amadey | a82f6884648f36314e6117a91e87b2f98dc2ed513064acdff36390e504f104f9

Analysis

max time kernel
149s
max time network
148s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
21-06-2024 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a82f6884648f36314e6117a91e87b2f98dc2ed513064acdff36390e504f104f9.exe
Size

1.8MB
MD5

292e92c073b8dab8ed455ac830a5d5f1
SHA1

b5c675a891771cdd37ed88e20df96c101b57523b
SHA256

a82f6884648f36314e6117a91e87b2f98dc2ed513064acdff36390e504f104f9
SHA512

3760ed865b28eaeced16df2f16d2d9ab3c4415a2c73b0d7e90c50dd4a98579da5625db8664dd0b09a015ac522f8aadd030f9cdd624b2a9fbdee70aa3fff16406
SSDEEP

49152:LdCZ3nSfF1FO0A/BmbK7Vobh4y78DA4CHNBdm/:LUZidHlG7YmHDA4CC

Score

10^/10

amadey risepro 0e6740 evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

risepro

77.91.77.66:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6424f18c1a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	789112f145.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a82f6884648f36314e6117a91e87b2f98dc2ed513064acdff36390e504f104f9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	789112f145.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a82f6884648f36314e6117a91e87b2f98dc2ed513064acdff36390e504f104f9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6424f18c1a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6424f18c1a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	789112f145.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a82f6884648f36314e6117a91e87b2f98dc2ed513064acdff36390e504f104f9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe

Executes dropped EXE 5 IoCs

pid	Process
3620	explortu.exe
3028	6424f18c1a.exe
3856	789112f145.exe
2848	explortu.exe
2160	explortu.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	a82f6884648f36314e6117a91e87b2f98dc2ed513064acdff36390e504f104f9.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	6424f18c1a.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	789112f145.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	explortu.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Windows\CurrentVersion\Run\6424f18c1a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\6424f18c1a.exe"	explortu.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3856-117-0x0000000000DD0000-0x0000000001328000-memory.dmp	autoit_exe
behavioral2/memory/3856-147-0x0000000000DD0000-0x0000000001328000-memory.dmp	autoit_exe
behavioral2/memory/3856-155-0x0000000000DD0000-0x0000000001328000-memory.dmp	autoit_exe
behavioral2/memory/3856-156-0x0000000000DD0000-0x0000000001328000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
4756	a82f6884648f36314e6117a91e87b2f98dc2ed513064acdff36390e504f104f9.exe
3620	explortu.exe
3028	6424f18c1a.exe
3856	789112f145.exe
2848	explortu.exe
2160	explortu.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	a82f6884648f36314e6117a91e87b2f98dc2ed513064acdff36390e504f104f9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133634166883279170"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1276817940-128734381-631578427-1000\{58BEB558-3721-491A-B18A-B87A19FABF38}	chrome.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4756	a82f6884648f36314e6117a91e87b2f98dc2ed513064acdff36390e504f104f9.exe
4756	a82f6884648f36314e6117a91e87b2f98dc2ed513064acdff36390e504f104f9.exe
3620	explortu.exe
3620	explortu.exe
3028	6424f18c1a.exe
3028	6424f18c1a.exe
3856	789112f145.exe
3856	789112f145.exe
244	chrome.exe
244	chrome.exe
2848	explortu.exe
2848	explortu.exe
2160	explortu.exe
2160	explortu.exe
4436	chrome.exe
4436	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	244	chrome.exe
Token: SeCreatePagefilePrivilege	244	chrome.exe
Token: SeShutdownPrivilege	244	chrome.exe
Token: SeCreatePagefilePrivilege	244	chrome.exe
Token: SeShutdownPrivilege	244	chrome.exe
Token: SeCreatePagefilePrivilege	244	chrome.exe
Token: SeShutdownPrivilege	244	chrome.exe
Token: SeCreatePagefilePrivilege	244	chrome.exe
Token: SeShutdownPrivilege	244	chrome.exe
Token: SeCreatePagefilePrivilege	244	chrome.exe
Token: SeShutdownPrivilege	244	chrome.exe
Token: SeCreatePagefilePrivilege	244	chrome.exe
Token: SeShutdownPrivilege	244	chrome.exe
Token: SeCreatePagefilePrivilege	244	chrome.exe
Token: SeShutdownPrivilege	244	chrome.exe
Token: SeCreatePagefilePrivilege	244	chrome.exe
Token: SeShutdownPrivilege	244	chrome.exe
Token: SeCreatePagefilePrivilege	244	chrome.exe
Token: SeShutdownPrivilege	244	chrome.exe
Token: SeCreatePagefilePrivilege	244	chrome.exe
Token: SeShutdownPrivilege	244	chrome.exe
Token: SeCreatePagefilePrivilege	244	chrome.exe
Token: SeShutdownPrivilege	244	chrome.exe
Token: SeCreatePagefilePrivilege	244	chrome.exe
Token: SeShutdownPrivilege	244	chrome.exe
Token: SeCreatePagefilePrivilege	244	chrome.exe
Token: SeShutdownPrivilege	244	chrome.exe
Token: SeCreatePagefilePrivilege	244	chrome.exe
Token: SeShutdownPrivilege	244	chrome.exe
Token: SeCreatePagefilePrivilege	244	chrome.exe
Token: SeShutdownPrivilege	244	chrome.exe
Token: SeCreatePagefilePrivilege	244	chrome.exe
Token: SeShutdownPrivilege	244	chrome.exe
Token: SeCreatePagefilePrivilege	244	chrome.exe
Token: SeShutdownPrivilege	244	chrome.exe
Token: SeCreatePagefilePrivilege	244	chrome.exe
Token: SeShutdownPrivilege	244	chrome.exe
Token: SeCreatePagefilePrivilege	244	chrome.exe
Token: SeShutdownPrivilege	244	chrome.exe
Token: SeCreatePagefilePrivilege	244	chrome.exe
Token: SeShutdownPrivilege	244	chrome.exe
Token: SeCreatePagefilePrivilege	244	chrome.exe
Token: SeShutdownPrivilege	244	chrome.exe
Token: SeCreatePagefilePrivilege	244	chrome.exe
Token: SeShutdownPrivilege	244	chrome.exe
Token: SeCreatePagefilePrivilege	244	chrome.exe
Token: SeShutdownPrivilege	244	chrome.exe
Token: SeCreatePagefilePrivilege	244	chrome.exe
Token: SeShutdownPrivilege	244	chrome.exe
Token: SeCreatePagefilePrivilege	244	chrome.exe
Token: SeShutdownPrivilege	244	chrome.exe
Token: SeCreatePagefilePrivilege	244	chrome.exe
Token: SeShutdownPrivilege	244	chrome.exe
Token: SeCreatePagefilePrivilege	244	chrome.exe
Token: SeShutdownPrivilege	244	chrome.exe
Token: SeCreatePagefilePrivilege	244	chrome.exe
Token: SeShutdownPrivilege	244	chrome.exe
Token: SeCreatePagefilePrivilege	244	chrome.exe
Token: SeShutdownPrivilege	244	chrome.exe
Token: SeCreatePagefilePrivilege	244	chrome.exe
Token: SeShutdownPrivilege	244	chrome.exe
Token: SeCreatePagefilePrivilege	244	chrome.exe
Token: SeShutdownPrivilege	244	chrome.exe
Token: SeCreatePagefilePrivilege	244	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
3856	789112f145.exe
3856	789112f145.exe
244	chrome.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe

Suspicious use of SendNotifyMessage 47 IoCs

pid	Process
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
244	chrome.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe
3856	789112f145.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4756 wrote to memory of 3620	4756	a82f6884648f36314e6117a91e87b2f98dc2ed513064acdff36390e504f104f9.exe	80
PID 4756 wrote to memory of 3620	4756	a82f6884648f36314e6117a91e87b2f98dc2ed513064acdff36390e504f104f9.exe	80
PID 4756 wrote to memory of 3620	4756	a82f6884648f36314e6117a91e87b2f98dc2ed513064acdff36390e504f104f9.exe	80
PID 3620 wrote to memory of 4884	3620	explortu.exe	81
PID 3620 wrote to memory of 4884	3620	explortu.exe	81
PID 3620 wrote to memory of 4884	3620	explortu.exe	81
PID 3620 wrote to memory of 3028	3620	explortu.exe	82
PID 3620 wrote to memory of 3028	3620	explortu.exe	82
PID 3620 wrote to memory of 3028	3620	explortu.exe	82
PID 3620 wrote to memory of 3856	3620	explortu.exe	83
PID 3620 wrote to memory of 3856	3620	explortu.exe	83
PID 3620 wrote to memory of 3856	3620	explortu.exe	83
PID 3856 wrote to memory of 244	3856	789112f145.exe	84
PID 3856 wrote to memory of 244	3856	789112f145.exe	84
PID 244 wrote to memory of 2920	244	chrome.exe	87
PID 244 wrote to memory of 2920	244	chrome.exe	87
PID 244 wrote to memory of 988	244	chrome.exe	88
PID 244 wrote to memory of 988	244	chrome.exe	88
PID 244 wrote to memory of 988	244	chrome.exe	88
PID 244 wrote to memory of 988	244	chrome.exe	88
PID 244 wrote to memory of 988	244	chrome.exe	88
PID 244 wrote to memory of 988	244	chrome.exe	88
PID 244 wrote to memory of 988	244	chrome.exe	88
PID 244 wrote to memory of 988	244	chrome.exe	88
PID 244 wrote to memory of 988	244	chrome.exe	88
PID 244 wrote to memory of 988	244	chrome.exe	88
PID 244 wrote to memory of 988	244	chrome.exe	88
PID 244 wrote to memory of 988	244	chrome.exe	88
PID 244 wrote to memory of 988	244	chrome.exe	88
PID 244 wrote to memory of 988	244	chrome.exe	88
PID 244 wrote to memory of 988	244	chrome.exe	88
PID 244 wrote to memory of 988	244	chrome.exe	88
PID 244 wrote to memory of 988	244	chrome.exe	88
PID 244 wrote to memory of 988	244	chrome.exe	88
PID 244 wrote to memory of 988	244	chrome.exe	88
PID 244 wrote to memory of 988	244	chrome.exe	88
PID 244 wrote to memory of 988	244	chrome.exe	88
PID 244 wrote to memory of 988	244	chrome.exe	88
PID 244 wrote to memory of 988	244	chrome.exe	88
PID 244 wrote to memory of 988	244	chrome.exe	88
PID 244 wrote to memory of 988	244	chrome.exe	88
PID 244 wrote to memory of 988	244	chrome.exe	88
PID 244 wrote to memory of 988	244	chrome.exe	88
PID 244 wrote to memory of 988	244	chrome.exe	88
PID 244 wrote to memory of 988	244	chrome.exe	88
PID 244 wrote to memory of 988	244	chrome.exe	88
PID 244 wrote to memory of 988	244	chrome.exe	88
PID 244 wrote to memory of 4484	244	chrome.exe	89
PID 244 wrote to memory of 4484	244	chrome.exe	89
PID 244 wrote to memory of 1560	244	chrome.exe	90
PID 244 wrote to memory of 1560	244	chrome.exe	90
PID 244 wrote to memory of 1560	244	chrome.exe	90
PID 244 wrote to memory of 1560	244	chrome.exe	90
PID 244 wrote to memory of 1560	244	chrome.exe	90
PID 244 wrote to memory of 1560	244	chrome.exe	90
PID 244 wrote to memory of 1560	244	chrome.exe	90
PID 244 wrote to memory of 1560	244	chrome.exe	90
PID 244 wrote to memory of 1560	244	chrome.exe	90
PID 244 wrote to memory of 1560	244	chrome.exe	90
PID 244 wrote to memory of 1560	244	chrome.exe	90
PID 244 wrote to memory of 1560	244	chrome.exe	90
PID 244 wrote to memory of 1560	244	chrome.exe	90
PID 244 wrote to memory of 1560	244	chrome.exe	90
PID 244 wrote to memory of 1560	244	chrome.exe	90

C:\Users\Admin\AppData\Local\Temp\a82f6884648f36314e6117a91e87b2f98dc2ed513064acdff36390e504f104f9.exe
"C:\Users\Admin\AppData\Local\Temp\a82f6884648f36314e6117a91e87b2f98dc2ed513064acdff36390e504f104f9.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3620
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:4884
- - C:\Users\Admin\AppData\Local\Temp\1000016001\6424f18c1a.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\6424f18c1a.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:3028
- - C:\Users\Admin\AppData\Local\Temp\1000017001\789112f145.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\789112f145.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3856
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:244
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffbf2cab58,0x7fffbf2cab68,0x7fffbf2cab78
        5⤵
        
        PID:2920
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1688 --field-trial-handle=1800,i,2186738132506050107,17016516070357125569,131072 /prefetch:2
        5⤵
        
        PID:988
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1800,i,2186738132506050107,17016516070357125569,131072 /prefetch:8
        5⤵
        
        PID:4484
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2124 --field-trial-handle=1800,i,2186738132506050107,17016516070357125569,131072 /prefetch:8
        5⤵
        
        PID:1560
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1800,i,2186738132506050107,17016516070357125569,131072 /prefetch:1
        5⤵
        
        PID:4820
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1800,i,2186738132506050107,17016516070357125569,131072 /prefetch:1
        5⤵
        
        PID:4008
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4200 --field-trial-handle=1800,i,2186738132506050107,17016516070357125569,131072 /prefetch:1
        5⤵
        
        PID:1564
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3324 --field-trial-handle=1800,i,2186738132506050107,17016516070357125569,131072 /prefetch:1
        5⤵
        
        PID:3980
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4452 --field-trial-handle=1800,i,2186738132506050107,17016516070357125569,131072 /prefetch:8
        5⤵
        
        PID:4568
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4476 --field-trial-handle=1800,i,2186738132506050107,17016516070357125569,131072 /prefetch:8
        5⤵
        Modifies registry class
        
        PID:2964
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 --field-trial-handle=1800,i,2186738132506050107,17016516070357125569,131072 /prefetch:8
        5⤵
        
        PID:3136
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4948 --field-trial-handle=1800,i,2186738132506050107,17016516070357125569,131072 /prefetch:8
        5⤵
        
        PID:4388
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 --field-trial-handle=1800,i,2186738132506050107,17016516070357125569,131072 /prefetch:8
        5⤵
        
        PID:5040
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2776 --field-trial-handle=1800,i,2186738132506050107,17016516070357125569,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4436

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4648

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2848

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
102ddf0637f21235c4f6d6cdb88944eb

SHA1
7dc87eb9e196c2a27fbd30ea6d6942dbef7fc2c6

SHA256
80381c4046236d59c1295426bd30340764400fa3e3f6f55bb5fdf96422c1567b

SHA512
215e15b8f76cb00cdd51f46e810deb41f94a49743b562300fcfbd0dee2feca7a772ff3fcdda6c5c9987eff6324a684fe4de6cf65551c71196cdecdfe0705794d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
659ae11193dd836288f65f925f9f52fc

SHA1
c188c9ae01d3dfde5456a5614a82abedd38e3c70

SHA256
d8a28cde329dfc9e8b9107e8278dba0907412d40fc9b117009efd26421ff8a42

SHA512
e4534ee73e0a398be0071933832638798dd382f1773f7b3eaba967ccb239be44c4539307f761963a2b2257df475cb77851ff9eb9d81ff7b42998fac5cf132af7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
70a0c96b37e390cf5ee1d6bf3c6a7ca9

SHA1
74f27329de61e524e9de853e870c890b7c0d0160

SHA256
9ef746c6e6c6ccefbe3d9475045787c662f4411fcb53f74351a5605e63abb5de

SHA512
1271dc191cb10e6d56742a9aed6bcb4bb85b6576332cac183ab5266b7d1373e34fe2ef21715aa78e6b4eddbb2a150e4d1968c2531cdfe08ae03b941e9d087e8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
d64d26bd90b3f0887e95cded31e329ba

SHA1
31bb466ec53f6d5c37cb01391c2d70bc7e11bae4

SHA256
c3d963627e269143db4386443c9a0d0881240a20f808c99e59ca7a52e1589d16

SHA512
41ad16902dfd7a0d35e4dfad657928006e027a268e398852cd6ddd4e5b6eef92c3be24b6940b8324141de145124da2149552288248b506b7a8b28cbfee720887

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
60f43cbf1e041aadb964198819ef89c1

SHA1
2fe0445996b703ce6bdcee9fc1e7cab7743bea93

SHA256
fc64cba25670fea160ca2e79123b3c96cf627c9b628aed52e2a3fc1ab08a4fd0

SHA512
d19976205f7d1d39ab358232eb7386ce1058244872b00f686770a9ed0df9210d7ad4191dcb12df21ec4cfa8fcc717f42cce4b949e06408573a306dfb04fcfc7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
06340402e758968adbb81878f9c92bfe

SHA1
30fe5aefa2ac326c8b5dcb410e28eac773fa53f7

SHA256
faddfbac4a74a5ce34e8ea6fbd32ef756dec71d85afe2fccbb0cdf12daf681fd

SHA512
08f2775c03755e42f632c8b0575a3a70817569258284575fbf7c90d30103531d6b12d7a55aa18c2b2505f2ba83e12ec858d1bbb9b9d1ca900e3e3bb8786ba7ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
6fa493a98f3240d718961a86c2d24e2e

SHA1
8ed4a5243b9de718a6bd7665ed920bbdce39adda

SHA256
3f746b0a78234765760c4ce3eabe2645964bdd3191c704c80da4e7c333a09ed6

SHA512
564e58dbf1da75d6b70072a68d597a90b0571494ad14425f246468c9f554c75a75aa4af0734033860c1999c8947edf7f231b1dec67fe1b7983932dda0e492c23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
278KB

MD5
e5f09bcc706b8e97713497353df23ed3

SHA1
e79f62a0ade3b4e5b5503288e5ac9b7ffa43fcac

SHA256
0230603a90048140cef72e405184bb1d705b6bb2af9f44f457cd88ac241d051b

SHA512
f4d58a65e138062ef3ea15d98a3f798e7743dfebc2a3c98f93fc269772a0c3144c724c2c1fe07504b1b81358a225fe575077d29a61fc83be396f4a41bd8f1ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\6424f18c1a.exe

Filesize
2.3MB

MD5
f8fb0a1de80d6cee05b3585f9a018015

SHA1
a621103c72001152ef2d02fa656afdb2672f6de5

SHA256
867b33a78f93e697c5a2059054f04126233d72223e9418172e55ea7949eb0aa4

SHA512
a73fa7306a34595e2cd02dacb9e01e7b956bfd434440a6481d85c7762d19df228cc860ee8987ea8cd5ecaea96e80487b1ab04f03e65c1f968b21f7acc453c6ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\789112f145.exe

Filesize
2.3MB

MD5
848b4d2bb61631105a4b577e0d79c74e

SHA1
e311411b1d6227f2fb5a7fbf8a627eef12d63075

SHA256
434774c5981854d28d66af1c9f726b0ca379aa6b53ac79d1ff23b6d285dbe664

SHA512
47f39fd4b7758ef4b55c02800b220eae16578fd6c194bf904f4f4d75f6e5e72a3a38620854f9432f4ef20fd5a632f5d8496a4be34926391211994cae3d91d28b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
292e92c073b8dab8ed455ac830a5d5f1

SHA1
b5c675a891771cdd37ed88e20df96c101b57523b

SHA256
a82f6884648f36314e6117a91e87b2f98dc2ed513064acdff36390e504f104f9

SHA512
3760ed865b28eaeced16df2f16d2d9ab3c4415a2c73b0d7e90c50dd4a98579da5625db8664dd0b09a015ac522f8aadd030f9cdd624b2a9fbdee70aa3fff16406

Download Submit
memory/2160-210-0x0000000000730000-0x0000000000BEB000-memory.dmp

Filesize
4.7MB

Download
memory/2160-211-0x0000000000730000-0x0000000000BEB000-memory.dmp

Filesize
4.7MB

Download
memory/2848-162-0x0000000000730000-0x0000000000BEB000-memory.dmp

Filesize
4.7MB

Download
memory/2848-160-0x0000000000730000-0x0000000000BEB000-memory.dmp

Filesize
4.7MB

Download
memory/3028-204-0x0000000000D80000-0x0000000001380000-memory.dmp

Filesize
6.0MB

Download
memory/3028-206-0x0000000000D80000-0x0000000001380000-memory.dmp

Filesize
6.0MB

Download
memory/3028-233-0x0000000000D80000-0x0000000001380000-memory.dmp

Filesize
6.0MB

Download
memory/3028-222-0x0000000000D80000-0x0000000001380000-memory.dmp

Filesize
6.0MB

Download
memory/3028-215-0x0000000000D80000-0x0000000001380000-memory.dmp

Filesize
6.0MB

Download
memory/3028-213-0x0000000000D80000-0x0000000001380000-memory.dmp

Filesize
6.0MB

Download
memory/3028-42-0x0000000000D80000-0x0000000001380000-memory.dmp

Filesize
6.0MB

Download
memory/3028-209-0x0000000000D80000-0x0000000001380000-memory.dmp

Filesize
6.0MB

Download
memory/3028-116-0x0000000000D80000-0x0000000001380000-memory.dmp

Filesize
6.0MB

Download
memory/3028-179-0x0000000000D80000-0x0000000001380000-memory.dmp

Filesize
6.0MB

Download
memory/3028-176-0x0000000000D80000-0x0000000001380000-memory.dmp

Filesize
6.0MB

Download
memory/3028-146-0x0000000000D80000-0x0000000001380000-memory.dmp

Filesize
6.0MB

Download
memory/3028-148-0x0000000000D80000-0x0000000001380000-memory.dmp

Filesize
6.0MB

Download
memory/3028-174-0x0000000000D80000-0x0000000001380000-memory.dmp

Filesize
6.0MB

Download
memory/3028-163-0x0000000000D80000-0x0000000001380000-memory.dmp

Filesize
6.0MB

Download
memory/3028-157-0x0000000000D80000-0x0000000001380000-memory.dmp

Filesize
6.0MB

Download
memory/3620-21-0x0000000000730000-0x0000000000BEB000-memory.dmp

Filesize
4.7MB

Download
memory/3620-19-0x0000000000730000-0x0000000000BEB000-memory.dmp

Filesize
4.7MB

Download
memory/3620-134-0x0000000000730000-0x0000000000BEB000-memory.dmp

Filesize
4.7MB

Download
memory/3620-138-0x0000000000730000-0x0000000000BEB000-memory.dmp

Filesize
4.7MB

Download
memory/3620-178-0x0000000000730000-0x0000000000BEB000-memory.dmp

Filesize
4.7MB

Download
memory/3620-18-0x0000000000730000-0x0000000000BEB000-memory.dmp

Filesize
4.7MB

Download
memory/3620-20-0x0000000000730000-0x0000000000BEB000-memory.dmp

Filesize
4.7MB

Download
memory/3620-173-0x0000000000730000-0x0000000000BEB000-memory.dmp

Filesize
4.7MB

Download
memory/3620-232-0x0000000000730000-0x0000000000BEB000-memory.dmp

Filesize
4.7MB

Download
memory/3620-175-0x0000000000730000-0x0000000000BEB000-memory.dmp

Filesize
4.7MB

Download
memory/3620-154-0x0000000000730000-0x0000000000BEB000-memory.dmp

Filesize
4.7MB

Download
memory/3620-118-0x0000000000730000-0x0000000000BEB000-memory.dmp

Filesize
4.7MB

Download
memory/3620-158-0x0000000000730000-0x0000000000BEB000-memory.dmp

Filesize
4.7MB

Download
memory/3620-221-0x0000000000730000-0x0000000000BEB000-memory.dmp

Filesize
4.7MB

Download
memory/3620-108-0x0000000000730000-0x0000000000BEB000-memory.dmp

Filesize
4.7MB

Download
memory/3620-203-0x0000000000730000-0x0000000000BEB000-memory.dmp

Filesize
4.7MB

Download
memory/3620-214-0x0000000000730000-0x0000000000BEB000-memory.dmp

Filesize
4.7MB

Download
memory/3620-205-0x0000000000730000-0x0000000000BEB000-memory.dmp

Filesize
4.7MB

Download
memory/3620-137-0x0000000000730000-0x0000000000BEB000-memory.dmp

Filesize
4.7MB

Download
memory/3620-207-0x0000000000730000-0x0000000000BEB000-memory.dmp

Filesize
4.7MB

Download
memory/3620-212-0x0000000000730000-0x0000000000BEB000-memory.dmp

Filesize
4.7MB

Download
memory/3856-60-0x0000000000DD0000-0x0000000001328000-memory.dmp

Filesize
5.3MB

Download
memory/3856-155-0x0000000000DD0000-0x0000000001328000-memory.dmp

Filesize
5.3MB

Download
memory/3856-117-0x0000000000DD0000-0x0000000001328000-memory.dmp

Filesize
5.3MB

Download
memory/3856-147-0x0000000000DD0000-0x0000000001328000-memory.dmp

Filesize
5.3MB

Download
memory/3856-156-0x0000000000DD0000-0x0000000001328000-memory.dmp

Filesize
5.3MB

Download
memory/4756-2-0x0000000000A31000-0x0000000000A5F000-memory.dmp

Filesize
184KB

Download
memory/4756-3-0x0000000000A30000-0x0000000000EEB000-memory.dmp

Filesize
4.7MB

Download
memory/4756-0-0x0000000000A30000-0x0000000000EEB000-memory.dmp

Filesize
4.7MB

Download
memory/4756-5-0x0000000000A30000-0x0000000000EEB000-memory.dmp

Filesize
4.7MB

Download
memory/4756-17-0x0000000000A30000-0x0000000000EEB000-memory.dmp

Filesize
4.7MB

Download
memory/4756-1-0x0000000077186000-0x0000000077188000-memory.dmp

Filesize
8KB

Download