amadey | 24304f4b289b5a0141b07aaf2e586f8a291cb140872e44dd9c4ac4f91b0e98f6

Analysis

max time kernel
48s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24304f4b289b5a0141b07aaf2e586f8a291cb140872e44dd9c4ac4f91b0e98f6.exe
Size

1.8MB
MD5

7ee03d405aca43ba9f24b03f3108bc86
SHA1

b9f464590e8092fb33c48b04b2b9b1830486d287
SHA256

24304f4b289b5a0141b07aaf2e586f8a291cb140872e44dd9c4ac4f91b0e98f6
SHA512

fb0a7e97e44581faddd112b1a8055ff4024ce3886d78b0fc431c94dcd9044892aa278e86a304a29399946430a6efc5bc48fb702a2d05c7286bd757412d1fc366
SSDEEP

49152:DbyTGNqduFU046PhnkB+ibfESFjvyZNnUXwpB+1h0oSFW9Ui:DMua9IhnkB+ib/j6jgh0dFwZ

Score

10^/10

amadey risepro 0e6740 evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

risepro

77.91.77.66:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	24304f4b289b5a0141b07aaf2e586f8a291cb140872e44dd9c4ac4f91b0e98f6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ddf8740ec9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	981c866f6c.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	981c866f6c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	24304f4b289b5a0141b07aaf2e586f8a291cb140872e44dd9c4ac4f91b0e98f6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	24304f4b289b5a0141b07aaf2e586f8a291cb140872e44dd9c4ac4f91b0e98f6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ddf8740ec9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ddf8740ec9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	981c866f6c.exe

Executes dropped EXE 3 IoCs

pid	Process
2720	explortu.exe
2176	ddf8740ec9.exe
1676	981c866f6c.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Wine	ddf8740ec9.exe
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Wine	981c866f6c.exe
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Wine	24304f4b289b5a0141b07aaf2e586f8a291cb140872e44dd9c4ac4f91b0e98f6.exe

Loads dropped DLL 4 IoCs

pid	Process
1996	24304f4b289b5a0141b07aaf2e586f8a291cb140872e44dd9c4ac4f91b0e98f6.exe
2720	explortu.exe
2720	explortu.exe
2720	explortu.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\ddf8740ec9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\ddf8740ec9.exe"	explortu.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1676-142-0x00000000008C0000-0x0000000000E30000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1996	24304f4b289b5a0141b07aaf2e586f8a291cb140872e44dd9c4ac4f91b0e98f6.exe
2720	explortu.exe
2176	ddf8740ec9.exe
1676	981c866f6c.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	24304f4b289b5a0141b07aaf2e586f8a291cb140872e44dd9c4ac4f91b0e98f6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1996	24304f4b289b5a0141b07aaf2e586f8a291cb140872e44dd9c4ac4f91b0e98f6.exe
2720	explortu.exe
2176	ddf8740ec9.exe
1676	981c866f6c.exe
664	chrome.exe
664	chrome.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

description	pid	Process
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe
Token: SeShutdownPrivilege	664	chrome.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
1996	24304f4b289b5a0141b07aaf2e586f8a291cb140872e44dd9c4ac4f91b0e98f6.exe
1676	981c866f6c.exe
1676	981c866f6c.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
1676	981c866f6c.exe
1676	981c866f6c.exe
664	chrome.exe
664	chrome.exe
1676	981c866f6c.exe
1676	981c866f6c.exe
1676	981c866f6c.exe
1676	981c866f6c.exe
1676	981c866f6c.exe
1676	981c866f6c.exe
1676	981c866f6c.exe

Suspicious use of SendNotifyMessage 43 IoCs

pid	Process
1676	981c866f6c.exe
1676	981c866f6c.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
1676	981c866f6c.exe
1676	981c866f6c.exe
1676	981c866f6c.exe
1676	981c866f6c.exe
1676	981c866f6c.exe
1676	981c866f6c.exe
1676	981c866f6c.exe
1676	981c866f6c.exe
1676	981c866f6c.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2720	1996	24304f4b289b5a0141b07aaf2e586f8a291cb140872e44dd9c4ac4f91b0e98f6.exe	28
PID 1996 wrote to memory of 2720	1996	24304f4b289b5a0141b07aaf2e586f8a291cb140872e44dd9c4ac4f91b0e98f6.exe	28
PID 1996 wrote to memory of 2720	1996	24304f4b289b5a0141b07aaf2e586f8a291cb140872e44dd9c4ac4f91b0e98f6.exe	28
PID 1996 wrote to memory of 2720	1996	24304f4b289b5a0141b07aaf2e586f8a291cb140872e44dd9c4ac4f91b0e98f6.exe	28
PID 2720 wrote to memory of 2700	2720	explortu.exe	29
PID 2720 wrote to memory of 2700	2720	explortu.exe	29
PID 2720 wrote to memory of 2700	2720	explortu.exe	29
PID 2720 wrote to memory of 2700	2720	explortu.exe	29
PID 2720 wrote to memory of 2176	2720	explortu.exe	31
PID 2720 wrote to memory of 2176	2720	explortu.exe	31
PID 2720 wrote to memory of 2176	2720	explortu.exe	31
PID 2720 wrote to memory of 2176	2720	explortu.exe	31
PID 2720 wrote to memory of 1676	2720	explortu.exe	32
PID 2720 wrote to memory of 1676	2720	explortu.exe	32
PID 2720 wrote to memory of 1676	2720	explortu.exe	32
PID 2720 wrote to memory of 1676	2720	explortu.exe	32
PID 1676 wrote to memory of 664	1676	981c866f6c.exe	33
PID 1676 wrote to memory of 664	1676	981c866f6c.exe	33
PID 1676 wrote to memory of 664	1676	981c866f6c.exe	33
PID 1676 wrote to memory of 664	1676	981c866f6c.exe	33
PID 664 wrote to memory of 480	664	chrome.exe	34
PID 664 wrote to memory of 480	664	chrome.exe	34
PID 664 wrote to memory of 480	664	chrome.exe	34
PID 664 wrote to memory of 3036	664	chrome.exe	36
PID 664 wrote to memory of 3036	664	chrome.exe	36
PID 664 wrote to memory of 3036	664	chrome.exe	36
PID 664 wrote to memory of 3036	664	chrome.exe	36
PID 664 wrote to memory of 3036	664	chrome.exe	36
PID 664 wrote to memory of 3036	664	chrome.exe	36
PID 664 wrote to memory of 3036	664	chrome.exe	36
PID 664 wrote to memory of 3036	664	chrome.exe	36
PID 664 wrote to memory of 3036	664	chrome.exe	36
PID 664 wrote to memory of 3036	664	chrome.exe	36
PID 664 wrote to memory of 3036	664	chrome.exe	36
PID 664 wrote to memory of 3036	664	chrome.exe	36
PID 664 wrote to memory of 3036	664	chrome.exe	36
PID 664 wrote to memory of 3036	664	chrome.exe	36
PID 664 wrote to memory of 3036	664	chrome.exe	36
PID 664 wrote to memory of 3036	664	chrome.exe	36
PID 664 wrote to memory of 3036	664	chrome.exe	36
PID 664 wrote to memory of 3036	664	chrome.exe	36
PID 664 wrote to memory of 3036	664	chrome.exe	36
PID 664 wrote to memory of 3036	664	chrome.exe	36
PID 664 wrote to memory of 3036	664	chrome.exe	36
PID 664 wrote to memory of 3036	664	chrome.exe	36
PID 664 wrote to memory of 3036	664	chrome.exe	36
PID 664 wrote to memory of 3036	664	chrome.exe	36
PID 664 wrote to memory of 3036	664	chrome.exe	36
PID 664 wrote to memory of 3036	664	chrome.exe	36
PID 664 wrote to memory of 3036	664	chrome.exe	36
PID 664 wrote to memory of 3036	664	chrome.exe	36
PID 664 wrote to memory of 3036	664	chrome.exe	36
PID 664 wrote to memory of 3036	664	chrome.exe	36
PID 664 wrote to memory of 3036	664	chrome.exe	36
PID 664 wrote to memory of 3036	664	chrome.exe	36
PID 664 wrote to memory of 3036	664	chrome.exe	36
PID 664 wrote to memory of 3036	664	chrome.exe	36
PID 664 wrote to memory of 3036	664	chrome.exe	36
PID 664 wrote to memory of 3036	664	chrome.exe	36
PID 664 wrote to memory of 3036	664	chrome.exe	36
PID 664 wrote to memory of 3036	664	chrome.exe	36
PID 664 wrote to memory of 3036	664	chrome.exe	36
PID 664 wrote to memory of 2444	664	chrome.exe	37
PID 664 wrote to memory of 2444	664	chrome.exe	37

C:\Users\Admin\AppData\Local\Temp\24304f4b289b5a0141b07aaf2e586f8a291cb140872e44dd9c4ac4f91b0e98f6.exe
"C:\Users\Admin\AppData\Local\Temp\24304f4b289b5a0141b07aaf2e586f8a291cb140872e44dd9c4ac4f91b0e98f6.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:2700
- - C:\Users\Admin\AppData\Local\Temp\1000016001\ddf8740ec9.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\ddf8740ec9.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:2176
- - C:\Users\Admin\AppData\Local\Temp\1000017001\981c866f6c.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\981c866f6c.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1676
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:664
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6e79758,0x7fef6e79768,0x7fef6e79778
        5⤵
        
        PID:480
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1144 --field-trial-handle=1212,i,11182847841338625195,11399655706914633221,131072 /prefetch:2
        5⤵
        
        PID:3036
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1472 --field-trial-handle=1212,i,11182847841338625195,11399655706914633221,131072 /prefetch:8
        5⤵
        
        PID:2444
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1592 --field-trial-handle=1212,i,11182847841338625195,11399655706914633221,131072 /prefetch:8
        5⤵
        
        PID:1212
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2264 --field-trial-handle=1212,i,11182847841338625195,11399655706914633221,131072 /prefetch:1
        5⤵
        
        PID:1020
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2276 --field-trial-handle=1212,i,11182847841338625195,11399655706914633221,131072 /prefetch:1
        5⤵
        
        PID:344
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3232 --field-trial-handle=1212,i,11182847841338625195,11399655706914633221,131072 /prefetch:1
        5⤵
        
        PID:2568
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1540 --field-trial-handle=1212,i,11182847841338625195,11399655706914633221,131072 /prefetch:2
        5⤵
        
        PID:3020
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3452 --field-trial-handle=1212,i,11182847841338625195,11399655706914633221,131072 /prefetch:8
        5⤵
        
        PID:1360

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
63d006483fa85545b1d19801ab04cc87

SHA1
2f6e16fe32d2e13d951c797033900408c38800e3

SHA256
1992352460cfc55d28297865c4d73e02a8903739b187b5b3466e9b0b659180f5

SHA512
9ce1ff222ca5433f12b690f0aab8db80389587741dd85287433e0e566336b71df6fd1aa8334c760711a54388963ee4a5b633a927af4c5437a2085ed3971c12e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9865fd4027a6e6fb4feab4f9592094e7

SHA1
2c425c7453545175565f7206946af4607a4b538d

SHA256
7310bbcb069301c4a213ddd02e276af905aae083f106675638093bc00e8e48a6

SHA512
fd4ebfcd610b24bcb2b46fa2de43685722bdd2db7efd71943b9a60dab23250509c51749b2ff0cc66b05a4455721bac19151859e2f43f78e2d6bb13379dc8f152

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\ddf8740ec9.exe

Filesize
2.3MB

MD5
e97a92bda3e0fa17352c15cceb5c5dd9

SHA1
62ade664c0dc9c774995684e23cf49eaeaf23165

SHA256
459f47d3aa8001b8151726c7e74848d949006a62945915c2a1dcadd02a29b8a7

SHA512
2adec5ed0a453c6ab45cecb72d269d48fcca54fd5edc41f1414d3cebb83bca5fd19bf6a66f2635df1f9d451a044ebc900a5034d8691531d4db7c357feefbf0a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\981c866f6c.exe

Filesize
2.3MB

MD5
64f4e045e3d82bf27eb9a38fba2425e6

SHA1
c3a8f3c2725509752d5c9c64ab7e6072c25d3802

SHA256
66485826b251863e06e5409225f935dd7416baef765f0b57baedb919e474d886

SHA512
6899f4e27eef1df5635d231be4bcd4e3d6538590b6e79f92a353173c088a11cbf2527909da5e3c80e61d060722e061f4af18fdde684cd92d54573881fd2176c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
7ee03d405aca43ba9f24b03f3108bc86

SHA1
b9f464590e8092fb33c48b04b2b9b1830486d287

SHA256
24304f4b289b5a0141b07aaf2e586f8a291cb140872e44dd9c4ac4f91b0e98f6

SHA512
fb0a7e97e44581faddd112b1a8055ff4024ce3886d78b0fc431c94dcd9044892aa278e86a304a29399946430a6efc5bc48fb702a2d05c7286bd757412d1fc366

Download Submit
memory/1676-59-0x00000000008C0000-0x0000000000E30000-memory.dmp

Filesize
5.4MB

Download
memory/1676-142-0x00000000008C0000-0x0000000000E30000-memory.dmp

Filesize
5.4MB

Download
memory/1996-5-0x00000000008A0000-0x0000000000D5F000-memory.dmp

Filesize
4.7MB

Download
memory/1996-2-0x00000000008A1000-0x00000000008CF000-memory.dmp

Filesize
184KB

Download
memory/1996-1-0x0000000077060000-0x0000000077062000-memory.dmp

Filesize
8KB

Download
memory/1996-3-0x00000000008A0000-0x0000000000D5F000-memory.dmp

Filesize
4.7MB

Download
memory/1996-10-0x00000000008A0000-0x0000000000D5F000-memory.dmp

Filesize
4.7MB

Download
memory/1996-0-0x00000000008A0000-0x0000000000D5F000-memory.dmp

Filesize
4.7MB

Download
memory/1996-16-0x00000000008A0000-0x0000000000D5F000-memory.dmp

Filesize
4.7MB

Download
memory/2176-42-0x0000000000340000-0x000000000092B000-memory.dmp

Filesize
5.9MB

Download
memory/2176-158-0x0000000000340000-0x000000000092B000-memory.dmp

Filesize
5.9MB

Download
memory/2176-209-0x0000000000340000-0x000000000092B000-memory.dmp

Filesize
5.9MB

Download
memory/2176-207-0x0000000000340000-0x000000000092B000-memory.dmp

Filesize
5.9MB

Download
memory/2176-205-0x0000000000340000-0x000000000092B000-memory.dmp

Filesize
5.9MB

Download
memory/2176-203-0x0000000000340000-0x000000000092B000-memory.dmp

Filesize
5.9MB

Download
memory/2176-201-0x0000000000340000-0x000000000092B000-memory.dmp

Filesize
5.9MB

Download
memory/2176-199-0x0000000000340000-0x000000000092B000-memory.dmp

Filesize
5.9MB

Download
memory/2176-186-0x0000000000340000-0x000000000092B000-memory.dmp

Filesize
5.9MB

Download
memory/2176-131-0x0000000000340000-0x000000000092B000-memory.dmp

Filesize
5.9MB

Download
memory/2176-182-0x0000000000340000-0x000000000092B000-memory.dmp

Filesize
5.9MB

Download
memory/2176-180-0x0000000000340000-0x000000000092B000-memory.dmp

Filesize
5.9MB

Download
memory/2176-171-0x0000000000340000-0x000000000092B000-memory.dmp

Filesize
5.9MB

Download
memory/2176-168-0x0000000000340000-0x000000000092B000-memory.dmp

Filesize
5.9MB

Download
memory/2176-167-0x0000000000340000-0x000000000092B000-memory.dmp

Filesize
5.9MB

Download
memory/2720-170-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/2720-185-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/2720-166-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/2720-155-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/2720-169-0x0000000006BF0000-0x0000000007160000-memory.dmp

Filesize
5.4MB

Download
memory/2720-19-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/2720-43-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/2720-18-0x0000000000C21000-0x0000000000C4F000-memory.dmp

Filesize
184KB

Download
memory/2720-179-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/2720-21-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/2720-181-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/2720-130-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/2720-123-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/2720-159-0x0000000006BF0000-0x00000000071DB000-memory.dmp

Filesize
5.9MB

Download
memory/2720-17-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/2720-25-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/2720-198-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/2720-200-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/2720-26-0x000000000A400000-0x000000000A8BF000-memory.dmp

Filesize
4.7MB

Download
memory/2720-37-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/2720-202-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/2720-58-0x0000000006BF0000-0x0000000007160000-memory.dmp

Filesize
5.4MB

Download
memory/2720-204-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/2720-206-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/2720-41-0x0000000006BF0000-0x00000000071DB000-memory.dmp

Filesize
5.9MB

Download
memory/2720-208-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/2720-57-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download