amadey | 8082ed771b3c9f404112207d2d4ce19665eba92b1af2b531c39ca686a40348c4

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
21-06-2024 09:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8082ed771b3c9f404112207d2d4ce19665eba92b1af2b531c39ca686a40348c4.exe
Size

1.8MB
MD5

562d0283cd0e5f9e3e4fd6fb15583a12
SHA1

1743aea9f5ac8504c3846270e3d7121813a37fd6
SHA256

8082ed771b3c9f404112207d2d4ce19665eba92b1af2b531c39ca686a40348c4
SHA512

d229e570c3d557e94cd406dd90342ab32f3ecd60aac2074ac9d252035aa46b9fa6baf35fc04ef14535027508df6bff830c1007f924ba0bd7f099c00389fa2a1e
SSDEEP

49152:YYhh+Iu/+tWDOQZqL/9pGnOktiT1dGiMNUbu:Fhh+44OQ8L/6nztKdKNz

Score

10^/10

amadey risepro 0e6740 evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

risepro

77.91.77.66:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0b93b41b11.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8082ed771b3c9f404112207d2d4ce19665eba92b1af2b531c39ca686a40348c4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3140abd237.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8082ed771b3c9f404112207d2d4ce19665eba92b1af2b531c39ca686a40348c4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3140abd237.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8082ed771b3c9f404112207d2d4ce19665eba92b1af2b531c39ca686a40348c4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3140abd237.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0b93b41b11.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0b93b41b11.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe

Executes dropped EXE 5 IoCs

pid	Process
2080	explortu.exe
3484	3140abd237.exe
3268	0b93b41b11.exe
4612	explortu.exe
2832	explortu.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	8082ed771b3c9f404112207d2d4ce19665eba92b1af2b531c39ca686a40348c4.exe
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	3140abd237.exe
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	0b93b41b11.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\3140abd237.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\3140abd237.exe"	explortu.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3268-119-0x00000000007E0000-0x0000000000D46000-memory.dmp	autoit_exe
behavioral2/memory/3268-148-0x00000000007E0000-0x0000000000D46000-memory.dmp	autoit_exe
behavioral2/memory/3268-155-0x00000000007E0000-0x0000000000D46000-memory.dmp	autoit_exe
behavioral2/memory/3268-156-0x00000000007E0000-0x0000000000D46000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
484	8082ed771b3c9f404112207d2d4ce19665eba92b1af2b531c39ca686a40348c4.exe
2080	explortu.exe
3484	3140abd237.exe
3268	0b93b41b11.exe
4612	explortu.exe
2832	explortu.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	8082ed771b3c9f404112207d2d4ce19665eba92b1af2b531c39ca686a40348c4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133634341522592271"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3107365284-1576850094-161165143-1000\{1FE3D46A-6CEF-4204-8630-5E95AAB8A2CF}	chrome.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
484	8082ed771b3c9f404112207d2d4ce19665eba92b1af2b531c39ca686a40348c4.exe
484	8082ed771b3c9f404112207d2d4ce19665eba92b1af2b531c39ca686a40348c4.exe
2080	explortu.exe
2080	explortu.exe
3484	3140abd237.exe
3484	3140abd237.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
4476	chrome.exe
4476	chrome.exe
4612	explortu.exe
4612	explortu.exe
2832	explortu.exe
2832	explortu.exe
2336	chrome.exe
2336	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
4476	chrome.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe
3268	0b93b41b11.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 484 wrote to memory of 2080	484	8082ed771b3c9f404112207d2d4ce19665eba92b1af2b531c39ca686a40348c4.exe	77
PID 484 wrote to memory of 2080	484	8082ed771b3c9f404112207d2d4ce19665eba92b1af2b531c39ca686a40348c4.exe	77
PID 484 wrote to memory of 2080	484	8082ed771b3c9f404112207d2d4ce19665eba92b1af2b531c39ca686a40348c4.exe	77
PID 2080 wrote to memory of 828	2080	explortu.exe	78
PID 2080 wrote to memory of 828	2080	explortu.exe	78
PID 2080 wrote to memory of 828	2080	explortu.exe	78
PID 2080 wrote to memory of 3484	2080	explortu.exe	79
PID 2080 wrote to memory of 3484	2080	explortu.exe	79
PID 2080 wrote to memory of 3484	2080	explortu.exe	79
PID 2080 wrote to memory of 3268	2080	explortu.exe	80
PID 2080 wrote to memory of 3268	2080	explortu.exe	80
PID 2080 wrote to memory of 3268	2080	explortu.exe	80
PID 3268 wrote to memory of 4476	3268	0b93b41b11.exe	81
PID 3268 wrote to memory of 4476	3268	0b93b41b11.exe	81
PID 4476 wrote to memory of 648	4476	chrome.exe	84
PID 4476 wrote to memory of 648	4476	chrome.exe	84
PID 4476 wrote to memory of 232	4476	chrome.exe	85
PID 4476 wrote to memory of 232	4476	chrome.exe	85
PID 4476 wrote to memory of 232	4476	chrome.exe	85
PID 4476 wrote to memory of 232	4476	chrome.exe	85
PID 4476 wrote to memory of 232	4476	chrome.exe	85
PID 4476 wrote to memory of 232	4476	chrome.exe	85
PID 4476 wrote to memory of 232	4476	chrome.exe	85
PID 4476 wrote to memory of 232	4476	chrome.exe	85
PID 4476 wrote to memory of 232	4476	chrome.exe	85
PID 4476 wrote to memory of 232	4476	chrome.exe	85
PID 4476 wrote to memory of 232	4476	chrome.exe	85
PID 4476 wrote to memory of 232	4476	chrome.exe	85
PID 4476 wrote to memory of 232	4476	chrome.exe	85
PID 4476 wrote to memory of 232	4476	chrome.exe	85
PID 4476 wrote to memory of 232	4476	chrome.exe	85
PID 4476 wrote to memory of 232	4476	chrome.exe	85
PID 4476 wrote to memory of 232	4476	chrome.exe	85
PID 4476 wrote to memory of 232	4476	chrome.exe	85
PID 4476 wrote to memory of 232	4476	chrome.exe	85
PID 4476 wrote to memory of 232	4476	chrome.exe	85
PID 4476 wrote to memory of 232	4476	chrome.exe	85
PID 4476 wrote to memory of 232	4476	chrome.exe	85
PID 4476 wrote to memory of 232	4476	chrome.exe	85
PID 4476 wrote to memory of 232	4476	chrome.exe	85
PID 4476 wrote to memory of 232	4476	chrome.exe	85
PID 4476 wrote to memory of 232	4476	chrome.exe	85
PID 4476 wrote to memory of 232	4476	chrome.exe	85
PID 4476 wrote to memory of 232	4476	chrome.exe	85
PID 4476 wrote to memory of 232	4476	chrome.exe	85
PID 4476 wrote to memory of 232	4476	chrome.exe	85
PID 4476 wrote to memory of 232	4476	chrome.exe	85
PID 4476 wrote to memory of 3648	4476	chrome.exe	86
PID 4476 wrote to memory of 3648	4476	chrome.exe	86
PID 4476 wrote to memory of 2224	4476	chrome.exe	87
PID 4476 wrote to memory of 2224	4476	chrome.exe	87
PID 4476 wrote to memory of 2224	4476	chrome.exe	87
PID 4476 wrote to memory of 2224	4476	chrome.exe	87
PID 4476 wrote to memory of 2224	4476	chrome.exe	87
PID 4476 wrote to memory of 2224	4476	chrome.exe	87
PID 4476 wrote to memory of 2224	4476	chrome.exe	87
PID 4476 wrote to memory of 2224	4476	chrome.exe	87
PID 4476 wrote to memory of 2224	4476	chrome.exe	87
PID 4476 wrote to memory of 2224	4476	chrome.exe	87
PID 4476 wrote to memory of 2224	4476	chrome.exe	87
PID 4476 wrote to memory of 2224	4476	chrome.exe	87
PID 4476 wrote to memory of 2224	4476	chrome.exe	87
PID 4476 wrote to memory of 2224	4476	chrome.exe	87
PID 4476 wrote to memory of 2224	4476	chrome.exe	87

C:\Users\Admin\AppData\Local\Temp\8082ed771b3c9f404112207d2d4ce19665eba92b1af2b531c39ca686a40348c4.exe
"C:\Users\Admin\AppData\Local\Temp\8082ed771b3c9f404112207d2d4ce19665eba92b1af2b531c39ca686a40348c4.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:484
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:828
- - C:\Users\Admin\AppData\Local\Temp\1000016001\3140abd237.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\3140abd237.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:3484
- - C:\Users\Admin\AppData\Local\Temp\1000017001\0b93b41b11.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\0b93b41b11.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3268
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4476
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff972d9ab58,0x7ff972d9ab68,0x7ff972d9ab78
        5⤵
        
        PID:648
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1828,i,10966289315785507409,5234013701674342638,131072 /prefetch:2
        5⤵
        
        PID:232
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1828,i,10966289315785507409,5234013701674342638,131072 /prefetch:8
        5⤵
        
        PID:3648
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2148 --field-trial-handle=1828,i,10966289315785507409,5234013701674342638,131072 /prefetch:8
        5⤵
        
        PID:2224
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1828,i,10966289315785507409,5234013701674342638,131072 /prefetch:1
        5⤵
        
        PID:2380
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3060 --field-trial-handle=1828,i,10966289315785507409,5234013701674342638,131072 /prefetch:1
        5⤵
        
        PID:3780
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4192 --field-trial-handle=1828,i,10966289315785507409,5234013701674342638,131072 /prefetch:1
        5⤵
        
        PID:2912
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4220 --field-trial-handle=1828,i,10966289315785507409,5234013701674342638,131072 /prefetch:1
        5⤵
        
        PID:1696
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3336 --field-trial-handle=1828,i,10966289315785507409,5234013701674342638,131072 /prefetch:8
        5⤵
        
        PID:760
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1660 --field-trial-handle=1828,i,10966289315785507409,5234013701674342638,131072 /prefetch:8
        5⤵
        Modifies registry class
        
        PID:3420
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 --field-trial-handle=1828,i,10966289315785507409,5234013701674342638,131072 /prefetch:8
        5⤵
        
        PID:4912
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4884 --field-trial-handle=1828,i,10966289315785507409,5234013701674342638,131072 /prefetch:8
        5⤵
        
        PID:1968
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 --field-trial-handle=1828,i,10966289315785507409,5234013701674342638,131072 /prefetch:8
        5⤵
        
        PID:2568
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2728 --field-trial-handle=1828,i,10966289315785507409,5234013701674342638,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2336

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4568

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4612

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
6d4e827d5f24c6a5907ba047994fde8f

SHA1
128a6d16cfb3fc70a7ab6b5ea31911c9ac67cde9

SHA256
d8ba94c2bdc477bbf31c7c144ebabf80d28a0ad43653722f403538561876ac35

SHA512
e1c9696a19557bbc16793e336cada41a8f90f8e920598f70aad60245fa8fefe1a60fabb60e44e05fd650acb727b72e0c3e91b1cec15f2dd69ca75b2a768e5120

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
12d2e028da54e0964bc61a1cb6e7bb5d

SHA1
42158824264a29054588c90ab97dc0abe71d96f1

SHA256
4d6827c8e66f3331a0bb1731134e7d9d7519eeafa5a451fd9f6c69be41e021d8

SHA512
17ae0e693daeea05fff9725fe2d054cff80b75533faa1f955db15aeefca9617e6d349971ac3569e89a024c557d2dd5eb952eaa0b2166eb28f976757f41af0e25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
78e02c48655b23ef60646c1669a61f16

SHA1
13c455e7e3a4c155f2939b10d7be722474caff9b

SHA256
0b830b6cdd54478ef2616e93d7c292badbcc7280d4724f6c7dfc9eac2bbd8320

SHA512
ac7899a7783c25126ce946eb3c17058803724456133def1b2f4ba6fea92a60ef0f52229c332947db830c608574609d02a5eae865aadf49cc309407310089a2ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
05bf0cf57ca64e8aaf5b651686670880

SHA1
bca4cbf93d9a92a107deaa0827c9910149970ea7

SHA256
920ebe770ff6ca66b38ca7c58db0d79945142bc9e13064feeb9e89988089dbce

SHA512
e9fb7716afc92b92f43c35e716de0abc80bcc6129fc1725ac73d90adecd8368263f131094531fb06dc194aacb65f8d1bacc12d15f1774391629fb041c4934dca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
eefafcbb8d0f135f0ae7d48f02e73226

SHA1
e970f301dae6496b1705e60b888fecee66850bdc

SHA256
89120d3fabe6bd1344b7540958a9ee303db50741ba044a0255cb6c29ec0f36c0

SHA512
2f5238a8da1a545ca9cb5e54941934b697ca0cc7751fc4f66bf6330161101af38c0a9c28c6881c9a1f7e04dc49819cf7b01940666238a3fe3eeae78096cf1386

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
ec56e68bd7a32a04030b0a9505881a95

SHA1
92d47a03d44bf6be7eb24e6a95e8dd867e67be43

SHA256
fdc57039bdd942c02607a867837d2c1222c7e2090b74f7f77ddd95b428f717c0

SHA512
64baf0de55d985879f27fff9d7e220000a573975d4f4e32626cfd0b2468e100938591c0b86cf467a4cf05353e06ece12b93853c5b674b7083120be5ea5d7971f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
7b3c77ead22f07689d106e06c5273a40

SHA1
1f0320d30f2cde31d3524abe94219f069e870f23

SHA256
4cd5d4f0a5bc6f3f623a6d6265202206c3e85a2a9919a358c401931e2c18ec2f

SHA512
26a81e8373da2b6000e09d424b3ccfc09a85e87f826c36303f9a0eafcebebf0d8e05fbad579a59134ce4467f017d2da597467012c1c8079383db9a5acbdc42aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
3193d29eace4adf4ae7463f6c0612af9

SHA1
ecaef6f5268ae6d7b68d7d4df8722be50bb443e4

SHA256
9bd692911eed5ac0a40cc6e53f51e98f61cc23b89b3b70fa610d954e64280df2

SHA512
693225acdc6920fdefedc12dd09f166dfa071ad53fd017bcf83cd142b052d69e7c5f8e35737bca92628f4b65e0a86497041a87078e36593c13865d7e7acf9e3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
270KB

MD5
cab313f00ef2648aeebc65956a486b45

SHA1
359dde4c449fdfa316cb8dec6ce20453ee1c06cd

SHA256
95c4f4a5edbd57bd13283f664f01c1e09141d3981a91fd07a2f0fda7dcc2f7ee

SHA512
602fa36082d51f05b9fe4c2a0b0d184957202413afb64fe7cfd125712da9d5d7f3fef2cb4b58a7d676fa7e53d86f5dbbd864546fe1c711ef3392c136a38f306f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\3140abd237.exe

Filesize
2.3MB

MD5
bbe1a7c9ee2a5377e27c285deb1568e5

SHA1
90e8a94cd2cb3244ea6e5722e48f1c40eff42f5f

SHA256
09cccd1cc59b6ef6106122d1840587853abea927753b6281302cf2a15a843d47

SHA512
83f5d9ce0b6153e9a907e19155c3589e9b7fd2c3aced91acc8eb9d917fcd3fdaff62e842d33982170b494430a95ab4935bd5906f22a85e1c71fa95b348f8dd8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\0b93b41b11.exe

Filesize
2.3MB

MD5
39a50bda2d42a9cd5717f6772f0fbd3d

SHA1
c6408740683398acfec651efc1b3871b2b85fb38

SHA256
49d3ccd4ba6f6246d99d793ea23737d3b7030c1d4308e290c274154bc5b5be11

SHA512
1bd2fb2d3e4fe646ae0c3cc631c745367bb707418e34eff73f97c238843fbc76b51865d16593e0ae03061d760d31c01d1b38282c42abe54ded3924ef2bf6aa37

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
562d0283cd0e5f9e3e4fd6fb15583a12

SHA1
1743aea9f5ac8504c3846270e3d7121813a37fd6

SHA256
8082ed771b3c9f404112207d2d4ce19665eba92b1af2b531c39ca686a40348c4

SHA512
d229e570c3d557e94cd406dd90342ab32f3ecd60aac2074ac9d252035aa46b9fa6baf35fc04ef14535027508df6bff830c1007f924ba0bd7f099c00389fa2a1e

Download Submit
memory/484-0-0x0000000000FD0000-0x0000000001486000-memory.dmp

Filesize
4.7MB

Download
memory/484-17-0x0000000000FD0000-0x0000000001486000-memory.dmp

Filesize
4.7MB

Download
memory/484-5-0x0000000000FD0000-0x0000000001486000-memory.dmp

Filesize
4.7MB

Download
memory/484-3-0x0000000000FD0000-0x0000000001486000-memory.dmp

Filesize
4.7MB

Download
memory/484-2-0x0000000000FD1000-0x0000000000FFF000-memory.dmp

Filesize
184KB

Download
memory/484-1-0x0000000077676000-0x0000000077678000-memory.dmp

Filesize
8KB

Download
memory/2080-194-0x0000000000AC0000-0x0000000000F76000-memory.dmp

Filesize
4.7MB

Download
memory/2080-19-0x0000000000AC1000-0x0000000000AEF000-memory.dmp

Filesize
184KB

Download
memory/2080-116-0x0000000000AC0000-0x0000000000F76000-memory.dmp

Filesize
4.7MB

Download
memory/2080-241-0x0000000000AC0000-0x0000000000F76000-memory.dmp

Filesize
4.7MB

Download
memory/2080-106-0x0000000000AC0000-0x0000000000F76000-memory.dmp

Filesize
4.7MB

Download
memory/2080-135-0x0000000000AC0000-0x0000000000F76000-memory.dmp

Filesize
4.7MB

Download
memory/2080-136-0x0000000000AC0000-0x0000000000F76000-memory.dmp

Filesize
4.7MB

Download
memory/2080-21-0x0000000000AC0000-0x0000000000F76000-memory.dmp

Filesize
4.7MB

Download
memory/2080-18-0x0000000000AC0000-0x0000000000F76000-memory.dmp

Filesize
4.7MB

Download
memory/2080-147-0x0000000000AC0000-0x0000000000F76000-memory.dmp

Filesize
4.7MB

Download
memory/2080-20-0x0000000000AC0000-0x0000000000F76000-memory.dmp

Filesize
4.7MB

Download
memory/2080-175-0x0000000000AC0000-0x0000000000F76000-memory.dmp

Filesize
4.7MB

Download
memory/2080-205-0x0000000000AC0000-0x0000000000F76000-memory.dmp

Filesize
4.7MB

Download
memory/2080-178-0x0000000000AC0000-0x0000000000F76000-memory.dmp

Filesize
4.7MB

Download
memory/2080-207-0x0000000000AC0000-0x0000000000F76000-memory.dmp

Filesize
4.7MB

Download
memory/2080-221-0x0000000000AC0000-0x0000000000F76000-memory.dmp

Filesize
4.7MB

Download
memory/2080-158-0x0000000000AC0000-0x0000000000F76000-memory.dmp

Filesize
4.7MB

Download
memory/2080-214-0x0000000000AC0000-0x0000000000F76000-memory.dmp

Filesize
4.7MB

Download
memory/2080-212-0x0000000000AC0000-0x0000000000F76000-memory.dmp

Filesize
4.7MB

Download
memory/2080-173-0x0000000000AC0000-0x0000000000F76000-memory.dmp

Filesize
4.7MB

Download
memory/2832-210-0x0000000000AC0000-0x0000000000F76000-memory.dmp

Filesize
4.7MB

Download
memory/2832-209-0x0000000000AC0000-0x0000000000F76000-memory.dmp

Filesize
4.7MB

Download
memory/3268-61-0x00000000007E0000-0x0000000000D46000-memory.dmp

Filesize
5.4MB

Download
memory/3268-156-0x00000000007E0000-0x0000000000D46000-memory.dmp

Filesize
5.4MB

Download
memory/3268-155-0x00000000007E0000-0x0000000000D46000-memory.dmp

Filesize
5.4MB

Download
memory/3268-119-0x00000000007E0000-0x0000000000D46000-memory.dmp

Filesize
5.4MB

Download
memory/3268-148-0x00000000007E0000-0x0000000000D46000-memory.dmp

Filesize
5.4MB

Download
memory/3484-43-0x0000000000740000-0x0000000000D44000-memory.dmp

Filesize
6.0MB

Download
memory/3484-157-0x0000000000740000-0x0000000000D44000-memory.dmp

Filesize
6.0MB

Download
memory/3484-204-0x0000000000740000-0x0000000000D44000-memory.dmp

Filesize
6.0MB

Download
memory/3484-179-0x0000000000740000-0x0000000000D44000-memory.dmp

Filesize
6.0MB

Download
memory/3484-206-0x0000000000740000-0x0000000000D44000-memory.dmp

Filesize
6.0MB

Download
memory/3484-176-0x0000000000740000-0x0000000000D44000-memory.dmp

Filesize
6.0MB

Download
memory/3484-174-0x0000000000740000-0x0000000000D44000-memory.dmp

Filesize
6.0MB

Download
memory/3484-163-0x0000000000740000-0x0000000000D44000-memory.dmp

Filesize
6.0MB

Download
memory/3484-211-0x0000000000740000-0x0000000000D44000-memory.dmp

Filesize
6.0MB

Download
memory/3484-242-0x0000000000740000-0x0000000000D44000-memory.dmp

Filesize
6.0MB

Download
memory/3484-213-0x0000000000740000-0x0000000000D44000-memory.dmp

Filesize
6.0MB

Download
memory/3484-115-0x0000000000740000-0x0000000000D44000-memory.dmp

Filesize
6.0MB

Download
memory/3484-215-0x0000000000740000-0x0000000000D44000-memory.dmp

Filesize
6.0MB

Download
memory/3484-42-0x0000000000740000-0x0000000000D44000-memory.dmp

Filesize
6.0MB

Download
memory/3484-222-0x0000000000740000-0x0000000000D44000-memory.dmp

Filesize
6.0MB

Download
memory/3484-149-0x0000000000740000-0x0000000000D44000-memory.dmp

Filesize
6.0MB

Download
memory/3484-146-0x0000000000740000-0x0000000000D44000-memory.dmp

Filesize
6.0MB

Download
memory/4612-160-0x0000000000AC0000-0x0000000000F76000-memory.dmp

Filesize
4.7MB

Download
memory/4612-162-0x0000000000AC0000-0x0000000000F76000-memory.dmp

Filesize
4.7MB

Download