amadey | 495113737ea4a93fda56b460b00a086c6bfe1493234fc9593ea28db53f836b67

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
22/06/2024, 08:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

495113737ea4a93fda56b460b00a086c6bfe1493234fc9593ea28db53f836b67.exe
Size

1.8MB
MD5

6c580737fcc23a9ed675109cfca13b36
SHA1

b95e037a212f638938536121a39edfdcd77e8873
SHA256

495113737ea4a93fda56b460b00a086c6bfe1493234fc9593ea28db53f836b67
SHA512

9b5665671b9589df20a16a6f472d4500ffc1f4282911f1829ae3380da195951dd9c60cfd18127ae1cced5dac00472e2017aef13bc55035e96f51de13c72fb7c2
SSDEEP

49152:INuU9sUb2XBtUHGfscA79k2K68IL8GyJn/zk2sEz4Mfm:KuOb2R4GkcA79rK68dlnhdfm

Score

10^/10

amadey risepro 0e6740 evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

risepro

77.91.77.66:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5e1a82ad78.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	495113737ea4a93fda56b460b00a086c6bfe1493234fc9593ea28db53f836b67.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d10f27310b.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	495113737ea4a93fda56b460b00a086c6bfe1493234fc9593ea28db53f836b67.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5e1a82ad78.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	495113737ea4a93fda56b460b00a086c6bfe1493234fc9593ea28db53f836b67.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d10f27310b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d10f27310b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5e1a82ad78.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe

Executes dropped EXE 5 IoCs

pid	Process
1216	explortu.exe
3080	d10f27310b.exe
3612	5e1a82ad78.exe
1384	explortu.exe
2768	explortu.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	495113737ea4a93fda56b460b00a086c6bfe1493234fc9593ea28db53f836b67.exe
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	d10f27310b.exe
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	5e1a82ad78.exe
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	explortu.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\d10f27310b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\d10f27310b.exe"	explortu.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3612-114-0x00000000007B0000-0x0000000000D11000-memory.dmp	autoit_exe
behavioral2/memory/3612-144-0x00000000007B0000-0x0000000000D11000-memory.dmp	autoit_exe
behavioral2/memory/3612-151-0x00000000007B0000-0x0000000000D11000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
1892	495113737ea4a93fda56b460b00a086c6bfe1493234fc9593ea28db53f836b67.exe
1216	explortu.exe
3080	d10f27310b.exe
3612	5e1a82ad78.exe
1384	explortu.exe
2768	explortu.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	495113737ea4a93fda56b460b00a086c6bfe1493234fc9593ea28db53f836b67.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133635198940530516"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1892	495113737ea4a93fda56b460b00a086c6bfe1493234fc9593ea28db53f836b67.exe
1892	495113737ea4a93fda56b460b00a086c6bfe1493234fc9593ea28db53f836b67.exe
1216	explortu.exe
1216	explortu.exe
3080	d10f27310b.exe
3080	d10f27310b.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
4252	chrome.exe
4252	chrome.exe
1384	explortu.exe
1384	explortu.exe
2768	explortu.exe
2768	explortu.exe
2464	chrome.exe
2464	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
4252	chrome.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe
3612	5e1a82ad78.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 1216	1892	495113737ea4a93fda56b460b00a086c6bfe1493234fc9593ea28db53f836b67.exe	78
PID 1892 wrote to memory of 1216	1892	495113737ea4a93fda56b460b00a086c6bfe1493234fc9593ea28db53f836b67.exe	78
PID 1892 wrote to memory of 1216	1892	495113737ea4a93fda56b460b00a086c6bfe1493234fc9593ea28db53f836b67.exe	78
PID 1216 wrote to memory of 1172	1216	explortu.exe	79
PID 1216 wrote to memory of 1172	1216	explortu.exe	79
PID 1216 wrote to memory of 1172	1216	explortu.exe	79
PID 1216 wrote to memory of 3080	1216	explortu.exe	80
PID 1216 wrote to memory of 3080	1216	explortu.exe	80
PID 1216 wrote to memory of 3080	1216	explortu.exe	80
PID 1216 wrote to memory of 3612	1216	explortu.exe	81
PID 1216 wrote to memory of 3612	1216	explortu.exe	81
PID 1216 wrote to memory of 3612	1216	explortu.exe	81
PID 3612 wrote to memory of 4252	3612	5e1a82ad78.exe	82
PID 3612 wrote to memory of 4252	3612	5e1a82ad78.exe	82
PID 4252 wrote to memory of 3164	4252	chrome.exe	85
PID 4252 wrote to memory of 3164	4252	chrome.exe	85
PID 4252 wrote to memory of 4424	4252	chrome.exe	86
PID 4252 wrote to memory of 4424	4252	chrome.exe	86
PID 4252 wrote to memory of 4424	4252	chrome.exe	86
PID 4252 wrote to memory of 4424	4252	chrome.exe	86
PID 4252 wrote to memory of 4424	4252	chrome.exe	86
PID 4252 wrote to memory of 4424	4252	chrome.exe	86
PID 4252 wrote to memory of 4424	4252	chrome.exe	86
PID 4252 wrote to memory of 4424	4252	chrome.exe	86
PID 4252 wrote to memory of 4424	4252	chrome.exe	86
PID 4252 wrote to memory of 4424	4252	chrome.exe	86
PID 4252 wrote to memory of 4424	4252	chrome.exe	86
PID 4252 wrote to memory of 4424	4252	chrome.exe	86
PID 4252 wrote to memory of 4424	4252	chrome.exe	86
PID 4252 wrote to memory of 4424	4252	chrome.exe	86
PID 4252 wrote to memory of 4424	4252	chrome.exe	86
PID 4252 wrote to memory of 4424	4252	chrome.exe	86
PID 4252 wrote to memory of 4424	4252	chrome.exe	86
PID 4252 wrote to memory of 4424	4252	chrome.exe	86
PID 4252 wrote to memory of 4424	4252	chrome.exe	86
PID 4252 wrote to memory of 4424	4252	chrome.exe	86
PID 4252 wrote to memory of 4424	4252	chrome.exe	86
PID 4252 wrote to memory of 4424	4252	chrome.exe	86
PID 4252 wrote to memory of 4424	4252	chrome.exe	86
PID 4252 wrote to memory of 4424	4252	chrome.exe	86
PID 4252 wrote to memory of 4424	4252	chrome.exe	86
PID 4252 wrote to memory of 4424	4252	chrome.exe	86
PID 4252 wrote to memory of 4424	4252	chrome.exe	86
PID 4252 wrote to memory of 4424	4252	chrome.exe	86
PID 4252 wrote to memory of 4424	4252	chrome.exe	86
PID 4252 wrote to memory of 4424	4252	chrome.exe	86
PID 4252 wrote to memory of 4424	4252	chrome.exe	86
PID 4252 wrote to memory of 3492	4252	chrome.exe	87
PID 4252 wrote to memory of 3492	4252	chrome.exe	87
PID 4252 wrote to memory of 4608	4252	chrome.exe	88
PID 4252 wrote to memory of 4608	4252	chrome.exe	88
PID 4252 wrote to memory of 4608	4252	chrome.exe	88
PID 4252 wrote to memory of 4608	4252	chrome.exe	88
PID 4252 wrote to memory of 4608	4252	chrome.exe	88
PID 4252 wrote to memory of 4608	4252	chrome.exe	88
PID 4252 wrote to memory of 4608	4252	chrome.exe	88
PID 4252 wrote to memory of 4608	4252	chrome.exe	88
PID 4252 wrote to memory of 4608	4252	chrome.exe	88
PID 4252 wrote to memory of 4608	4252	chrome.exe	88
PID 4252 wrote to memory of 4608	4252	chrome.exe	88
PID 4252 wrote to memory of 4608	4252	chrome.exe	88
PID 4252 wrote to memory of 4608	4252	chrome.exe	88
PID 4252 wrote to memory of 4608	4252	chrome.exe	88
PID 4252 wrote to memory of 4608	4252	chrome.exe	88

C:\Users\Admin\AppData\Local\Temp\495113737ea4a93fda56b460b00a086c6bfe1493234fc9593ea28db53f836b67.exe
"C:\Users\Admin\AppData\Local\Temp\495113737ea4a93fda56b460b00a086c6bfe1493234fc9593ea28db53f836b67.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:1172
- - C:\Users\Admin\AppData\Local\Temp\1000016001\d10f27310b.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\d10f27310b.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:3080
- - C:\Users\Admin\AppData\Local\Temp\1000017001\5e1a82ad78.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\5e1a82ad78.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3612
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4252
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcb57dab58,0x7ffcb57dab68,0x7ffcb57dab78
        5⤵
        
        PID:3164
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1912,i,12873283290758889524,363630493601861675,131072 /prefetch:2
        5⤵
        
        PID:4424
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1900 --field-trial-handle=1912,i,12873283290758889524,363630493601861675,131072 /prefetch:8
        5⤵
        
        PID:3492
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1912,i,12873283290758889524,363630493601861675,131072 /prefetch:8
        5⤵
        
        PID:4608
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1912,i,12873283290758889524,363630493601861675,131072 /prefetch:1
        5⤵
        
        PID:2532
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1912,i,12873283290758889524,363630493601861675,131072 /prefetch:1
        5⤵
        
        PID:5016
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4168 --field-trial-handle=1912,i,12873283290758889524,363630493601861675,131072 /prefetch:1
        5⤵
        
        PID:2716
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3212 --field-trial-handle=1912,i,12873283290758889524,363630493601861675,131072 /prefetch:8
        5⤵
        
        PID:2112
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4380 --field-trial-handle=1912,i,12873283290758889524,363630493601861675,131072 /prefetch:8
        5⤵
        
        PID:5060
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4568 --field-trial-handle=1912,i,12873283290758889524,363630493601861675,131072 /prefetch:8
        5⤵
        
        PID:5072
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1500 --field-trial-handle=1912,i,12873283290758889524,363630493601861675,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2464

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1000

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1384

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
eb4bafb6a303e0992a5dbedbd70ee89e

SHA1
8127ca2c372e2d80605d982161525bd50cfcaaef

SHA256
d190b9d7d4337f2c89b762371332ef0715867f97465c8ecb68c6f175d23cca59

SHA512
400e7ad415238117be277662f744b022f01295661775a853aa87f32c586ec0cbcc3ffe51a5bd4c446c69bc5a0d6b6fbf186eeb7609ebf517dd958a5e81c45126

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
b2761c01c0e8743fe8f3e985b221e9b2

SHA1
913809ed3af8dace783c07c1285ec099e892b7e7

SHA256
b06ed51f81a5bbaded89c8871ffd12c31dc3e90ef8c005506364a3847da865ff

SHA512
2bc05bb9cb9f6670278c178d7f8f3b1855457906eac156c4536dcaf99cd98fe2d1d832cf0b1e551648e2de9870cd1451f951f9974eba20662a69b0553d2fce05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
176fd268d2e4dc00bb68718b656c69ab

SHA1
080e70fa04745306a31e9f39036594bbfa2c5de3

SHA256
46f7d6346f28827f8195d6377b8a5304a3495e59b82f3bbb9c5026356f2036c5

SHA512
e5a107292a63b413b6522c0c57ea44e0f46913e7b0f1eb604862d8358dcf5c3259b08cbcf8f50efec3bff302fd47f8d513a0ff7ff33becf277654629bd1da0c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
0be7361c5663c287b91b0832dada8c09

SHA1
2d3215d5d7173b68541de7404cf6d206174233c6

SHA256
45b06045f02fed89252141d0034cca6973ad36e46c39f255f88d7a28044b944e

SHA512
960b2d9d7fb12d37339c7df0fc7b8696a1458f7f0f2b47d2c0509dede6544ee818cd162ba557dcc825c0a8a055bec253ced79b31a1093aca6e581b139c99d52a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
01cebeed9e87c223cf103f22655dfccf

SHA1
2b3b88da506d01c292e78340b964222a07768005

SHA256
1cae7d445fafc28b176ccb5e5e805d7da8dc4a1ebaee8289de4cd89a0ec63809

SHA512
1a860a357d42d5408ae55479728b7dcaede71e0e06accde1f10aa0087888bd8becaf13411d992e296d875593867e19a9d5e3115920fc63dbfb19373dc132a650

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
8ab5f7e2e14b41279ae3dbb632985900

SHA1
a8b8b36664c0e0fb8fa8b085275efa57dfb1744c

SHA256
5f7eb7cc2b052dfd9cce23bba9d55afaf152898bdb83d7652809ec6d4e52f208

SHA512
3f62a61139404f5e154222196ff8fdbf9562162622e4c2ff512d4fbed00e0c2b924670ad670a1b6ea8158c712e54e6f9ef8ef13c26a0c79f59bd12e387a8649e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
271KB

MD5
a6bdac512d79374eb9078cee0cec1d45

SHA1
3763c5452fa2695976b7d617b85b35862325e76f

SHA256
9c5f184e4b70e3d752f2d34873c0d50a48dcd55c0395e1c31e3a5c0466ff6b51

SHA512
20f77c3579ab00628e0b8593f7ca10dc9aaf67726a02b2063b99fbe231b8dd98b57ba608dde72ba464dca81f6f5baaf29952cbff99838121fbf51a0d14fc9e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\d10f27310b.exe

Filesize
2.3MB

MD5
c4321f4901b4272f2d51aa2b3da1e5e3

SHA1
5cb61427ee213070cab21415d4dc84bf232f0bbc

SHA256
53f96c9b90d516e965a51b6ccbdbe8067ae3af02d57ee1be98266862ccb3421e

SHA512
4c7c5221e5f0a8fee2a2d671fd8b132bc635bfd9977cbb788f72df7011ac31d1da361d6ed6e2e5489439a43948cb2efb4f2610c1505c8a7ecfdb0726f372bce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\5e1a82ad78.exe

Filesize
2.3MB

MD5
209916ea8e2c521e4cea854aa6c40f88

SHA1
c1a20ba139f75b2b8de1b8405161d4a461803d3d

SHA256
463a99fba1dafa18713503a22c8202e108661e4206b2c21218d4e19ef2dce286

SHA512
45cc2bb839a39de5e8a871d558b3c4827940d10150ccdea02ea9a8df0a4164fe4394a7d2576e2fd3ddf4401ce5eb2d288e0f3144e5f7826179aff7fd21183f74

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
6c580737fcc23a9ed675109cfca13b36

SHA1
b95e037a212f638938536121a39edfdcd77e8873

SHA256
495113737ea4a93fda56b460b00a086c6bfe1493234fc9593ea28db53f836b67

SHA512
9b5665671b9589df20a16a6f472d4500ffc1f4282911f1829ae3380da195951dd9c60cfd18127ae1cced5dac00472e2017aef13bc55035e96f51de13c72fb7c2

Download Submit
memory/1216-150-0x00000000009E0000-0x0000000000EA4000-memory.dmp

Filesize
4.8MB

Download
memory/1216-130-0x00000000009E0000-0x0000000000EA4000-memory.dmp

Filesize
4.8MB

Download
memory/1216-172-0x00000000009E0000-0x0000000000EA4000-memory.dmp

Filesize
4.8MB

Download
memory/1216-21-0x00000000009E0000-0x0000000000EA4000-memory.dmp

Filesize
4.8MB

Download
memory/1216-20-0x00000000009E0000-0x0000000000EA4000-memory.dmp

Filesize
4.8MB

Download
memory/1216-112-0x00000000009E0000-0x0000000000EA4000-memory.dmp

Filesize
4.8MB

Download
memory/1216-208-0x00000000009E0000-0x0000000000EA4000-memory.dmp

Filesize
4.8MB

Download
memory/1216-206-0x00000000009E0000-0x0000000000EA4000-memory.dmp

Filesize
4.8MB

Download
memory/1216-19-0x00000000009E1000-0x0000000000A0F000-memory.dmp

Filesize
184KB

Download
memory/1216-167-0x00000000009E0000-0x0000000000EA4000-memory.dmp

Filesize
4.8MB

Download
memory/1216-18-0x00000000009E0000-0x0000000000EA4000-memory.dmp

Filesize
4.8MB

Download
memory/1216-188-0x00000000009E0000-0x0000000000EA4000-memory.dmp

Filesize
4.8MB

Download
memory/1216-133-0x00000000009E0000-0x0000000000EA4000-memory.dmp

Filesize
4.8MB

Download
memory/1216-169-0x00000000009E0000-0x0000000000EA4000-memory.dmp

Filesize
4.8MB

Download
memory/1216-139-0x00000000009E0000-0x0000000000EA4000-memory.dmp

Filesize
4.8MB

Download
memory/1216-199-0x00000000009E0000-0x0000000000EA4000-memory.dmp

Filesize
4.8MB

Download
memory/1216-197-0x00000000009E0000-0x0000000000EA4000-memory.dmp

Filesize
4.8MB

Download
memory/1216-195-0x00000000009E0000-0x0000000000EA4000-memory.dmp

Filesize
4.8MB

Download
memory/1216-156-0x00000000009E0000-0x0000000000EA4000-memory.dmp

Filesize
4.8MB

Download
memory/1216-190-0x00000000009E0000-0x0000000000EA4000-memory.dmp

Filesize
4.8MB

Download
memory/1384-155-0x00000000009E0000-0x0000000000EA4000-memory.dmp

Filesize
4.8MB

Download
memory/1384-154-0x00000000009E0000-0x0000000000EA4000-memory.dmp

Filesize
4.8MB

Download
memory/1892-5-0x0000000000150000-0x0000000000614000-memory.dmp

Filesize
4.8MB

Download
memory/1892-0-0x0000000000150000-0x0000000000614000-memory.dmp

Filesize
4.8MB

Download
memory/1892-3-0x0000000000150000-0x0000000000614000-memory.dmp

Filesize
4.8MB

Download
memory/1892-2-0x0000000000151000-0x000000000017F000-memory.dmp

Filesize
184KB

Download
memory/1892-17-0x0000000000150000-0x0000000000614000-memory.dmp

Filesize
4.8MB

Download
memory/1892-1-0x0000000076FB6000-0x0000000076FB8000-memory.dmp

Filesize
8KB

Download
memory/2768-193-0x00000000009E0000-0x0000000000EA4000-memory.dmp

Filesize
4.8MB

Download
memory/2768-194-0x00000000009E0000-0x0000000000EA4000-memory.dmp

Filesize
4.8MB

Download
memory/3080-200-0x0000000000350000-0x0000000000924000-memory.dmp

Filesize
5.8MB

Download
memory/3080-142-0x0000000000350000-0x0000000000924000-memory.dmp

Filesize
5.8MB

Download
memory/3080-157-0x0000000000350000-0x0000000000924000-memory.dmp

Filesize
5.8MB

Download
memory/3080-152-0x0000000000350000-0x0000000000924000-memory.dmp

Filesize
5.8MB

Download
memory/3080-189-0x0000000000350000-0x0000000000924000-memory.dmp

Filesize
5.8MB

Download
memory/3080-218-0x0000000000350000-0x0000000000924000-memory.dmp

Filesize
5.8MB

Download
memory/3080-191-0x0000000000350000-0x0000000000924000-memory.dmp

Filesize
5.8MB

Download
memory/3080-42-0x0000000000350000-0x0000000000924000-memory.dmp

Filesize
5.8MB

Download
memory/3080-113-0x0000000000350000-0x0000000000924000-memory.dmp

Filesize
5.8MB

Download
memory/3080-173-0x0000000000350000-0x0000000000924000-memory.dmp

Filesize
5.8MB

Download
memory/3080-198-0x0000000000350000-0x0000000000924000-memory.dmp

Filesize
5.8MB

Download
memory/3080-143-0x0000000000350000-0x0000000000924000-memory.dmp

Filesize
5.8MB

Download
memory/3080-196-0x0000000000350000-0x0000000000924000-memory.dmp

Filesize
5.8MB

Download
memory/3080-168-0x0000000000350000-0x0000000000924000-memory.dmp

Filesize
5.8MB

Download
memory/3080-170-0x0000000000350000-0x0000000000924000-memory.dmp

Filesize
5.8MB

Download
memory/3080-207-0x0000000000350000-0x0000000000924000-memory.dmp

Filesize
5.8MB

Download
memory/3612-114-0x00000000007B0000-0x0000000000D11000-memory.dmp

Filesize
5.4MB

Download
memory/3612-144-0x00000000007B0000-0x0000000000D11000-memory.dmp

Filesize
5.4MB

Download
memory/3612-60-0x00000000007B0000-0x0000000000D11000-memory.dmp

Filesize
5.4MB

Download
memory/3612-151-0x00000000007B0000-0x0000000000D11000-memory.dmp

Filesize
5.4MB

Download