arkei | 2ce76d4547bb19c7eefbcb1cf9669cc44abd7e565e44e48d10a4cddde8552715

Analysis

max time kernel
137s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-12-2024 18:05

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

e80579baf175626787070bf61f75b4b810eb9d9bdb653972ad40797ee5ff82cc.exe
Size

5.0MB
MD5

360a8874d4d0fe45bf44f54c82ae99d3
SHA1

f145f9c6e1ef7be5e0095d3cd7b6a337e32c25c6
SHA256

e80579baf175626787070bf61f75b4b810eb9d9bdb653972ad40797ee5ff82cc
SHA512

7894365f80c2d78d85678eaeb1e2b876749e013b2ac297926ce452a6d304aa5ad408941cbc5b1cf9b31c4242b3eb0ebc39a0f6c94ea81655ac071fc77ad992e2
SSDEEP

98304:8Sir2GLhfKDyTuwdbvLMv4JROOLYG0WU7TKhhd1gonPcMc:LGRKDyTjDMvwOavbQWL1/ct

Score

10^/10

arkei babadeda default crypter discovery loader stealer

Malware Config

Extracted

Family

arkei

Botnet

Default

185.215.113.39/7vlcKuayFx.php

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
Arkei family
arkei
Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023cca-452.dat	family_babadeda

Babadeda family
babadeda

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	e80579baf175626787070bf61f75b4b810eb9d9bdb653972ad40797ee5ff82cc.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	e80579baf175626787070bf61f75b4b810eb9d9bdb653972ad40797ee5ff82cc.tmp

Executes dropped EXE 3 IoCs

pid	Process
1084	e80579baf175626787070bf61f75b4b810eb9d9bdb653972ad40797ee5ff82cc.tmp
4268	e80579baf175626787070bf61f75b4b810eb9d9bdb653972ad40797ee5ff82cc.tmp
2156	evreporter.exe

Loads dropped DLL 1 IoCs

pid	Process
2156	evreporter.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e80579baf175626787070bf61f75b4b810eb9d9bdb653972ad40797ee5ff82cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e80579baf175626787070bf61f75b4b810eb9d9bdb653972ad40797ee5ff82cc.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e80579baf175626787070bf61f75b4b810eb9d9bdb653972ad40797ee5ff82cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e80579baf175626787070bf61f75b4b810eb9d9bdb653972ad40797ee5ff82cc.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	evreporter.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "206"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133786732522663250"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5032	WINWORD.EXE
5032	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4268	e80579baf175626787070bf61f75b4b810eb9d9bdb653972ad40797ee5ff82cc.tmp
4268	e80579baf175626787070bf61f75b4b810eb9d9bdb653972ad40797ee5ff82cc.tmp
4068	chrome.exe
4068	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe
Token: SeShutdownPrivilege	4068	chrome.exe
Token: SeCreatePagefilePrivilege	4068	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
4268	e80579baf175626787070bf61f75b4b810eb9d9bdb653972ad40797ee5ff82cc.tmp
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe
4068	chrome.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
5032	WINWORD.EXE
5032	WINWORD.EXE
5032	WINWORD.EXE
5032	WINWORD.EXE
5032	WINWORD.EXE
5032	WINWORD.EXE
5032	WINWORD.EXE
5032	WINWORD.EXE
4464	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 1084	2916	e80579baf175626787070bf61f75b4b810eb9d9bdb653972ad40797ee5ff82cc.exe	85
PID 2916 wrote to memory of 1084	2916	e80579baf175626787070bf61f75b4b810eb9d9bdb653972ad40797ee5ff82cc.exe	85
PID 2916 wrote to memory of 1084	2916	e80579baf175626787070bf61f75b4b810eb9d9bdb653972ad40797ee5ff82cc.exe	85
PID 1084 wrote to memory of 1988	1084	e80579baf175626787070bf61f75b4b810eb9d9bdb653972ad40797ee5ff82cc.tmp	86
PID 1084 wrote to memory of 1988	1084	e80579baf175626787070bf61f75b4b810eb9d9bdb653972ad40797ee5ff82cc.tmp	86
PID 1084 wrote to memory of 1988	1084	e80579baf175626787070bf61f75b4b810eb9d9bdb653972ad40797ee5ff82cc.tmp	86
PID 1988 wrote to memory of 4268	1988	e80579baf175626787070bf61f75b4b810eb9d9bdb653972ad40797ee5ff82cc.exe	87
PID 1988 wrote to memory of 4268	1988	e80579baf175626787070bf61f75b4b810eb9d9bdb653972ad40797ee5ff82cc.exe	87
PID 1988 wrote to memory of 4268	1988	e80579baf175626787070bf61f75b4b810eb9d9bdb653972ad40797ee5ff82cc.exe	87
PID 4268 wrote to memory of 2156	4268	e80579baf175626787070bf61f75b4b810eb9d9bdb653972ad40797ee5ff82cc.tmp	88
PID 4268 wrote to memory of 2156	4268	e80579baf175626787070bf61f75b4b810eb9d9bdb653972ad40797ee5ff82cc.tmp	88
PID 4268 wrote to memory of 2156	4268	e80579baf175626787070bf61f75b4b810eb9d9bdb653972ad40797ee5ff82cc.tmp	88
PID 4068 wrote to memory of 876	4068	chrome.exe	113
PID 4068 wrote to memory of 876	4068	chrome.exe	113
PID 4068 wrote to memory of 4464	4068	chrome.exe	114
PID 4068 wrote to memory of 4464	4068	chrome.exe	114
PID 4068 wrote to memory of 4464	4068	chrome.exe	114
PID 4068 wrote to memory of 4464	4068	chrome.exe	114
PID 4068 wrote to memory of 4464	4068	chrome.exe	114
PID 4068 wrote to memory of 4464	4068	chrome.exe	114
PID 4068 wrote to memory of 4464	4068	chrome.exe	114
PID 4068 wrote to memory of 4464	4068	chrome.exe	114
PID 4068 wrote to memory of 4464	4068	chrome.exe	114
PID 4068 wrote to memory of 4464	4068	chrome.exe	114
PID 4068 wrote to memory of 4464	4068	chrome.exe	114
PID 4068 wrote to memory of 4464	4068	chrome.exe	114
PID 4068 wrote to memory of 4464	4068	chrome.exe	114
PID 4068 wrote to memory of 4464	4068	chrome.exe	114
PID 4068 wrote to memory of 4464	4068	chrome.exe	114
PID 4068 wrote to memory of 4464	4068	chrome.exe	114
PID 4068 wrote to memory of 4464	4068	chrome.exe	114
PID 4068 wrote to memory of 4464	4068	chrome.exe	114
PID 4068 wrote to memory of 4464	4068	chrome.exe	114
PID 4068 wrote to memory of 4464	4068	chrome.exe	114
PID 4068 wrote to memory of 4464	4068	chrome.exe	114
PID 4068 wrote to memory of 4464	4068	chrome.exe	114
PID 4068 wrote to memory of 4464	4068	chrome.exe	114
PID 4068 wrote to memory of 4464	4068	chrome.exe	114
PID 4068 wrote to memory of 4464	4068	chrome.exe	114
PID 4068 wrote to memory of 4464	4068	chrome.exe	114
PID 4068 wrote to memory of 4464	4068	chrome.exe	114
PID 4068 wrote to memory of 4464	4068	chrome.exe	114
PID 4068 wrote to memory of 4464	4068	chrome.exe	114
PID 4068 wrote to memory of 4464	4068	chrome.exe	114
PID 4068 wrote to memory of 3092	4068	chrome.exe	115
PID 4068 wrote to memory of 3092	4068	chrome.exe	115
PID 4068 wrote to memory of 4048	4068	chrome.exe	116
PID 4068 wrote to memory of 4048	4068	chrome.exe	116
PID 4068 wrote to memory of 4048	4068	chrome.exe	116
PID 4068 wrote to memory of 4048	4068	chrome.exe	116
PID 4068 wrote to memory of 4048	4068	chrome.exe	116
PID 4068 wrote to memory of 4048	4068	chrome.exe	116
PID 4068 wrote to memory of 4048	4068	chrome.exe	116
PID 4068 wrote to memory of 4048	4068	chrome.exe	116
PID 4068 wrote to memory of 4048	4068	chrome.exe	116
PID 4068 wrote to memory of 4048	4068	chrome.exe	116
PID 4068 wrote to memory of 4048	4068	chrome.exe	116
PID 4068 wrote to memory of 4048	4068	chrome.exe	116
PID 4068 wrote to memory of 4048	4068	chrome.exe	116
PID 4068 wrote to memory of 4048	4068	chrome.exe	116
PID 4068 wrote to memory of 4048	4068	chrome.exe	116
PID 4068 wrote to memory of 4048	4068	chrome.exe	116
PID 4068 wrote to memory of 4048	4068	chrome.exe	116
PID 4068 wrote to memory of 4048	4068	chrome.exe	116

C:\Users\Admin\AppData\Local\Temp\e80579baf175626787070bf61f75b4b810eb9d9bdb653972ad40797ee5ff82cc.exe
"C:\Users\Admin\AppData\Local\Temp\e80579baf175626787070bf61f75b4b810eb9d9bdb653972ad40797ee5ff82cc.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Users\Admin\AppData\Local\Temp\is-R02KP.tmp\e80579baf175626787070bf61f75b4b810eb9d9bdb653972ad40797ee5ff82cc.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-R02KP.tmp\e80579baf175626787070bf61f75b4b810eb9d9bdb653972ad40797ee5ff82cc.tmp" /SL5="$80062,4382530,831488,C:\Users\Admin\AppData\Local\Temp\e80579baf175626787070bf61f75b4b810eb9d9bdb653972ad40797ee5ff82cc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Users\Admin\AppData\Local\Temp\e80579baf175626787070bf61f75b4b810eb9d9bdb653972ad40797ee5ff82cc.exe
    "C:\Users\Admin\AppData\Local\Temp\e80579baf175626787070bf61f75b4b810eb9d9bdb653972ad40797ee5ff82cc.exe" /VERYSILENT
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Users\Admin\AppData\Local\Temp\is-BOS3N.tmp\e80579baf175626787070bf61f75b4b810eb9d9bdb653972ad40797ee5ff82cc.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-BOS3N.tmp\e80579baf175626787070bf61f75b4b810eb9d9bdb653972ad40797ee5ff82cc.tmp" /SL5="$90050,4382530,831488,C:\Users\Admin\AppData\Local\Temp\e80579baf175626787070bf61f75b4b810eb9d9bdb653972ad40797ee5ff82cc.exe" /VERYSILENT
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4268
    - - C:\Users\Admin\AppData\Roaming\Ev Reports Management\evreporter.exe
        
        "C:\Users\Admin\AppData\Roaming\Ev Reports Management\evreporter.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2156

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffdf7b7cc40,0x7ffdf7b7cc4c,0x7ffdf7b7cc58
  2⤵
  PID:876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,14583492443746944112,1583059095218324358,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2144,i,14583492443746944112,1583059095218324358,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  PID:3092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2288,i,14583492443746944112,1583059095218324358,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2616 /prefetch:8
  2⤵
  PID:4048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,14583492443746944112,1583059095218324358,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3300,i,14583492443746944112,1583059095218324358,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:3416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4532,i,14583492443746944112,1583059095218324358,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3736 /prefetch:1
  2⤵
  PID:840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4704,i,14583492443746944112,1583059095218324358,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4508 /prefetch:8
  2⤵
  PID:1696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4936,i,14583492443746944112,1583059095218324358,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4928 /prefetch:8
  2⤵
  PID:868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5064,i,14583492443746944112,1583059095218324358,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:4392

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3728

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\ClearInitialize.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5032

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38eb855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
d77a20c5343da328ed7a27901f829ff0

SHA1
bd9893bf5223acec3181b0935d90099f4d0f70d4

SHA256
531d41fef34afe2d18de7b6fe0904069c009e2f5b245ad218504643fb53ce7f2

SHA512
0e1c7248f2b7b2dd3451c4cf38e55942798d4f26637a80cbe47d17a68c81d8ee8ff9554274508b124c303a5aa259e0bb9606372905da1c23f7519d6969a5c701

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
f9ef17b617096e7dfa3887c182bd4a36

SHA1
c81546efc157397e4b093f7c4fa618a8331ea1fa

SHA256
b1ae50d6674cb3b373cc3129ed0a714d3b9041b7989a5a20879fb747e9540593

SHA512
e6ed030d44a4933560b81f3eec3e554d5c39ce1f29620859bc91504887516d2403d0e2f69e362b29a420459b3aae444b06a7611e5fe819465e66a377f3852d9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
21d53556879d762835b04ad3c0926d54

SHA1
976df36ee35f336a2aa2e56922a315ce254d6a7c

SHA256
69d008c75d00c59bc2e77f73befc5012fd4df79da1104f7a5212af55018899e6

SHA512
eee9e62ae883d31387631e39dc303d06aa8df38c6ab67e2009a12d30c7128a0de9cb25768a6f186224f2fd80167742bda8e1898ba3f204d9f640d3bfd6c41867

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
68aa7b7d26ff17d62dc828cc695edd67

SHA1
720e7ddba96e006572590f864670b0195596586e

SHA256
4c63afcee05659e211f3b913ce080362ef7117b80467a0518312793abde02ca0

SHA512
2ce7dcd9ec1d7d7ca094bfcb977d18a0ac9d04084096ad575d826c0e53ee808c1e6b9658a0bdc93301c4bc6017b7fb91c51f95143568db8e1af45d18b55f50d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
970e9e60d37c14739cc796e19c3aca9f

SHA1
171c4bc076127d2d0e15edae9684a6be852ebafb

SHA256
ad6cc8dfa4eb71b08765749f2c21bbc7ccb83bb903e778597057047e075fc7db

SHA512
e13748387dcb1da508b3dbf0bca5541fe55b6cac4b857841f893c44951aebe50c3a2e9a3e26a1b8cd8d090e88804663adf849b0a676e1cf1d7991594b57af065

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
15f82ce3e15de0e8fd214f7e52cd5dc7

SHA1
5d65b077d181fcb8fcf03cad811829c7ce9d1a36

SHA256
dbc9faad7730b3683ac9032e8fd3893a35e548e56eaba09aa1c6d5d848d3c9e5

SHA512
c9473835bf78ccbfd347c0e89b5819293cc3622f379cb7da2f5d93097abcd3fc2812b3abcedff78ded873c9d45ce08484f114b46dd11d3886ca2a1ce803dc966

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
cfcb54bf24861dfb17ea1cced8e9b56a

SHA1
9761e25fd3daf8a5918c0ff58b7024433acec12c

SHA256
7b59ca99bf944b4aa48bc999b64372c3d0931626d8cca0605d167e2d7a790c9a

SHA512
f3c305b97dc1b6562c0654416fdc50b3bf67b4543e5fe6969d0f5f4ab263f65d495c8886a01d77fcd661a0a9261f08579e4b81d6f4ba006e3af692435f6e81ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
6ed7297b858ef389b605927a19016688

SHA1
62c08d98603cf2960b36c9d3d37160afdd4254d6

SHA256
1307142768edb3776e1efbed7466f9ccd9dd68f238950a9fc63969084ceee022

SHA512
e3361cfa0fd45a964c13db7b7a340b5a6630b2d50925727cd2daff521fc17e897f2482b136d8f3edf90f7a7f03b99ca7749e9248ac524167d6d02b520e59fb2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
b520744c5d0634d983ca682e533b4403

SHA1
8c4a640e082fdbc975f9f8c6a3aef0078943dab2

SHA256
bae09b3193a2e977a0138dd2949a3d10145d61061b79026f0d4a233ae7c8d6eb

SHA512
f1f06dfae6cf7cb77f31a7f0251bcf98b91931ee477e0961868ba608af33ec79035b6cf9b6c1e595da57abc0cf9e48f83e16350ff4d4e3a00dc24095e37539ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-R02KP.tmp\e80579baf175626787070bf61f75b4b810eb9d9bdb653972ad40797ee5ff82cc.tmp

Filesize
3.0MB

MD5
19d3e925bd3944acf03a70e2da39e46f

SHA1
b7710e87fecbd6abf2d1e60cfdf4f524f184850a

SHA256
4d1fb84d2034c51f62e6e895e246d423f7b4fb2f1c2817a1aafc0a9c2cd68dc6

SHA512
241e6cdbbaf70101e707599cad2df08948a1bbc0ae554719e8cf58d713a89b6e06bbe1911baf0a0488a92f55520828c7a5f5ff6459bac499bff07ae13eee40f0

Download Submit
C:\Users\Admin\AppData\Roaming\Ev Reports Management\evreporter.exe

Filesize
5.2MB

MD5
60c37f73b6d60884ad028ef1f026ddd7

SHA1
85409616ded051ccbe2a2854bc0c2be9a2166a14

SHA256
a7aa2196fdf652c469f5bbe4122f6bdddb6e3dd91a48e63181491f95fe102660

SHA512
cb4286729dc7e7fa901430ddd3f16e248372e94ad4a6e166ede1582e2486158c71b4c1bd4c8f4302622a308dda1caf46fbee5ec3c4f95fd7b4ea820a82f1a177

Download Submit
C:\Users\Admin\AppData\Roaming\Ev Reports Management\swresample-1.dll

Filesize
2.2MB

MD5
099e471203758f7653160a6f9f227d8d

SHA1
8246f4331f9aa47d2f9de96baafe2d1cf9bfa254

SHA256
eb9a87fc1b24a0e0476b34bfe4f22e0683f699bab9e7e50f42e3ae10c76c025b

SHA512
b7c7747277125ebc22ddc4f350212312ef6945a8f524b1f3088364c3c7b8618f480739c870037adc225c15db4887240b663c7e9d1657950171eba5ad76b3bbae

Download Submit
C:\Users\Admin\AppData\Roaming\Ev Reports Management\ui

Filesize
304KB

MD5
95518f5e98099572bede73302c79c7bd

SHA1
6168202123dca8fbc4a8e688561b5b18d51a462e

SHA256
115a380ecb81d1ddaa1c913c8ac6a1142400d22526ce979ed1a3d0a75ebf2e7a

SHA512
a0899e422b550498676b94aa9c9f59dfd5e0f6813e041f3e297698d5daa3501b186fc4a10e292f4ba445f7573d569f99a3916f4ee1f619df41492d4c2efee5e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
393B

MD5
3affd8c3201b69b9a403d0f44d9e01b7

SHA1
97a324ff0a99d70360b3425662cb38ad4b5f37a6

SHA256
d79bd9db70191eb5e6897f4c01cf3065e9dedaa59bc4826dc73a1ed987fa6ee4

SHA512
8b7aa5d74961c64de8da34bc703dcfff0570827599b15aa22a93c6b11b93bd9ae19c0d488bd1830c835da47d8e7b87de1ca62db71ac847c8dab2d6530e84cb58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/1084-13-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/1084-6-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/1988-11-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1988-9-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1988-458-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2156-459-0x0000000000400000-0x0000000000BBD000-memory.dmp

Filesize
7.7MB

Download
memory/2156-453-0x0000000000400000-0x0000000000BBD000-memory.dmp

Filesize
7.7MB

Download
memory/2916-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2916-16-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2916-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4268-19-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/4268-455-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/5032-649-0x00007FFDD5430000-0x00007FFDD5440000-memory.dmp

Filesize
64KB

Download
memory/5032-653-0x00007FFDD5430000-0x00007FFDD5440000-memory.dmp

Filesize
64KB

Download
memory/5032-652-0x00007FFDD5430000-0x00007FFDD5440000-memory.dmp

Filesize
64KB

Download
memory/5032-654-0x00007FFDD2C20000-0x00007FFDD2C30000-memory.dmp

Filesize
64KB

Download
memory/5032-655-0x00007FFDD2C20000-0x00007FFDD2C30000-memory.dmp

Filesize
64KB

Download
memory/5032-651-0x00007FFDD5430000-0x00007FFDD5440000-memory.dmp

Filesize
64KB

Download
memory/5032-650-0x00007FFDD5430000-0x00007FFDD5440000-memory.dmp

Filesize
64KB

Download
memory/5032-712-0x00007FFDD5430000-0x00007FFDD5440000-memory.dmp

Filesize
64KB

Download
memory/5032-713-0x00007FFDD5430000-0x00007FFDD5440000-memory.dmp

Filesize
64KB

Download
memory/5032-715-0x00007FFDD5430000-0x00007FFDD5440000-memory.dmp

Filesize
64KB

Download
memory/5032-714-0x00007FFDD5430000-0x00007FFDD5440000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads