amadey | 3ad5bcd8ca1283d0a48ce2c988fcc885f0f26749552ee32720536bb463df077c

Analysis

max time kernel
149s
max time network
148s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
22-06-2024 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ad5bcd8ca1283d0a48ce2c988fcc885f0f26749552ee32720536bb463df077c.exe
Size

1.9MB
MD5

f053eec442f7a3ddc7fe0a977bde9f55
SHA1

8444c3f63e55e346a3baa4b4f3f4f275ceaba69a
SHA256

3ad5bcd8ca1283d0a48ce2c988fcc885f0f26749552ee32720536bb463df077c
SHA512

83c0f80b42e68f2a86c168952b4e7d7104f6731c594395658042f013b7f1e69df6eb1d1f01cee8a2f47b3ef6889269fb6899076a8734b8703252b54d1f3ed1f4
SSDEEP

49152:KX0JXyqcJZ/k+sBGTfzN0Z92aTucTFfam:PRaZ/k+sB8fsTF

Score

10^/10

amadey risepro 0e6740 evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

risepro

77.91.77.66:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3ad5bcd8ca1283d0a48ce2c988fcc885f0f26749552ee32720536bb463df077c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0969a888ee.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	479d084227.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	479d084227.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	479d084227.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3ad5bcd8ca1283d0a48ce2c988fcc885f0f26749552ee32720536bb463df077c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0969a888ee.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0969a888ee.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3ad5bcd8ca1283d0a48ce2c988fcc885f0f26749552ee32720536bb463df077c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe

Executes dropped EXE 5 IoCs

pid	Process
4652	explortu.exe
2444	0969a888ee.exe
4144	479d084227.exe
4748	explortu.exe
1100	explortu.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	3ad5bcd8ca1283d0a48ce2c988fcc885f0f26749552ee32720536bb463df077c.exe
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	0969a888ee.exe
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	479d084227.exe
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	explortu.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Windows\CurrentVersion\Run\0969a888ee.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\0969a888ee.exe"	explortu.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4144-116-0x0000000000620000-0x0000000000B6B000-memory.dmp	autoit_exe
behavioral2/memory/4144-150-0x0000000000620000-0x0000000000B6B000-memory.dmp	autoit_exe
behavioral2/memory/4144-157-0x0000000000620000-0x0000000000B6B000-memory.dmp	autoit_exe
behavioral2/memory/4144-158-0x0000000000620000-0x0000000000B6B000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
3620	3ad5bcd8ca1283d0a48ce2c988fcc885f0f26749552ee32720536bb463df077c.exe
4652	explortu.exe
2444	0969a888ee.exe
4144	479d084227.exe
4748	explortu.exe
1100	explortu.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	3ad5bcd8ca1283d0a48ce2c988fcc885f0f26749552ee32720536bb463df077c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133634985773001113"	chrome.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3620	3ad5bcd8ca1283d0a48ce2c988fcc885f0f26749552ee32720536bb463df077c.exe
3620	3ad5bcd8ca1283d0a48ce2c988fcc885f0f26749552ee32720536bb463df077c.exe
4652	explortu.exe
4652	explortu.exe
2444	0969a888ee.exe
2444	0969a888ee.exe
4144	479d084227.exe
4144	479d084227.exe
2656	chrome.exe
2656	chrome.exe
4748	explortu.exe
4748	explortu.exe
1100	explortu.exe
1100	explortu.exe
1244	chrome.exe
1244	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
4144	479d084227.exe
4144	479d084227.exe
2656	chrome.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe
4144	479d084227.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3620 wrote to memory of 4652	3620	3ad5bcd8ca1283d0a48ce2c988fcc885f0f26749552ee32720536bb463df077c.exe	78
PID 3620 wrote to memory of 4652	3620	3ad5bcd8ca1283d0a48ce2c988fcc885f0f26749552ee32720536bb463df077c.exe	78
PID 3620 wrote to memory of 4652	3620	3ad5bcd8ca1283d0a48ce2c988fcc885f0f26749552ee32720536bb463df077c.exe	78
PID 4652 wrote to memory of 1312	4652	explortu.exe	79
PID 4652 wrote to memory of 1312	4652	explortu.exe	79
PID 4652 wrote to memory of 1312	4652	explortu.exe	79
PID 4652 wrote to memory of 2444	4652	explortu.exe	80
PID 4652 wrote to memory of 2444	4652	explortu.exe	80
PID 4652 wrote to memory of 2444	4652	explortu.exe	80
PID 4652 wrote to memory of 4144	4652	explortu.exe	81
PID 4652 wrote to memory of 4144	4652	explortu.exe	81
PID 4652 wrote to memory of 4144	4652	explortu.exe	81
PID 4144 wrote to memory of 2656	4144	479d084227.exe	82
PID 4144 wrote to memory of 2656	4144	479d084227.exe	82
PID 2656 wrote to memory of 1660	2656	chrome.exe	85
PID 2656 wrote to memory of 1660	2656	chrome.exe	85
PID 2656 wrote to memory of 2652	2656	chrome.exe	86
PID 2656 wrote to memory of 2652	2656	chrome.exe	86
PID 2656 wrote to memory of 2652	2656	chrome.exe	86
PID 2656 wrote to memory of 2652	2656	chrome.exe	86
PID 2656 wrote to memory of 2652	2656	chrome.exe	86
PID 2656 wrote to memory of 2652	2656	chrome.exe	86
PID 2656 wrote to memory of 2652	2656	chrome.exe	86
PID 2656 wrote to memory of 2652	2656	chrome.exe	86
PID 2656 wrote to memory of 2652	2656	chrome.exe	86
PID 2656 wrote to memory of 2652	2656	chrome.exe	86
PID 2656 wrote to memory of 2652	2656	chrome.exe	86
PID 2656 wrote to memory of 2652	2656	chrome.exe	86
PID 2656 wrote to memory of 2652	2656	chrome.exe	86
PID 2656 wrote to memory of 2652	2656	chrome.exe	86
PID 2656 wrote to memory of 2652	2656	chrome.exe	86
PID 2656 wrote to memory of 2652	2656	chrome.exe	86
PID 2656 wrote to memory of 2652	2656	chrome.exe	86
PID 2656 wrote to memory of 2652	2656	chrome.exe	86
PID 2656 wrote to memory of 2652	2656	chrome.exe	86
PID 2656 wrote to memory of 2652	2656	chrome.exe	86
PID 2656 wrote to memory of 2652	2656	chrome.exe	86
PID 2656 wrote to memory of 2652	2656	chrome.exe	86
PID 2656 wrote to memory of 2652	2656	chrome.exe	86
PID 2656 wrote to memory of 2652	2656	chrome.exe	86
PID 2656 wrote to memory of 2652	2656	chrome.exe	86
PID 2656 wrote to memory of 2652	2656	chrome.exe	86
PID 2656 wrote to memory of 2652	2656	chrome.exe	86
PID 2656 wrote to memory of 2652	2656	chrome.exe	86
PID 2656 wrote to memory of 2652	2656	chrome.exe	86
PID 2656 wrote to memory of 2652	2656	chrome.exe	86
PID 2656 wrote to memory of 2652	2656	chrome.exe	86
PID 2656 wrote to memory of 1692	2656	chrome.exe	87
PID 2656 wrote to memory of 1692	2656	chrome.exe	87
PID 2656 wrote to memory of 4276	2656	chrome.exe	88
PID 2656 wrote to memory of 4276	2656	chrome.exe	88
PID 2656 wrote to memory of 4276	2656	chrome.exe	88
PID 2656 wrote to memory of 4276	2656	chrome.exe	88
PID 2656 wrote to memory of 4276	2656	chrome.exe	88
PID 2656 wrote to memory of 4276	2656	chrome.exe	88
PID 2656 wrote to memory of 4276	2656	chrome.exe	88
PID 2656 wrote to memory of 4276	2656	chrome.exe	88
PID 2656 wrote to memory of 4276	2656	chrome.exe	88
PID 2656 wrote to memory of 4276	2656	chrome.exe	88
PID 2656 wrote to memory of 4276	2656	chrome.exe	88
PID 2656 wrote to memory of 4276	2656	chrome.exe	88
PID 2656 wrote to memory of 4276	2656	chrome.exe	88
PID 2656 wrote to memory of 4276	2656	chrome.exe	88
PID 2656 wrote to memory of 4276	2656	chrome.exe	88

C:\Users\Admin\AppData\Local\Temp\3ad5bcd8ca1283d0a48ce2c988fcc885f0f26749552ee32720536bb463df077c.exe
"C:\Users\Admin\AppData\Local\Temp\3ad5bcd8ca1283d0a48ce2c988fcc885f0f26749552ee32720536bb463df077c.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:1312
- - C:\Users\Admin\AppData\Local\Temp\1000016001\0969a888ee.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\0969a888ee.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:2444
- - C:\Users\Admin\AppData\Local\Temp\1000017001\479d084227.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\479d084227.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4144
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffb8cebab58,0x7ffb8cebab68,0x7ffb8cebab78
        5⤵
        
        PID:1660
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1812,i,16058376225280587186,3402748199510514455,131072 /prefetch:2
        5⤵
        
        PID:2652
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1812,i,16058376225280587186,3402748199510514455,131072 /prefetch:8
        5⤵
        
        PID:1692
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2176 --field-trial-handle=1812,i,16058376225280587186,3402748199510514455,131072 /prefetch:8
        5⤵
        
        PID:4276
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1812,i,16058376225280587186,3402748199510514455,131072 /prefetch:1
        5⤵
        
        PID:4780
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3312 --field-trial-handle=1812,i,16058376225280587186,3402748199510514455,131072 /prefetch:1
        5⤵
        
        PID:476
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3888 --field-trial-handle=1812,i,16058376225280587186,3402748199510514455,131072 /prefetch:1
        5⤵
        
        PID:4728
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4480 --field-trial-handle=1812,i,16058376225280587186,3402748199510514455,131072 /prefetch:8
        5⤵
        
        PID:2332
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3444 --field-trial-handle=1812,i,16058376225280587186,3402748199510514455,131072 /prefetch:8
        5⤵
        
        PID:3792
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4144 --field-trial-handle=1812,i,16058376225280587186,3402748199510514455,131072 /prefetch:8
        5⤵
        
        PID:4608
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 --field-trial-handle=1812,i,16058376225280587186,3402748199510514455,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1244

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2824

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4748

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
34de17b5e81f465aa1c88458710c90b2

SHA1
e621e550c0e770467336309a3313e39bd60ea044

SHA256
b3c0023b2b634a6a1f0f5d70668b326e51e4d40ca34d1ab683a864ae865db7c7

SHA512
455ac65fbf63d435e0667f3f680501defd90e998bf5d2fd65eaad7d7698661695022921077e88f815d2b5da81d76d5b5b41822344392c4c8ca897acf6f7c427f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
6e5869f159c19dbdd296ed54d22e65c6

SHA1
8c01ab6af1ac8fe946a7e5c3ffd4650240632d15

SHA256
b4d9c3e4fa8ec4b49b4486ef321eab3570b51dee98a12719cbe5dc4c370ded1a

SHA512
f3843a4fd67687859e77596609466d55e2be3e012cdaf7e14409cf7f5132384878aa03cca351ebdda866524339477132a16ccffd3dbe056983835154922f9c82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
dc876ee2f4d2ae6c43c4b9427ef10c0d

SHA1
f73f895c82804adb4bbdce12a7adc273c1810a13

SHA256
85c253582b9ed4d720a735eb08ef65c838e23645b65a261e7936bc5c645b0d11

SHA512
707bd95b0c7a25a7b5e4e847919f08a3202fcc42e85acbca748a7d7b22eaa2c8c4a13f6036d56f2d8dead89b97db8c2d3c3ec1103d5bd272cab729ff14620c2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
8d04505903c7d85aa3a1fef248afbc7d

SHA1
cac91109d54413d01e5c70027ecfcb454477ccbb

SHA256
bfe2b564636ad766edcbe3dc33647e449f39b66e553c45cf4e6bb54bdb9af8cd

SHA512
3bd6d18dda0ae64ae2ad50ae39bf34f9d218f8cfef4c43bc630ae81a4b805b96e86356e12923635cce4884e2a32d922405e8c00c50309ef524c11c0a8b7514bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
688B

MD5
1b3f5a8bac7c41000d7c7242da445d05

SHA1
4c135b68549f81fb80ad24151f28e05711026b81

SHA256
a03940a43033a5e17fb79c0cc214770f2cacdb39fc54a11faf4eb98acbe1b7c3

SHA512
ff6700ffbf9df9c4f94d1352bda907573fe3f3b93a38d95837b5af55f24de6d3570b6a8a5a09ce56a6d81f06bcc49ed35400f6a3e42b6eeedc35f9f6b950cc68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
129a0bb986e4de32685b3505e7a6daae

SHA1
6dca6af2c033496e9f3692f61ec0f8066eb2cc2a

SHA256
b514df29aac3339c4cfda9c193e9ec2ecf1134e7de5ecb77e550629d0c17b633

SHA512
1b50a1454709cd31fe8357b2fe2c6df4739d1295cc0832ca274e019342f848465233652c73f7d7c0c30415dbcc85f6f2c6d1ef758dcbb4e12ad13e2037b23f72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
0742e36ff01f9f2fba18be69c000720d

SHA1
79dfa4da716af06f26beb908b7ff12e6d66f93d3

SHA256
3cd9899646e5da6325813727a04028c09fd879d06e2c35beb781dd27082ff295

SHA512
bf242c6a6547e6b3b9602b052a63b9f5913caef59cc681fc03be692dc479d531abc8a237b7a1204a37c217e4c89bcf14b108ad15f462a8551a4aa6b11453df99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
279KB

MD5
91deb2109ef4b91b07ff04ed46837621

SHA1
c2bcbedbebffaffbaf06f5b93a7f2021a24c2dcd

SHA256
5403dff1faa462f43886f931b58746f215df0268bfcd2a4de3fda258940b5be4

SHA512
d8410f07b32d91da70be607764aa49c1a9240b5b61516e1930b2160e712dece75162f2abef12b1091050f9a47d26a35de670d7168a889da2537d5588fcda9ef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\0969a888ee.exe

Filesize
2.4MB

MD5
ca9e63f785887ae3efee5eb6f9b5f45a

SHA1
5b02c8ff5b32c21f95d4c65244167f5b7347d3b4

SHA256
8256b66a44eeb89d26659c79433cad34290dd66e972fadc9de9e0e4a914a0f54

SHA512
883804f07dd4d83d796bca453994706083c9bbed1d9a19320940a3d22ea5c0d1f8f35957f3d8ef9abf8b0cea874b8751e05bbc05123b04f3ed3f1a2e24199e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\479d084227.exe

Filesize
2.3MB

MD5
e4353466eec965539de0c5c913595e7b

SHA1
65c89f00e5c2548f8b005e1748a36a84f0ba3f13

SHA256
ee032c3a5a0bf50233bbbcb76fe0fc91fe6bea935cfa33f58031290a29d8cc90

SHA512
26d057d8252ec1c49fad3b883d41c4002e4633e024d9eba3c65291c5450f7a22b1f41fcbf34662b1b3d12ce7a89a26590269133a02909ce42859da88db9150d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.9MB

MD5
f053eec442f7a3ddc7fe0a977bde9f55

SHA1
8444c3f63e55e346a3baa4b4f3f4f275ceaba69a

SHA256
3ad5bcd8ca1283d0a48ce2c988fcc885f0f26749552ee32720536bb463df077c

SHA512
83c0f80b42e68f2a86c168952b4e7d7104f6731c594395658042f013b7f1e69df6eb1d1f01cee8a2f47b3ef6889269fb6899076a8734b8703252b54d1f3ed1f4

Download Submit
memory/1100-208-0x00000000005D0000-0x0000000000AA5000-memory.dmp

Filesize
4.8MB

Download
memory/1100-209-0x00000000005D0000-0x0000000000AA5000-memory.dmp

Filesize
4.8MB

Download
memory/2444-200-0x00000000003E0000-0x00000000009F6000-memory.dmp

Filesize
6.1MB

Download
memory/2444-204-0x00000000003E0000-0x00000000009F6000-memory.dmp

Filesize
6.1MB

Download
memory/2444-43-0x00000000003E0000-0x00000000009F6000-memory.dmp

Filesize
6.1MB

Download
memory/2444-229-0x00000000003E0000-0x00000000009F6000-memory.dmp

Filesize
6.1MB

Download
memory/2444-180-0x00000000003E0000-0x00000000009F6000-memory.dmp

Filesize
6.1MB

Download
memory/2444-115-0x00000000003E0000-0x00000000009F6000-memory.dmp

Filesize
6.1MB

Download
memory/2444-173-0x00000000003E0000-0x00000000009F6000-memory.dmp

Filesize
6.1MB

Download
memory/2444-42-0x00000000003E0000-0x00000000009F6000-memory.dmp

Filesize
6.1MB

Download
memory/2444-218-0x00000000003E0000-0x00000000009F6000-memory.dmp

Filesize
6.1MB

Download
memory/2444-211-0x00000000003E0000-0x00000000009F6000-memory.dmp

Filesize
6.1MB

Download
memory/2444-161-0x00000000003E0000-0x00000000009F6000-memory.dmp

Filesize
6.1MB

Download
memory/2444-207-0x00000000003E0000-0x00000000009F6000-memory.dmp

Filesize
6.1MB

Download
memory/2444-202-0x00000000003E0000-0x00000000009F6000-memory.dmp

Filesize
6.1MB

Download
memory/2444-159-0x00000000003E0000-0x00000000009F6000-memory.dmp

Filesize
6.1MB

Download
memory/2444-148-0x00000000003E0000-0x00000000009F6000-memory.dmp

Filesize
6.1MB

Download
memory/2444-149-0x00000000003E0000-0x00000000009F6000-memory.dmp

Filesize
6.1MB

Download
memory/2444-177-0x00000000003E0000-0x00000000009F6000-memory.dmp

Filesize
6.1MB

Download
memory/3620-17-0x0000000000070000-0x0000000000545000-memory.dmp

Filesize
4.8MB

Download
memory/3620-3-0x0000000000070000-0x0000000000545000-memory.dmp

Filesize
4.8MB

Download
memory/3620-2-0x0000000000071000-0x000000000009F000-memory.dmp

Filesize
184KB

Download
memory/3620-0-0x0000000000070000-0x0000000000545000-memory.dmp

Filesize
4.8MB

Download
memory/3620-5-0x0000000000070000-0x0000000000545000-memory.dmp

Filesize
4.8MB

Download
memory/3620-1-0x0000000077DB6000-0x0000000077DB8000-memory.dmp

Filesize
8KB

Download
memory/4144-157-0x0000000000620000-0x0000000000B6B000-memory.dmp

Filesize
5.3MB

Download
memory/4144-150-0x0000000000620000-0x0000000000B6B000-memory.dmp

Filesize
5.3MB

Download
memory/4144-158-0x0000000000620000-0x0000000000B6B000-memory.dmp

Filesize
5.3MB

Download
memory/4144-61-0x0000000000620000-0x0000000000B6B000-memory.dmp

Filesize
5.3MB

Download
memory/4144-116-0x0000000000620000-0x0000000000B6B000-memory.dmp

Filesize
5.3MB

Download
memory/4652-18-0x00000000005D0000-0x0000000000AA5000-memory.dmp

Filesize
4.8MB

Download
memory/4652-205-0x00000000005D0000-0x0000000000AA5000-memory.dmp

Filesize
4.8MB

Download
memory/4652-179-0x00000000005D0000-0x0000000000AA5000-memory.dmp

Filesize
4.8MB

Download
memory/4652-108-0x00000000005D0000-0x0000000000AA5000-memory.dmp

Filesize
4.8MB

Download
memory/4652-228-0x00000000005D0000-0x0000000000AA5000-memory.dmp

Filesize
4.8MB

Download
memory/4652-199-0x00000000005D0000-0x0000000000AA5000-memory.dmp

Filesize
4.8MB

Download
memory/4652-171-0x00000000005D0000-0x0000000000AA5000-memory.dmp

Filesize
4.8MB

Download
memory/4652-201-0x00000000005D0000-0x0000000000AA5000-memory.dmp

Filesize
4.8MB

Download
memory/4652-160-0x00000000005D0000-0x0000000000AA5000-memory.dmp

Filesize
4.8MB

Download
memory/4652-203-0x00000000005D0000-0x0000000000AA5000-memory.dmp

Filesize
4.8MB

Download
memory/4652-156-0x00000000005D0000-0x0000000000AA5000-memory.dmp

Filesize
4.8MB

Download
memory/4652-176-0x00000000005D0000-0x0000000000AA5000-memory.dmp

Filesize
4.8MB

Download
memory/4652-138-0x00000000005D0000-0x0000000000AA5000-memory.dmp

Filesize
4.8MB

Download
memory/4652-137-0x00000000005D0000-0x0000000000AA5000-memory.dmp

Filesize
4.8MB

Download
memory/4652-19-0x00000000005D1000-0x00000000005FF000-memory.dmp

Filesize
184KB

Download
memory/4652-210-0x00000000005D0000-0x0000000000AA5000-memory.dmp

Filesize
4.8MB

Download
memory/4652-20-0x00000000005D0000-0x0000000000AA5000-memory.dmp

Filesize
4.8MB

Download
memory/4652-217-0x00000000005D0000-0x0000000000AA5000-memory.dmp

Filesize
4.8MB

Download
memory/4652-21-0x00000000005D0000-0x0000000000AA5000-memory.dmp

Filesize
4.8MB

Download
memory/4652-114-0x00000000005D0000-0x0000000000AA5000-memory.dmp

Filesize
4.8MB

Download
memory/4748-174-0x00000000005D0000-0x0000000000AA5000-memory.dmp

Filesize
4.8MB

Download
memory/4748-175-0x00000000005D0000-0x0000000000AA5000-memory.dmp

Filesize
4.8MB

Download