amadey | 442c25cecc8369d4b855ca28b3be8fad8a707fa8da8fd91b12aea17c601f3b4e

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
21-06-2024 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

442c25cecc8369d4b855ca28b3be8fad8a707fa8da8fd91b12aea17c601f3b4e.exe
Size

1.8MB
MD5

f4e6fbc2e750b30ce2d722824fef95ed
SHA1

45be637815aa265173fb9083dc735f95c341a303
SHA256

442c25cecc8369d4b855ca28b3be8fad8a707fa8da8fd91b12aea17c601f3b4e
SHA512

e56975582c904a42db10086f36a3ff897ac04a418bca1f2f7129c49502f95f1262131ae0167a56bd066915313b9f0594c36d9012e80e06f8476e92203543530f
SSDEEP

24576:mFUBtmghMAZ783yVaFX6B2veZzyzvSVpOfymwfQaAo6U7ptDJj+j7+ZdbMaAb5zv:/cghMMdaIJbVp0ymv67ptD9AqZFmqa1

Score

10^/10

amadey 0e6740 evasion persistence trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b4be17ff7d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	442c25cecc8369d4b855ca28b3be8fad8a707fa8da8fd91b12aea17c601f3b4e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	16040f7a20.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	442c25cecc8369d4b855ca28b3be8fad8a707fa8da8fd91b12aea17c601f3b4e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	442c25cecc8369d4b855ca28b3be8fad8a707fa8da8fd91b12aea17c601f3b4e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	16040f7a20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	16040f7a20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b4be17ff7d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b4be17ff7d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe

Executes dropped EXE 6 IoCs

pid	Process
4580	explortu.exe
2028	explortu.exe
4352	16040f7a20.exe
2172	b4be17ff7d.exe
424	explortu.exe
4932	explortu.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	442c25cecc8369d4b855ca28b3be8fad8a707fa8da8fd91b12aea17c601f3b4e.exe
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	16040f7a20.exe
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	b4be17ff7d.exe
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	explortu.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\16040f7a20.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\16040f7a20.exe"	explortu.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/2172-120-0x0000000000110000-0x0000000000667000-memory.dmp	autoit_exe
behavioral2/memory/2172-148-0x0000000000110000-0x0000000000667000-memory.dmp	autoit_exe
behavioral2/memory/2172-154-0x0000000000110000-0x0000000000667000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
1664	442c25cecc8369d4b855ca28b3be8fad8a707fa8da8fd91b12aea17c601f3b4e.exe
4580	explortu.exe
2028	explortu.exe
4352	16040f7a20.exe
2172	b4be17ff7d.exe
424	explortu.exe
4932	explortu.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	442c25cecc8369d4b855ca28b3be8fad8a707fa8da8fd91b12aea17c601f3b4e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133634622724519417"	chrome.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1664	442c25cecc8369d4b855ca28b3be8fad8a707fa8da8fd91b12aea17c601f3b4e.exe
1664	442c25cecc8369d4b855ca28b3be8fad8a707fa8da8fd91b12aea17c601f3b4e.exe
4580	explortu.exe
4580	explortu.exe
2028	explortu.exe
2028	explortu.exe
4352	16040f7a20.exe
4352	16040f7a20.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
3932	chrome.exe
3932	chrome.exe
424	explortu.exe
424	explortu.exe
4932	explortu.exe
4932	explortu.exe
4732	chrome.exe
4732	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
2172	b4be17ff7d.exe
3932	chrome.exe
2172	b4be17ff7d.exe
3932	chrome.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe
2172	b4be17ff7d.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 4580	1664	442c25cecc8369d4b855ca28b3be8fad8a707fa8da8fd91b12aea17c601f3b4e.exe	77
PID 1664 wrote to memory of 4580	1664	442c25cecc8369d4b855ca28b3be8fad8a707fa8da8fd91b12aea17c601f3b4e.exe	77
PID 1664 wrote to memory of 4580	1664	442c25cecc8369d4b855ca28b3be8fad8a707fa8da8fd91b12aea17c601f3b4e.exe	77
PID 4580 wrote to memory of 2628	4580	explortu.exe	79
PID 4580 wrote to memory of 2628	4580	explortu.exe	79
PID 4580 wrote to memory of 2628	4580	explortu.exe	79
PID 4580 wrote to memory of 4352	4580	explortu.exe	80
PID 4580 wrote to memory of 4352	4580	explortu.exe	80
PID 4580 wrote to memory of 4352	4580	explortu.exe	80
PID 4580 wrote to memory of 2172	4580	explortu.exe	81
PID 4580 wrote to memory of 2172	4580	explortu.exe	81
PID 4580 wrote to memory of 2172	4580	explortu.exe	81
PID 2172 wrote to memory of 3932	2172	b4be17ff7d.exe	82
PID 2172 wrote to memory of 3932	2172	b4be17ff7d.exe	82
PID 3932 wrote to memory of 3444	3932	chrome.exe	85
PID 3932 wrote to memory of 3444	3932	chrome.exe	85
PID 3932 wrote to memory of 4044	3932	chrome.exe	86
PID 3932 wrote to memory of 4044	3932	chrome.exe	86
PID 3932 wrote to memory of 4044	3932	chrome.exe	86
PID 3932 wrote to memory of 4044	3932	chrome.exe	86
PID 3932 wrote to memory of 4044	3932	chrome.exe	86
PID 3932 wrote to memory of 4044	3932	chrome.exe	86
PID 3932 wrote to memory of 4044	3932	chrome.exe	86
PID 3932 wrote to memory of 4044	3932	chrome.exe	86
PID 3932 wrote to memory of 4044	3932	chrome.exe	86
PID 3932 wrote to memory of 4044	3932	chrome.exe	86
PID 3932 wrote to memory of 4044	3932	chrome.exe	86
PID 3932 wrote to memory of 4044	3932	chrome.exe	86
PID 3932 wrote to memory of 4044	3932	chrome.exe	86
PID 3932 wrote to memory of 4044	3932	chrome.exe	86
PID 3932 wrote to memory of 4044	3932	chrome.exe	86
PID 3932 wrote to memory of 4044	3932	chrome.exe	86
PID 3932 wrote to memory of 4044	3932	chrome.exe	86
PID 3932 wrote to memory of 4044	3932	chrome.exe	86
PID 3932 wrote to memory of 4044	3932	chrome.exe	86
PID 3932 wrote to memory of 4044	3932	chrome.exe	86
PID 3932 wrote to memory of 4044	3932	chrome.exe	86
PID 3932 wrote to memory of 4044	3932	chrome.exe	86
PID 3932 wrote to memory of 4044	3932	chrome.exe	86
PID 3932 wrote to memory of 4044	3932	chrome.exe	86
PID 3932 wrote to memory of 4044	3932	chrome.exe	86
PID 3932 wrote to memory of 4044	3932	chrome.exe	86
PID 3932 wrote to memory of 4044	3932	chrome.exe	86
PID 3932 wrote to memory of 4044	3932	chrome.exe	86
PID 3932 wrote to memory of 4044	3932	chrome.exe	86
PID 3932 wrote to memory of 4044	3932	chrome.exe	86
PID 3932 wrote to memory of 4044	3932	chrome.exe	86
PID 3932 wrote to memory of 3272	3932	chrome.exe	87
PID 3932 wrote to memory of 3272	3932	chrome.exe	87
PID 3932 wrote to memory of 2456	3932	chrome.exe	88
PID 3932 wrote to memory of 2456	3932	chrome.exe	88
PID 3932 wrote to memory of 2456	3932	chrome.exe	88
PID 3932 wrote to memory of 2456	3932	chrome.exe	88
PID 3932 wrote to memory of 2456	3932	chrome.exe	88
PID 3932 wrote to memory of 2456	3932	chrome.exe	88
PID 3932 wrote to memory of 2456	3932	chrome.exe	88
PID 3932 wrote to memory of 2456	3932	chrome.exe	88
PID 3932 wrote to memory of 2456	3932	chrome.exe	88
PID 3932 wrote to memory of 2456	3932	chrome.exe	88
PID 3932 wrote to memory of 2456	3932	chrome.exe	88
PID 3932 wrote to memory of 2456	3932	chrome.exe	88
PID 3932 wrote to memory of 2456	3932	chrome.exe	88
PID 3932 wrote to memory of 2456	3932	chrome.exe	88
PID 3932 wrote to memory of 2456	3932	chrome.exe	88

C:\Users\Admin\AppData\Local\Temp\442c25cecc8369d4b855ca28b3be8fad8a707fa8da8fd91b12aea17c601f3b4e.exe
"C:\Users\Admin\AppData\Local\Temp\442c25cecc8369d4b855ca28b3be8fad8a707fa8da8fd91b12aea17c601f3b4e.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4580
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:2628
- - C:\Users\Admin\AppData\Local\Temp\1000016001\16040f7a20.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\16040f7a20.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:4352
- - C:\Users\Admin\AppData\Local\Temp\1000017001\b4be17ff7d.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\b4be17ff7d.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3932
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa47e6ab58,0x7ffa47e6ab68,0x7ffa47e6ab78
        5⤵
        
        PID:3444
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1812,i,1654996418600666117,15494509882820929948,131072 /prefetch:2
        5⤵
        
        PID:4044
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=1812,i,1654996418600666117,15494509882820929948,131072 /prefetch:8
        5⤵
        
        PID:3272
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1704 --field-trial-handle=1812,i,1654996418600666117,15494509882820929948,131072 /prefetch:8
        5⤵
        
        PID:2456
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1812,i,1654996418600666117,15494509882820929948,131072 /prefetch:1
        5⤵
        
        PID:4836
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3100 --field-trial-handle=1812,i,1654996418600666117,15494509882820929948,131072 /prefetch:1
        5⤵
        
        PID:1404
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4264 --field-trial-handle=1812,i,1654996418600666117,15494509882820929948,131072 /prefetch:1
        5⤵
        
        PID:8
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3364 --field-trial-handle=1812,i,1654996418600666117,15494509882820929948,131072 /prefetch:8
        5⤵
        
        PID:2176
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4444 --field-trial-handle=1812,i,1654996418600666117,15494509882820929948,131072 /prefetch:8
        5⤵
        
        PID:4812
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4600 --field-trial-handle=1812,i,1654996418600666117,15494509882820929948,131072 /prefetch:8
        5⤵
        
        PID:4056
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4180 --field-trial-handle=1812,i,1654996418600666117,15494509882820929948,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4732

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2028

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4988

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:424

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
7f4706aa72676729e082bd2bd58dcd17

SHA1
5b9963846e5768c9f626ba490303cde3af1935d5

SHA256
dced2c233b60ed446cd976744ca5475ee0e0733a9baba047116f5d7760dbdba4

SHA512
fdf6a846c838147076ad309eb2669f7699ca5fdbfe28f1884096a112fb3101a8970cd7aee9670c2dc220934654f679e738a9acbf7694237de496f3568e709a5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
9ba61b47c4d3a5af784eb40bc2ebde5f

SHA1
748ed7b95a52d31208ec1447da42193d0a48d693

SHA256
739513aee5f2756a4e375d1b9faadae686bb758938e6bc853f16d4558c246d02

SHA512
7bb7bb5a6881be1c134ae0eca5e9aedd4f4bfeb8ecd70202419992892be33131b840116706067827ffa58f91fea9384f80f3891c84e75a2e7c8449c644c7e373

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
fb8cd62314d08d0257a6265fc6757d9d

SHA1
89305c0fcd1c1ac45f89821563061b8ef2f17545

SHA256
166b32c42a888c2c99719c0960808ed21fcb7c277ef9383a0c33985896a3573c

SHA512
c8d622e275cbea37c2597f926c5c8f5f3c814f651cc7a3fecdf815bf3fc55fe227864d0ccbe34488a44ee4619db8895563078aac9ed068440d080349137a0ffc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
12f484b9eac23336db393ce240b6e718

SHA1
17ca88c7617f49c05c022668d93696f09e3a89a8

SHA256
793be559fd7321d87498baeff433933e065da3ad3b01d8028d86c67da00e0b32

SHA512
317bd7233ed72263fd80a574afb44fa262ce736df71f896a26e5a07116f268e00632dd44739a4729fbd830f5a0bf905408e2d9d4f21cded3779186917fc5d79b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
b78a79debdd800e76e5a8bfbf9d9ef2a

SHA1
92f4a0042942b1f599f462c1ad53d14d160b5d29

SHA256
b4c9bc5542ece277abf87d9c59f9dd5af55487839821c611f653b8cd5d37dc57

SHA512
16b4fbf677e9ded239c89174cc16ae829123ab5bd64ff14a3d754b07c787a9f2ad8228b8fb1dd286d8b93d4121d5a201057de2728d58f97b9274f47b1aa80904

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
29b6b1491a3c84ac48a934f280d5d4dc

SHA1
c88c06e430d9e59a866481dd03850cd4b68f6f1b

SHA256
26f5c8af069a75e40145e13672e83e254fcb88a9a1fd751b7c9c05b0446a22f3

SHA512
049f3667d7c41bbe40c9f9e3512eee378a640a7e0a1f752331f771cd2308ef45689bca0d1f631197b2b333d67b75c400c464cb6178abad098feaf9f4bb53d098

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
279KB

MD5
c6de1ee9b4b4eb256eef09de375bc7f7

SHA1
e71ee5f9078870f81d432f74bf2f5556541f4303

SHA256
84159bf06a41b4f547d132177e65a41cec178d0160b79a2eb3a8955b7fe41db3

SHA512
e7c39ccb2bad60c02a0498a01350cff942fdedf8c812df1b501efa5f901c26c275da4f2cb170fe87e57781c36f8115ab732862bbe1b6e1cf1b7271ee5285ba96

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\16040f7a20.exe

Filesize
2.3MB

MD5
d9f41a788841bc57db1e3c375bdb906d

SHA1
a53f4e3f93d799835bd22d47b3214a536d982c3f

SHA256
78636a12d3a9ad85208987feb964844591099e53abf3da39fe4cbf4cc6692b99

SHA512
bfcdda147b7bf71836dfa151b3b03dad4e170a8f079eed21af6ae215cfba2f9c2f10a8177e288c2ba0805634ca5646bbe01c20033aa1c9f159b56794aea4ffdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\b4be17ff7d.exe

Filesize
2.3MB

MD5
fbcba4b35f383ebe81632e3ed35a6850

SHA1
c46d61e2a6dbe1fab73c52c8471ccdd021fcab44

SHA256
eb62faafd69090cb30ca0defd13be853289d90256ad2b37f2d3533fb98cb7c75

SHA512
9cc6c6f6b0731e19e9eedf19f0e59bc726cd5c3a694a6ba7e09d8edeb385b8cb9ccca4fbf7f01abbc01b22fa70fbf65f5bb30770a13f34c709807bc88019faa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
f4e6fbc2e750b30ce2d722824fef95ed

SHA1
45be637815aa265173fb9083dc735f95c341a303

SHA256
442c25cecc8369d4b855ca28b3be8fad8a707fa8da8fd91b12aea17c601f3b4e

SHA512
e56975582c904a42db10086f36a3ff897ac04a418bca1f2f7129c49502f95f1262131ae0167a56bd066915313b9f0594c36d9012e80e06f8476e92203543530f

Download Submit
memory/424-171-0x0000000000290000-0x000000000075E000-memory.dmp

Filesize
4.8MB

Download
memory/424-172-0x0000000000290000-0x000000000075E000-memory.dmp

Filesize
4.8MB

Download
memory/1664-17-0x0000000000130000-0x00000000005FE000-memory.dmp

Filesize
4.8MB

Download
memory/1664-0-0x0000000000130000-0x00000000005FE000-memory.dmp

Filesize
4.8MB

Download
memory/1664-5-0x0000000000130000-0x00000000005FE000-memory.dmp

Filesize
4.8MB

Download
memory/1664-3-0x0000000000130000-0x00000000005FE000-memory.dmp

Filesize
4.8MB

Download
memory/1664-2-0x0000000000131000-0x000000000015F000-memory.dmp

Filesize
184KB

Download
memory/1664-1-0x0000000077736000-0x0000000077738000-memory.dmp

Filesize
8KB

Download
memory/2028-23-0x0000000000290000-0x000000000075E000-memory.dmp

Filesize
4.8MB

Download
memory/2028-25-0x0000000000290000-0x000000000075E000-memory.dmp

Filesize
4.8MB

Download
memory/2028-22-0x0000000000290000-0x000000000075E000-memory.dmp

Filesize
4.8MB

Download
memory/2172-148-0x0000000000110000-0x0000000000667000-memory.dmp

Filesize
5.3MB

Download
memory/2172-64-0x0000000000110000-0x0000000000667000-memory.dmp

Filesize
5.3MB

Download
memory/2172-120-0x0000000000110000-0x0000000000667000-memory.dmp

Filesize
5.3MB

Download
memory/2172-154-0x0000000000110000-0x0000000000667000-memory.dmp

Filesize
5.3MB

Download
memory/4352-198-0x0000000000F60000-0x000000000155B000-memory.dmp

Filesize
6.0MB

Download
memory/4352-173-0x0000000000F60000-0x000000000155B000-memory.dmp

Filesize
6.0MB

Download
memory/4352-222-0x0000000000F60000-0x000000000155B000-memory.dmp

Filesize
6.0MB

Download
memory/4352-176-0x0000000000F60000-0x000000000155B000-memory.dmp

Filesize
6.0MB

Download
memory/4352-211-0x0000000000F60000-0x000000000155B000-memory.dmp

Filesize
6.0MB

Download
memory/4352-203-0x0000000000F60000-0x000000000155B000-memory.dmp

Filesize
6.0MB

Download
memory/4352-46-0x0000000000F60000-0x000000000155B000-memory.dmp

Filesize
6.0MB

Download
memory/4352-118-0x0000000000F60000-0x000000000155B000-memory.dmp

Filesize
6.0MB

Download
memory/4352-155-0x0000000000F60000-0x000000000155B000-memory.dmp

Filesize
6.0MB

Download
memory/4352-196-0x0000000000F60000-0x000000000155B000-memory.dmp

Filesize
6.0MB

Download
memory/4352-157-0x0000000000F60000-0x000000000155B000-memory.dmp

Filesize
6.0MB

Download
memory/4352-194-0x0000000000F60000-0x000000000155B000-memory.dmp

Filesize
6.0MB

Download
memory/4352-168-0x0000000000F60000-0x000000000155B000-memory.dmp

Filesize
6.0MB

Download
memory/4352-192-0x0000000000F60000-0x000000000155B000-memory.dmp

Filesize
6.0MB

Download
memory/4352-146-0x0000000000F60000-0x000000000155B000-memory.dmp

Filesize
6.0MB

Download
memory/4580-221-0x0000000000290000-0x000000000075E000-memory.dmp

Filesize
4.8MB

Download
memory/4580-197-0x0000000000290000-0x000000000075E000-memory.dmp

Filesize
4.8MB

Download
memory/4580-175-0x0000000000290000-0x000000000075E000-memory.dmp

Filesize
4.8MB

Download
memory/4580-24-0x0000000000290000-0x000000000075E000-memory.dmp

Filesize
4.8MB

Download
memory/4580-138-0x0000000000290000-0x000000000075E000-memory.dmp

Filesize
4.8MB

Download
memory/4580-169-0x0000000000290000-0x000000000075E000-memory.dmp

Filesize
4.8MB

Download
memory/4580-191-0x0000000000290000-0x000000000075E000-memory.dmp

Filesize
4.8MB

Download
memory/4580-193-0x0000000000290000-0x000000000075E000-memory.dmp

Filesize
4.8MB

Download
memory/4580-167-0x0000000000290000-0x000000000075E000-memory.dmp

Filesize
4.8MB

Download
memory/4580-195-0x0000000000290000-0x000000000075E000-memory.dmp

Filesize
4.8MB

Download
memory/4580-156-0x0000000000290000-0x000000000075E000-memory.dmp

Filesize
4.8MB

Download
memory/4580-20-0x0000000000291000-0x00000000002BF000-memory.dmp

Filesize
184KB

Download
memory/4580-119-0x0000000000290000-0x000000000075E000-memory.dmp

Filesize
4.8MB

Download
memory/4580-199-0x0000000000290000-0x000000000075E000-memory.dmp

Filesize
4.8MB

Download
memory/4580-111-0x0000000000290000-0x000000000075E000-memory.dmp

Filesize
4.8MB

Download
memory/4580-21-0x0000000000290000-0x000000000075E000-memory.dmp

Filesize
4.8MB

Download
memory/4580-112-0x0000000000290000-0x000000000075E000-memory.dmp

Filesize
4.8MB

Download
memory/4580-210-0x0000000000290000-0x000000000075E000-memory.dmp

Filesize
4.8MB

Download
memory/4580-147-0x0000000000290000-0x000000000075E000-memory.dmp

Filesize
4.8MB

Download
memory/4580-18-0x0000000000290000-0x000000000075E000-memory.dmp

Filesize
4.8MB

Download
memory/4932-202-0x0000000000290000-0x000000000075E000-memory.dmp

Filesize
4.8MB

Download
memory/4932-201-0x0000000000290000-0x000000000075E000-memory.dmp

Filesize
4.8MB

Download