094610497387304,131072 /prefetch:1
        5⤵
        
        PID:1812
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2164 --field-trial-handle=1192,i,17343801202051273045,1210094610497387304,131072 /prefetch:1
        5⤵
        
        PID:1572
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2960 --field-trial-handle=1192,i,17343801202051273045,1210094610497387304,131072 /prefetch:1
        5⤵
        
        PID:2560
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1152 --field-trial-handle=1192,i,17343801202051273045,1210094610497387304,131072 /prefetch:2
        5⤵
        
        PID:2516
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3500 --field-trial-handle=1192,i,17343801202051273045,1210094610497387304,131072 /prefetch:2
        5⤵
        
        PID:2740
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 --field-trial-handle=1192,i,17343801202051273045,1210094610497387304,131072 /prefetch:8
        5⤵
        
        PID:2596

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f79b332eed8621fafcc87d89789dd895

SHA1
2b3fabdb3b94537a330e71920918be9deef7b37b

SHA256
04ed9e6bdfe49ca9e0d76ff0d161010804bbd33236c100573a928dec691f5e22

SHA512
f74309e038cc08c45634b699d96d525d951c8820dd6a8e7a1508cefe7ee29f2004f18dbb7b0ba4f38df6476ff6b5459c2360509bb50d909ccb839c2ac7839a58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
496d61a77f60295dca35d8e4a9b4ca51

SHA1
6065af78f8d6535208c6d556afcafb164bd0625c

SHA256
afd27841a0c3210cea84b4f05542dbfe23ed4b2f2ea62f355d17df05c71bb05a

SHA512
53c7a446eecd4ed93a20823e2f2f670bf878656cfd43236c003abd4b903e3c655d2ac1f40d8eba8a7cdee4c9f597b0e87327847e93c6fcc2f9c316147c97672b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFf76d50b.TMP

Filesize
6KB

MD5
c44b745f8de16fe1f937937ef5ab76a1

SHA1
d19b4775124bd5edd90093de700963696e2c6c05

SHA256
cc4d85bcfc6740a61926fae4cd7871d975b5cc98bd8cace2a3a0ca6707786834

SHA512
a59b057e5298b19be7cf281d4399a6490331a6c7d17bd2cbb185bd8dffc2a4b05470ef6de5e32353cc07c8c4e7b2244c343b6a5ea846c7e0a8dc8c3541d4236c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\6c2a6fae2c.exe

Filesize
2.3MB

MD5
b33a8d92363326931620a15917ac0930

SHA1
e4dbc660fe6b17288e24d18a860567d33b3a1fb6

SHA256
9e9ea9c197938879aa75f476dfae4b28805e79035d1b79da9d336a8d3a48f057

SHA512
cb03e789c1ad4d87e73791f364f96b7c0486f9776be0ecfdf7a3b5624f21a1de17b89ee140ae3e87fa2d14dce2ca52415d11aab809e0027f63c3d3b3b9e8eb78

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\44d5846de6.exe

Filesize
2.3MB

MD5
eca6ffa57ce83e53c723340f0a39a862

SHA1
e543d56871911fae9ece477aa5575c4a16d5fb87

SHA256
17b22121789b06189d1b8b792ee15cf4d3f81b05532f996332a46ad5a45f1224

SHA512
1a0bafad8dfad103c03e6fe2f7dad4039026759dc434ecb5dc489b64dd150cc5833a8e13dc4c1d5c56e30125b6ec98fc9f438cd3f8e8ab0a1c6f3f97c21c72b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
0975ae9c1c6df54404f66dce81cbc0c0

SHA1
df87ee661b2ede4ca0c2f6b2432f108b6657d01c

SHA256
4c0d29f07d4a02d5809d17d6f2e4c9f87889756d5f10875b325fadb0fbaccdb1

SHA512
93d486b8e08d05b3c1f41f3f8cd0c94e2294f5ee3023b29a72e7ab1e6aafe29119790a64535fa7507541fb126e6c15650240f8726bd53cd8cd88110a748cc011

Download Submit
memory/2656-141-0x0000000000190000-0x0000000000708000-memory.dmp

Filesize
5.5MB

Download
memory/2656-56-0x0000000000190000-0x0000000000708000-memory.dmp

Filesize
5.5MB

Download
memory/2848-157-0x0000000000010000-0x00000000004B7000-memory.dmp

Filesize
4.7MB

Download
memory/2848-203-0x0000000000010000-0x00000000004B7000-memory.dmp

Filesize
4.7MB

Download
memory/2848-22-0x0000000000010000-0x00000000004B7000-memory.dmp

Filesize
4.7MB

Download
memory/2848-40-0x0000000006A30000-0x0000000007023000-memory.dmp

Filesize
5.9MB

Download
memory/2848-213-0x0000000000010000-0x00000000004B7000-memory.dmp

Filesize
4.7MB

Download
memory/2848-20-0x0000000000010000-0x00000000004B7000-memory.dmp

Filesize
4.7MB

Download
memory/2848-55-0x0000000006A30000-0x0000000006FA8000-memory.dmp

Filesize
5.5MB

Download
memory/2848-19-0x0000000000011000-0x000000000003F000-memory.dmp

Filesize
184KB

Download
memory/2848-211-0x0000000000010000-0x00000000004B7000-memory.dmp

Filesize
4.7MB

Download
memory/2848-209-0x0000000000010000-0x00000000004B7000-memory.dmp

Filesize
4.7MB

Download
memory/2848-98-0x0000000000010000-0x00000000004B7000-memory.dmp

Filesize
4.7MB

Download
memory/2848-18-0x0000000000010000-0x00000000004B7000-memory.dmp

Filesize
4.7MB

Download
memory/2848-136-0x0000000000010000-0x00000000004B7000-memory.dmp

Filesize
4.7MB

Download
memory/2848-207-0x0000000000010000-0x00000000004B7000-memory.dmp

Filesize
4.7MB

Download
memory/2848-205-0x0000000000010000-0x00000000004B7000-memory.dmp

Filesize
4.7MB

Download
memory/2848-144-0x0000000000010000-0x00000000004B7000-memory.dmp

Filesize
4.7MB

Download
memory/2848-26-0x0000000000010000-0x00000000004B7000-memory.dmp

Filesize
4.7MB

Download
memory/2848-158-0x0000000000010000-0x00000000004B7000-memory.dmp

Filesize
4.7MB

Download
memory/2848-201-0x0000000000010000-0x00000000004B7000-memory.dmp

Filesize
4.7MB

Download
memory/2848-163-0x0000000006A30000-0x0000000007023000-memory.dmp

Filesize
5.9MB

Download
memory/2848-188-0x0000000000010000-0x00000000004B7000-memory.dmp

Filesize
4.7MB

Download
memory/2848-166-0x0000000006A30000-0x0000000006FA8000-memory.dmp

Filesize
5.5MB

Download
memory/2848-184-0x0000000000010000-0x00000000004B7000-memory.dmp

Filesize
4.7MB

Download
memory/2848-167-0x0000000000010000-0x00000000004B7000-memory.dmp

Filesize
4.7MB

Download
memory/2848-182-0x0000000000010000-0x00000000004B7000-memory.dmp

Filesize
4.7MB

Download
memory/2848-173-0x0000000000010000-0x00000000004B7000-memory.dmp

Filesize
4.7MB

Download
memory/2948-204-0x0000000000040000-0x0000000000633000-memory.dmp

Filesize
5.9MB

Download
memory/2948-41-0x0000000000040000-0x0000000000633000-memory.dmp

Filesize
5.9MB

Download
memory/2948-172-0x0000000000040000-0x0000000000633000-memory.dmp

Filesize
5.9MB

Download
memory/2948-183-0x0000000000040000-0x0000000000633000-memory.dmp

Filesize
5.9MB

Download
memory/2948-165-0x0000000000040000-0x0000000000633000-memory.dmp

Filesize
5.9MB

Download
memory/2948-185-0x0000000000040000-0x0000000000633000-memory.dmp

Filesize
5.9MB

Download
memory/2948-164-0x0000000000040000-0x0000000000633000-memory.dmp

Filesize
5.9MB

Download
memory/2948-189-0x0000000000040000-0x0000000000633000-memory.dmp

Filesize
5.9MB

Download
memory/2948-202-0x0000000000040000-0x0000000000633000-memory.dmp

Filesize
5.9MB

Download
memory/2948-143-0x0000000000040000-0x0000000000633000-memory.dmp

Filesize
5.9MB

Download
memory/2948-221-0x0000000000040000-0x0000000000633000-memory.dmp

Filesize
5.9MB

Download
memory/2948-212-0x0000000000040000-0x0000000000633000-memory.dmp

Filesize
5.9MB

Download
memory/2948-206-0x0000000000040000-0x0000000000633000-memory.dmp

Filesize
5.9MB

Download
memory/2948-210-0x0000000000040000-0x0000000000633000-memory.dmp

Filesize
5.9MB

Download
memory/2948-174-0x0000000000040000-0x0000000000633000-memory.dmp

Filesize
5.9MB

Download
memory/2948-208-0x0000000000040000-0x0000000000633000-memory.dmp

Filesize
5.9MB

Download
memory/3068-9-0x0000000001360000-0x0000000001807000-memory.dmp

Filesize
4.7MB

Download
memory/3068-16-0x0000000001360000-0x0000000001807000-memory.dmp

Filesize
4.7MB

Download
memory/3068-5-0x0000000001360000-0x0000000001807000-memory.dmp

Filesize
4.7MB

Download
memory/3068-15-0x0000000007000000-0x00000000074A7000-memory.dmp

Filesize
4.7MB

Download
memory/3068-3-0x0000000001360000-0x0000000001807000-memory.dmp

Filesize
4.7MB

Download
memory/3068-0-0x0000000001360000-0x0000000001807000-memory.dmp

Filesize
4.7MB

Download
memory/3068-1-0x0000000077BE0000-0x0000000077BE2000-memory.dmp

Filesize
8KB

Download
memory/3068-2-0x0000000001361000-0x000000000138F000-memory.dmp

Filesize
184KB

Download