risepro | 90d5d95b3abb09600ea39b9a58968705967cf7747dd18208fb8220c249002725

Analysis

max time kernel
181s
max time network
180s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
15-09-2024 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vxvault.net_0.exe
Size

2.7MB
MD5

d6d04c68b02e6fe72a3ed55ebd36bff0
SHA1

ebf3917deb2d30f95ffedd89bdff3adbc85d74bb
SHA256

90d5d95b3abb09600ea39b9a58968705967cf7747dd18208fb8220c249002725
SHA512

d640502f3e0bbc941c2082f3ebfa805dea8a4d5007b724544c2d7f7af9c96bb766f8e28ce3654adbf273b22c0d54c5e3d241257c4a2936ef781ef2ae9e6ece66
SSDEEP

49152:7RpKlE0flBGyaS+vo+O8KYv5KLSlXIH4lHW5ubiug0+v3N8G:lSBGyaRvog4LSlE4euby9d

Score

10^/10

risepro discovery evasion stealer themida trojan

Malware Config

Extracted

Family

risepro

193.233.132.226:50500

Signatures

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	vxvault.net_0.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	vxvault.net_0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vxvault.net_0.exe

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral3/memory/4756-0-0x0000000000D90000-0x00000000014F8000-memory.dmp	themida
behavioral3/memory/4756-5-0x0000000000D90000-0x00000000014F8000-memory.dmp	themida
behavioral3/memory/4756-6-0x0000000000D90000-0x00000000014F8000-memory.dmp	themida
behavioral3/memory/4756-4-0x0000000000D90000-0x00000000014F8000-memory.dmp	themida
behavioral3/memory/4756-8-0x0000000000D90000-0x00000000014F8000-memory.dmp	themida
behavioral3/memory/4756-9-0x0000000000D90000-0x00000000014F8000-memory.dmp	themida
behavioral3/memory/4756-7-0x0000000000D90000-0x00000000014F8000-memory.dmp	themida
behavioral3/memory/4756-10-0x0000000000D90000-0x00000000014F8000-memory.dmp	themida
behavioral3/memory/4756-11-0x0000000000D90000-0x00000000014F8000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vxvault.net_0.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4756	vxvault.net_0.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vxvault.net_0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133709003969917859"	chrome.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4756	vxvault.net_0.exe
4756	vxvault.net_0.exe
4688	chrome.exe
4688	chrome.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
4688	chrome.exe
4688	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeDebugPrivilege	2336	taskmgr.exe
Token: SeSystemProfilePrivilege	2336	taskmgr.exe
Token: SeCreateGlobalPrivilege	2336	taskmgr.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe
2336	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4468	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4688 wrote to memory of 3940	4688	chrome.exe	95
PID 4688 wrote to memory of 3940	4688	chrome.exe	95
PID 4688 wrote to memory of 4948	4688	chrome.exe	96
PID 4688 wrote to memory of 4948	4688	chrome.exe	96
PID 4688 wrote to memory of 4948	4688	chrome.exe	96
PID 4688 wrote to memory of 4948	4688	chrome.exe	96
PID 4688 wrote to memory of 4948	4688	chrome.exe	96
PID 4688 wrote to memory of 4948	4688	chrome.exe	96
PID 4688 wrote to memory of 4948	4688	chrome.exe	96
PID 4688 wrote to memory of 4948	4688	chrome.exe	96
PID 4688 wrote to memory of 4948	4688	chrome.exe	96
PID 4688 wrote to memory of 4948	4688	chrome.exe	96
PID 4688 wrote to memory of 4948	4688	chrome.exe	96
PID 4688 wrote to memory of 4948	4688	chrome.exe	96
PID 4688 wrote to memory of 4948	4688	chrome.exe	96
PID 4688 wrote to memory of 4948	4688	chrome.exe	96
PID 4688 wrote to memory of 4948	4688	chrome.exe	96
PID 4688 wrote to memory of 4948	4688	chrome.exe	96
PID 4688 wrote to memory of 4948	4688	chrome.exe	96
PID 4688 wrote to memory of 4948	4688	chrome.exe	96
PID 4688 wrote to memory of 4948	4688	chrome.exe	96
PID 4688 wrote to memory of 4948	4688	chrome.exe	96
PID 4688 wrote to memory of 4948	4688	chrome.exe	96
PID 4688 wrote to memory of 4948	4688	chrome.exe	96
PID 4688 wrote to memory of 4948	4688	chrome.exe	96
PID 4688 wrote to memory of 4948	4688	chrome.exe	96
PID 4688 wrote to memory of 4948	4688	chrome.exe	96
PID 4688 wrote to memory of 4948	4688	chrome.exe	96
PID 4688 wrote to memory of 4948	4688	chrome.exe	96
PID 4688 wrote to memory of 4948	4688	chrome.exe	96
PID 4688 wrote to memory of 4948	4688	chrome.exe	96
PID 4688 wrote to memory of 4948	4688	chrome.exe	96
PID 4688 wrote to memory of 2296	4688	chrome.exe	97
PID 4688 wrote to memory of 2296	4688	chrome.exe	97
PID 4688 wrote to memory of 1708	4688	chrome.exe	98
PID 4688 wrote to memory of 1708	4688	chrome.exe	98
PID 4688 wrote to memory of 1708	4688	chrome.exe	98
PID 4688 wrote to memory of 1708	4688	chrome.exe	98
PID 4688 wrote to memory of 1708	4688	chrome.exe	98
PID 4688 wrote to memory of 1708	4688	chrome.exe	98
PID 4688 wrote to memory of 1708	4688	chrome.exe	98
PID 4688 wrote to memory of 1708	4688	chrome.exe	98
PID 4688 wrote to memory of 1708	4688	chrome.exe	98
PID 4688 wrote to memory of 1708	4688	chrome.exe	98
PID 4688 wrote to memory of 1708	4688	chrome.exe	98
PID 4688 wrote to memory of 1708	4688	chrome.exe	98
PID 4688 wrote to memory of 1708	4688	chrome.exe	98
PID 4688 wrote to memory of 1708	4688	chrome.exe	98
PID 4688 wrote to memory of 1708	4688	chrome.exe	98
PID 4688 wrote to memory of 1708	4688	chrome.exe	98
PID 4688 wrote to memory of 1708	4688	chrome.exe	98
PID 4688 wrote to memory of 1708	4688	chrome.exe	98
PID 4688 wrote to memory of 1708	4688	chrome.exe	98
PID 4688 wrote to memory of 1708	4688	chrome.exe	98
PID 4688 wrote to memory of 1708	4688	chrome.exe	98
PID 4688 wrote to memory of 1708	4688	chrome.exe	98
PID 4688 wrote to memory of 1708	4688	chrome.exe	98
PID 4688 wrote to memory of 1708	4688	chrome.exe	98
PID 4688 wrote to memory of 1708	4688	chrome.exe	98
PID 4688 wrote to memory of 1708	4688	chrome.exe	98
PID 4688 wrote to memory of 1708	4688	chrome.exe	98
PID 4688 wrote to memory of 1708	4688	chrome.exe	98
PID 4688 wrote to memory of 1708	4688	chrome.exe	98
PID 4688 wrote to memory of 1708	4688	chrome.exe	98

C:\Users\Admin\AppData\Local\Temp\vxvault.net_0.exe
"C:\Users\Admin\AppData\Local\Temp\vxvault.net_0.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2008

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:2956

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:3056

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff84f25cc40,0x7ff84f25cc4c,0x7ff84f25cc58
  2⤵
  PID:3940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1928,i,12810024695614949955,291016588097367236,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1964 /prefetch:2
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1660,i,12810024695614949955,291016588097367236,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2104 /prefetch:3
  2⤵
  PID:2296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,12810024695614949955,291016588097367236,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2336 /prefetch:8
  2⤵
  PID:1708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,12810024695614949955,291016588097367236,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,12810024695614949955,291016588097367236,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:1056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4480,i,12810024695614949955,291016588097367236,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4436 /prefetch:1
  2⤵
  PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4860,i,12810024695614949955,291016588097367236,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4904 /prefetch:8
  2⤵
  PID:1648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4476,i,12810024695614949955,291016588097367236,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4364 /prefetch:8
  2⤵
  PID:1380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=212,i,12810024695614949955,291016588097367236,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4336 /prefetch:8
  2⤵
  PID:2716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3728,i,12810024695614949955,291016588097367236,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  PID:1904

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4844

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\56f9a685-77dc-47d0-b1b5-39fbb1f40417.tmp

Filesize
9KB

MD5
14cad355d8c22d04fead21f473bd4b56

SHA1
9ad7e0504d377f15ae6c9d5f3fb48044e2fad9fe

SHA256
55e850eb08d62f9064af5469e3078b79821672114cbb970dca04afdb68a0e814

SHA512
085af98428117e2cbead071029627fc1fb85e843f64edf4a279f32f0409a4ab38ff88bc7672827d153bfe412c2ba7a2b3c94ad6db5a8afc53b3267711f52eea8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
869a2fbc09063d277c6a1e29cd8202e0

SHA1
cb64756fdde96429d81409826228acdd956e60e9

SHA256
7f09db02892ad3834fa91594bb68e57380a1c712953efbaab355c6eead380b69

SHA512
b35e5210c1ef5dced5904d6ce190b4b7305ec3b0564a9b4f752175f6a386e162b341d6c64ed25018439a2b9e182261ea332d8d9e9433b0b806cfe801fe34d186

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b21138ae8266f2a1959a0036819bb1ba

SHA1
a82777e4a2e72bb27ba37ab3f71566611e5e51e4

SHA256
ae6d1cb3dc318beba4e19c1cd6b764cfd315d7d66213866469d95219c2319830

SHA512
3b0249a9ac08ca3e31de90d9b44cb1c58897ae4111f6ca716705b16d017ffb1262a352214bade0e8c74e0b3be58e06f289255ea8232c7c32c40df9f2c6af4767

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
8bc41cd259cbbae7bcd83d7d8d501db8

SHA1
bd40e955f5355f654dc6656b16c0702a6980d031

SHA256
82c54db63b682021313dbfc9a8fca826a0cadd212eb52c3b4972620b5f0a0dff

SHA512
cfaba446d05323c76a1cd525a0b476a22ebe5e8e67fe7347508d7f55239f7bd6b56a55a5f16cde2a4dd7022c2a519b5167720db923dcd346e40b0c83359ffb73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
681550c4671533e26d6e7f94b3117c5d

SHA1
ac77189f70f0bff47fe972bad3e644e620e32c2b

SHA256
61cbfb699a1385dcf98e37279d1fec3124a1bd08e31b5d24d0db9ef026e3ad27

SHA512
dfbe96e0068a8caaff3706e458a84d5c95e91434904ba34cf2db24f8b3f20237f9b75be69006f63ce5c99a0432465c1d70b933398c3fef6a8f4a8f554ebd1528

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6e2a863f81ea0b7d96676706075fffec

SHA1
9796f875d6e99552ce56a6bb1362451939806c15

SHA256
d5d64f3da9c92c613845b0d641549f8166c0e442d597d85e942ab46c0e725b28

SHA512
2eb98a5b76cc2789eca39441c9e16b7be4503711d76e3a6c70c8ff6d248849b94f400c9e487e8f69073d75a9494f6313e9eb34563021b8efa266f007e0678c96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5cb3b8f8e8775db05661fbf22f47e210

SHA1
38207100b7bb32d3935cfe8c7efe329eeb0fed09

SHA256
cee2e36b4cf5bde5d5798c77e1133858964684fe46104b6b200db3dd0d62de53

SHA512
211174ec5421cbd927111f562fca0de0515c0f70fd791ba66104a2455765a3924399d85e6dfc113505500835da423f0ed3cbe9124723260bbd72a9028cb87d2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8ce31ad8a87305c68e1f88c95fcbab45

SHA1
1fd03667321079c615b25e3506bc26d7d655db36

SHA256
754522a57dc6a743a3f56a4032dfbbc846d0b356688436711a9ee3bb6e0fbf48

SHA512
65cfe3710ec8b8d5b7e02f8b0fc74cb956c2889f9e3332a3aeadf36eecbde35cafc78e1cab6b0fc8db98d2f0782f354397247ef5b3782ed571c61696f1258cc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
03e8336a87ad82c6da6c1f1be59bb3b5

SHA1
d331b1ac9aeee9f98018f958a9b09ea663f48d72

SHA256
bbb9aa5742ea7b9c22aeba3631120279be69f79c7f28f5480f27e0f14df23e16

SHA512
26446e465d57c26517dfb798d54018e625972fa6bc9c9eb0c7ae75e751c33cd1dc730930aa1768848d1e0d51ed5874821e8a193f81cdce30b77f868de73c4f1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
f2c1cc3ee4a682476107ccac5eeed6f3

SHA1
59cdc5a3b35004f4886121455ad96013317807ee

SHA256
d3e4e496bb53fd3491b76e99aafce22fa2ae50395bd83e75810c08ff9f22c3ea

SHA512
afe035f2c5ebe583c448aca5c7cd7da37482f788e13b2e10011c3bc7529898fbb800a7e9ee40e14341cadc05cb0a00bfd357d0c6716beda9b1417550a1ba90c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
210KB

MD5
f59517cb13308db01ac1e57e6883c140

SHA1
03687a1cdcd32e8c270bfb363916fa62d04a6b5d

SHA256
40664c7527d38bf62a0dbf9c73601c2f5f8a631da73d36d79acc8e145cb2355d

SHA512
ca9231970e0c054aa902fa166fcbecb351350a08d89f016a68e0ac09c5b06d150f6163bdb61fc2af7363973a656c57209722c837567182e809acca8b019a8563

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
210KB

MD5
1c947d82ad848ed272e8c54bca1a8c7a

SHA1
af56a8fc3a1bf6585c80c468e552b35398938c53

SHA256
3e09f03182de042f194d031b16189e84753ad9908eccd73bc752ab30ca17e123

SHA512
02dbd12e8547abde6f6231afa7d5106bcd6853e3871adfe813589736e709aaeb16e8215574bedb5294d0c5a438f59c5e7a16e72a32ddafe9157ab9e674999abb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
239KB

MD5
791c8ebd5cf0c3311a079f31d9b5811c

SHA1
20cb33bdd8286f588e75b1f4d1d3ca0008307254

SHA256
273b9fdb5a9bbb5c21026a188f5a3e90c21a8c057060cd8316f7babebb9c826b

SHA512
61cb12c6ccfa0f76a49aa3ba4f878cf62d869118b7b333c951d0f0ef1f0ffeb78db3ed856162128aa471797c9a0f16426b1a9153186c8833439592281edd4e28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
239KB

MD5
5ac860f53de9275c96813d03f4e30f61

SHA1
97ac6c4efa818b6e5eece877fa511cf89cb5eac0

SHA256
065ddcf40ea30753118b72312e3f904f80fd7a8d3330e222478864ed6583b30f

SHA512
5694527ed38c2308e45e10b0fa205c9f5fc02cfc434ec955df4e860749283a4360b0f0c35a02a1ceacb5890818517e87087988b2dd3e5f3f59f357d1b83e7183

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
d9e1270d710802f1847f70470f56ff33

SHA1
5a47d53993b5c87b547d21cd62c5f0ec01017aa5

SHA256
17e201d988504c37374646e73f0cdfb38170dba75cf092f61fd46f7ce4cbf635

SHA512
88e2bea3bc3a8b5ac2a2a6bade6431e495e3102ab816fb9f3d55d17753f72bf900a7f6439ca9ef0262451c3d686e89302a3ca2afb7dbddfa17899e84f87405a2

Download Submit
memory/2336-114-0x0000013CCEAC0000-0x0000013CCEAC1000-memory.dmp

Filesize
4KB

Download
memory/2336-102-0x0000013CCEAC0000-0x0000013CCEAC1000-memory.dmp

Filesize
4KB

Download
memory/2336-109-0x0000013CCEAC0000-0x0000013CCEAC1000-memory.dmp

Filesize
4KB

Download
memory/2336-110-0x0000013CCEAC0000-0x0000013CCEAC1000-memory.dmp

Filesize
4KB

Download
memory/2336-111-0x0000013CCEAC0000-0x0000013CCEAC1000-memory.dmp

Filesize
4KB

Download
memory/2336-113-0x0000013CCEAC0000-0x0000013CCEAC1000-memory.dmp

Filesize
4KB

Download
memory/2336-112-0x0000013CCEAC0000-0x0000013CCEAC1000-memory.dmp

Filesize
4KB

Download
memory/2336-108-0x0000013CCEAC0000-0x0000013CCEAC1000-memory.dmp

Filesize
4KB

Download
memory/2336-103-0x0000013CCEAC0000-0x0000013CCEAC1000-memory.dmp

Filesize
4KB

Download
memory/2336-104-0x0000013CCEAC0000-0x0000013CCEAC1000-memory.dmp

Filesize
4KB

Download
memory/4756-0-0x0000000000D90000-0x00000000014F8000-memory.dmp

Filesize
7.4MB

Download
memory/4756-14-0x0000000076950000-0x0000000076A40000-memory.dmp

Filesize
960KB

Download
memory/4756-10-0x0000000000D90000-0x00000000014F8000-memory.dmp

Filesize
7.4MB

Download
memory/4756-16-0x0000000076950000-0x0000000076A40000-memory.dmp

Filesize
960KB

Download
memory/4756-11-0x0000000000D90000-0x00000000014F8000-memory.dmp

Filesize
7.4MB

Download
memory/4756-12-0x0000000076966000-0x0000000076967000-memory.dmp

Filesize
4KB

Download
memory/4756-13-0x0000000076950000-0x0000000076A40000-memory.dmp

Filesize
960KB

Download
memory/4756-7-0x0000000000D90000-0x00000000014F8000-memory.dmp

Filesize
7.4MB

Download
memory/4756-9-0x0000000000D90000-0x00000000014F8000-memory.dmp

Filesize
7.4MB

Download
memory/4756-8-0x0000000000D90000-0x00000000014F8000-memory.dmp

Filesize
7.4MB

Download
memory/4756-4-0x0000000000D90000-0x00000000014F8000-memory.dmp

Filesize
7.4MB

Download
memory/4756-6-0x0000000000D90000-0x00000000014F8000-memory.dmp

Filesize
7.4MB

Download
memory/4756-5-0x0000000000D90000-0x00000000014F8000-memory.dmp

Filesize
7.4MB

Download
memory/4756-3-0x0000000076950000-0x0000000076A40000-memory.dmp

Filesize
960KB

Download
memory/4756-2-0x0000000076950000-0x0000000076A40000-memory.dmp

Filesize
960KB

Download
memory/4756-1-0x0000000076966000-0x0000000076967000-memory.dmp

Filesize
4KB

Download