amadey | 244e9d35709d1b2b268e622755f2c954826c50bf647b834e603c2ef5d74cc445

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
23-06-2024 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

244e9d35709d1b2b268e622755f2c954826c50bf647b834e603c2ef5d74cc445.exe
Size

1.8MB
MD5

66f47ac2840baefdd81971cd13203e8d
SHA1

6f3e137e99b0ac70d633118f979424d329701f4c
SHA256

244e9d35709d1b2b268e622755f2c954826c50bf647b834e603c2ef5d74cc445
SHA512

1f50da7ef3464e2934f1b51a254c87c672b451e207957d8a6c1ab2fa703f8ec925938c8c1364b0fa412fa0c2595a3b170de1b8f7ff88e1b91709254342e38f1f
SSDEEP

49152:GGmEkUQVO+Yz3SW/qh7AyCMGCIbcshcunEpN:tmEkU2A3jqUC+hznEp

Score

10^/10

amadey risepro 0e6740 evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

risepro

77.91.77.66:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	244e9d35709d1b2b268e622755f2c954826c50bf647b834e603c2ef5d74cc445.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6db52e5cd5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	13002e093b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	244e9d35709d1b2b268e622755f2c954826c50bf647b834e603c2ef5d74cc445.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	13002e093b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	244e9d35709d1b2b268e622755f2c954826c50bf647b834e603c2ef5d74cc445.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6db52e5cd5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6db52e5cd5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	13002e093b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe

Executes dropped EXE 5 IoCs

pid	Process
3768	explortu.exe
1068	6db52e5cd5.exe
1152	13002e093b.exe
4268	explortu.exe
3240	explortu.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	244e9d35709d1b2b268e622755f2c954826c50bf647b834e603c2ef5d74cc445.exe
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	6db52e5cd5.exe
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	13002e093b.exe
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	explortu.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\6db52e5cd5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\6db52e5cd5.exe"	explortu.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1152-133-0x00000000004B0000-0x00000000009F9000-memory.dmp	autoit_exe
behavioral2/memory/1152-144-0x00000000004B0000-0x00000000009F9000-memory.dmp	autoit_exe
behavioral2/memory/1152-151-0x00000000004B0000-0x00000000009F9000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
888	244e9d35709d1b2b268e622755f2c954826c50bf647b834e603c2ef5d74cc445.exe
3768	explortu.exe
1068	6db52e5cd5.exe
1152	13002e093b.exe
4268	explortu.exe
3240	explortu.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	244e9d35709d1b2b268e622755f2c954826c50bf647b834e603c2ef5d74cc445.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133636603414670070"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
888	244e9d35709d1b2b268e622755f2c954826c50bf647b834e603c2ef5d74cc445.exe
888	244e9d35709d1b2b268e622755f2c954826c50bf647b834e603c2ef5d74cc445.exe
3768	explortu.exe
3768	explortu.exe
1068	6db52e5cd5.exe
1068	6db52e5cd5.exe
1152	13002e093b.exe
1152	13002e093b.exe
1376	chrome.exe
1376	chrome.exe
4268	explortu.exe
4268	explortu.exe
3240	explortu.exe
3240	explortu.exe
2780	chrome.exe
2780	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe
Token: SeShutdownPrivilege	1376	chrome.exe
Token: SeCreatePagefilePrivilege	1376	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
1152	13002e093b.exe
1152	13002e093b.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1152	13002e093b.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1152	13002e093b.exe
1376	chrome.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
1152	13002e093b.exe
1152	13002e093b.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1152	13002e093b.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe
1152	13002e093b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 888 wrote to memory of 3768	888	244e9d35709d1b2b268e622755f2c954826c50bf647b834e603c2ef5d74cc445.exe	77
PID 888 wrote to memory of 3768	888	244e9d35709d1b2b268e622755f2c954826c50bf647b834e603c2ef5d74cc445.exe	77
PID 888 wrote to memory of 3768	888	244e9d35709d1b2b268e622755f2c954826c50bf647b834e603c2ef5d74cc445.exe	77
PID 3768 wrote to memory of 2312	3768	explortu.exe	78
PID 3768 wrote to memory of 2312	3768	explortu.exe	78
PID 3768 wrote to memory of 2312	3768	explortu.exe	78
PID 3768 wrote to memory of 1068	3768	explortu.exe	79
PID 3768 wrote to memory of 1068	3768	explortu.exe	79
PID 3768 wrote to memory of 1068	3768	explortu.exe	79
PID 3768 wrote to memory of 1152	3768	explortu.exe	80
PID 3768 wrote to memory of 1152	3768	explortu.exe	80
PID 3768 wrote to memory of 1152	3768	explortu.exe	80
PID 1152 wrote to memory of 1376	1152	13002e093b.exe	81
PID 1152 wrote to memory of 1376	1152	13002e093b.exe	81
PID 1376 wrote to memory of 1448	1376	chrome.exe	84
PID 1376 wrote to memory of 1448	1376	chrome.exe	84
PID 1376 wrote to memory of 1456	1376	chrome.exe	85
PID 1376 wrote to memory of 1456	1376	chrome.exe	85
PID 1376 wrote to memory of 1456	1376	chrome.exe	85
PID 1376 wrote to memory of 1456	1376	chrome.exe	85
PID 1376 wrote to memory of 1456	1376	chrome.exe	85
PID 1376 wrote to memory of 1456	1376	chrome.exe	85
PID 1376 wrote to memory of 1456	1376	chrome.exe	85
PID 1376 wrote to memory of 1456	1376	chrome.exe	85
PID 1376 wrote to memory of 1456	1376	chrome.exe	85
PID 1376 wrote to memory of 1456	1376	chrome.exe	85
PID 1376 wrote to memory of 1456	1376	chrome.exe	85
PID 1376 wrote to memory of 1456	1376	chrome.exe	85
PID 1376 wrote to memory of 1456	1376	chrome.exe	85
PID 1376 wrote to memory of 1456	1376	chrome.exe	85
PID 1376 wrote to memory of 1456	1376	chrome.exe	85
PID 1376 wrote to memory of 1456	1376	chrome.exe	85
PID 1376 wrote to memory of 1456	1376	chrome.exe	85
PID 1376 wrote to memory of 1456	1376	chrome.exe	85
PID 1376 wrote to memory of 1456	1376	chrome.exe	85
PID 1376 wrote to memory of 1456	1376	chrome.exe	85
PID 1376 wrote to memory of 1456	1376	chrome.exe	85
PID 1376 wrote to memory of 1456	1376	chrome.exe	85
PID 1376 wrote to memory of 1456	1376	chrome.exe	85
PID 1376 wrote to memory of 1456	1376	chrome.exe	85
PID 1376 wrote to memory of 1456	1376	chrome.exe	85
PID 1376 wrote to memory of 1456	1376	chrome.exe	85
PID 1376 wrote to memory of 1456	1376	chrome.exe	85
PID 1376 wrote to memory of 1456	1376	chrome.exe	85
PID 1376 wrote to memory of 1456	1376	chrome.exe	85
PID 1376 wrote to memory of 1456	1376	chrome.exe	85
PID 1376 wrote to memory of 1456	1376	chrome.exe	85
PID 1376 wrote to memory of 1416	1376	chrome.exe	86
PID 1376 wrote to memory of 1416	1376	chrome.exe	86
PID 1376 wrote to memory of 1108	1376	chrome.exe	87
PID 1376 wrote to memory of 1108	1376	chrome.exe	87
PID 1376 wrote to memory of 1108	1376	chrome.exe	87
PID 1376 wrote to memory of 1108	1376	chrome.exe	87
PID 1376 wrote to memory of 1108	1376	chrome.exe	87
PID 1376 wrote to memory of 1108	1376	chrome.exe	87
PID 1376 wrote to memory of 1108	1376	chrome.exe	87
PID 1376 wrote to memory of 1108	1376	chrome.exe	87
PID 1376 wrote to memory of 1108	1376	chrome.exe	87
PID 1376 wrote to memory of 1108	1376	chrome.exe	87
PID 1376 wrote to memory of 1108	1376	chrome.exe	87
PID 1376 wrote to memory of 1108	1376	chrome.exe	87
PID 1376 wrote to memory of 1108	1376	chrome.exe	87
PID 1376 wrote to memory of 1108	1376	chrome.exe	87
PID 1376 wrote to memory of 1108	1376	chrome.exe	87

C:\Users\Admin\AppData\Local\Temp\244e9d35709d1b2b268e622755f2c954826c50bf647b834e603c2ef5d74cc445.exe
"C:\Users\Admin\AppData\Local\Temp\244e9d35709d1b2b268e622755f2c954826c50bf647b834e603c2ef5d74cc445.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:888
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3768
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:2312
- - C:\Users\Admin\AppData\Local\Temp\1000016001\6db52e5cd5.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\6db52e5cd5.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:1068
- - C:\Users\Admin\AppData\Local\Temp\1000017001\13002e093b.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\13002e093b.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1152
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1376
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9a5c4ab58,0x7ff9a5c4ab68,0x7ff9a5c4ab78
        5⤵
        
        PID:1448
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1592 --field-trial-handle=1952,i,8679809432900115462,15138934451575741306,131072 /prefetch:2
        5⤵
        
        PID:1456
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1896 --field-trial-handle=1952,i,8679809432900115462,15138934451575741306,131072 /prefetch:8
        5⤵
        
        PID:1416
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1952,i,8679809432900115462,15138934451575741306,131072 /prefetch:8
        5⤵
        
        PID:1108
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2936 --field-trial-handle=1952,i,8679809432900115462,15138934451575741306,131072 /prefetch:1
        5⤵
        
        PID:488
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2972 --field-trial-handle=1952,i,8679809432900115462,15138934451575741306,131072 /prefetch:1
        5⤵
        
        PID:1092
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3112 --field-trial-handle=1952,i,8679809432900115462,15138934451575741306,131072 /prefetch:1
        5⤵
        
        PID:1524
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4276 --field-trial-handle=1952,i,8679809432900115462,15138934451575741306,131072 /prefetch:8
        5⤵
        
        PID:4644
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4352 --field-trial-handle=1952,i,8679809432900115462,15138934451575741306,131072 /prefetch:8
        5⤵
        
        PID:4964
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4500 --field-trial-handle=1952,i,8679809432900115462,15138934451575741306,131072 /prefetch:8
        5⤵
        
        PID:972
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1772 --field-trial-handle=1952,i,8679809432900115462,15138934451575741306,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2780

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:616

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4268

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
bdefa7c6f508502582e173de66808480

SHA1
417a6d424a4dcd7c5a7ff31d6c2a52b63c91d7e5

SHA256
36574c684a0a3976802108a2ac3e2a26821c21fbbf0a23e536c540e6c6136b91

SHA512
e8abda1cd49b9fa6a037b6395dc98d95d2f5fff58d6dcc012edbb317db344c39a6455c21a3e33c3d3c338c8a0519ff0c438ff1d0bcf9c1bab2499643cea75e4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
7c53bf9f94b5e8ca15d352e519b5a526

SHA1
fde65a30985bbce08decbd9d49c2e0d3480cdc40

SHA256
69cb5910198e072784676090b290f09695b7c250373d2a5758d7fc9086044fbd

SHA512
cf31cd055cc888fe8891b69810e857214e439546df14bbcd367c7d85335419e59f945cd3e0900659771f76584f2db1a797981c60015f0caf137cfa52d9dc1cd4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
652af5f83d8ad1d4c66e3bbb2cc51243

SHA1
92762ef7fc4b8ceaaabe9bec8e2d7618b2eb49da

SHA256
95bcc7c63373512f7884904d0ff654356a81c97c1cec4032a157c4543027dc1b

SHA512
5b2cf110b96830be0539f009ffa959e6c5ab414579aaec4c70e45c814aa8901fe2937ab716edc39fe6386799782e910a7ddaadf24caedcc206f90a87ac63f03e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
688B

MD5
f761a7e466e3dbc2d859392b8ca46c1a

SHA1
c4112119011bd11a7a9327ae260e0069add168d3

SHA256
b85b168c2c970313c3b5671c6ab0db48abcef0b38c7eab767e04742aa5fde356

SHA512
ad533c53b1e1cefa5236674ec72bd3b6a3b1ab48448584f52a8001e0a39f377d64f9960260f6a89ad07dc0e385154adfaa6bfaf45021255c9227742fdd0e8e69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
65b2a7ce503b038bf9e91c2a57409cde

SHA1
46a0695f44f2017ad2de3099f18444bf1425274a

SHA256
455e8d56c0def1b1ed61c9fff635f03d232e31f2e5e6528b1eba44886b62d89c

SHA512
88fe868b11a7477b2877f92ff55c5413e1b734d32536f044db18551e999ae9524e6d78659a4515850997cc4231b2a06bc8265c3f30cbaeee7270f7aa5f964076

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
5b86456157ac753a2ec7cfe6b77d647d

SHA1
5238d7b62a5e8566053e48c32f6f6ea4b288d449

SHA256
a05923113dd645fe80b2547b313b80d4a3b7655ab8e71f31edaf642c8c346b9d

SHA512
c2bf3afeb8a86ec1ee67fb6e2486ccb35b481af355d0b9cf6ef30861ddb25babeb4fef36b00d42c8ef89395f79e39d6222c7f10eed775904ae97ca7dd74c532c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
271KB

MD5
fbfc60d3fd1a8d4a93bc5429da16a4bb

SHA1
79c9e3723c82108398b2e791430197b845776654

SHA256
e22b731b7b2ed1faf485f1ebeec9a19a6876d79f5d139c32fb92b4be1dfc5df2

SHA512
dca94f20f75c24c5f7f238c220643ceab352b4970378661d41146f982160c83ef63cfc88ec01154d06a21da4dd28e8a4b28491b94648fb42a1c07e5fdbc777dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\6db52e5cd5.exe

Filesize
2.3MB

MD5
896239efa1356ca2abff090e7b22df71

SHA1
9e630702beeae53e2f8f9fcaff62e9bdd6d2c1fb

SHA256
87b128f0266a64e1aec966b3daea5ea180920960a35313e6bc4538a6d8b9e191

SHA512
e6a1f0bd7db41d61543687b8e556a7a4cc97c9bc65d1564823b5ec556712824ca46e6b755149632908bebd732ec303d7514327c1281161348939a0a3a76dc923

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\13002e093b.exe

Filesize
2.2MB

MD5
783d2e1bd21598ace9f11de6a48a87a5

SHA1
ebc95ad120a60fa2008336f92c9d4176a4129e89

SHA256
e8e886949270adc21171f3da304ce0fd4374ad184af9f72dc63d1bcced3b0bbe

SHA512
4fe1e1c40337006349d3c1773c585fe5c7276638f4ee126b1b4f59f79ee9bc0fd3544b7707617d57ed6418a9606bf3e5808c2f8dd20e39bddd1ccf348509a700

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
66f47ac2840baefdd81971cd13203e8d

SHA1
6f3e137e99b0ac70d633118f979424d329701f4c

SHA256
244e9d35709d1b2b268e622755f2c954826c50bf647b834e603c2ef5d74cc445

SHA512
1f50da7ef3464e2934f1b51a254c87c672b451e207957d8a6c1ab2fa703f8ec925938c8c1364b0fa412fa0c2595a3b170de1b8f7ff88e1b91709254342e38f1f

Download Submit
memory/888-5-0x0000000000B10000-0x0000000000FDA000-memory.dmp

Filesize
4.8MB

Download
memory/888-0-0x0000000000B10000-0x0000000000FDA000-memory.dmp

Filesize
4.8MB

Download
memory/888-17-0x0000000000B10000-0x0000000000FDA000-memory.dmp

Filesize
4.8MB

Download
memory/888-3-0x0000000000B10000-0x0000000000FDA000-memory.dmp

Filesize
4.8MB

Download
memory/888-2-0x0000000000B11000-0x0000000000B3F000-memory.dmp

Filesize
184KB

Download
memory/888-1-0x0000000077A06000-0x0000000077A08000-memory.dmp

Filesize
8KB

Download
memory/1068-189-0x00000000004E0000-0x0000000000AD9000-memory.dmp

Filesize
6.0MB

Download
memory/1068-154-0x00000000004E0000-0x0000000000AD9000-memory.dmp

Filesize
6.0MB

Download
memory/1068-113-0x00000000004E0000-0x0000000000AD9000-memory.dmp

Filesize
6.0MB

Download
memory/1068-218-0x00000000004E0000-0x0000000000AD9000-memory.dmp

Filesize
6.0MB

Download
memory/1068-207-0x00000000004E0000-0x0000000000AD9000-memory.dmp

Filesize
6.0MB

Download
memory/1068-200-0x00000000004E0000-0x0000000000AD9000-memory.dmp

Filesize
6.0MB

Download
memory/1068-198-0x00000000004E0000-0x0000000000AD9000-memory.dmp

Filesize
6.0MB

Download
memory/1068-193-0x00000000004E0000-0x0000000000AD9000-memory.dmp

Filesize
6.0MB

Download
memory/1068-42-0x00000000004E0000-0x0000000000AD9000-memory.dmp

Filesize
6.0MB

Download
memory/1068-142-0x00000000004E0000-0x0000000000AD9000-memory.dmp

Filesize
6.0MB

Download
memory/1068-143-0x00000000004E0000-0x0000000000AD9000-memory.dmp

Filesize
6.0MB

Download
memory/1068-191-0x00000000004E0000-0x0000000000AD9000-memory.dmp

Filesize
6.0MB

Download
memory/1068-173-0x00000000004E0000-0x0000000000AD9000-memory.dmp

Filesize
6.0MB

Download
memory/1068-170-0x00000000004E0000-0x0000000000AD9000-memory.dmp

Filesize
6.0MB

Download
memory/1068-168-0x00000000004E0000-0x0000000000AD9000-memory.dmp

Filesize
6.0MB

Download
memory/1068-152-0x00000000004E0000-0x0000000000AD9000-memory.dmp

Filesize
6.0MB

Download
memory/1152-144-0x00000000004B0000-0x00000000009F9000-memory.dmp

Filesize
5.3MB

Download
memory/1152-133-0x00000000004B0000-0x00000000009F9000-memory.dmp

Filesize
5.3MB

Download
memory/1152-60-0x00000000004B0000-0x00000000009F9000-memory.dmp

Filesize
5.3MB

Download
memory/1152-151-0x00000000004B0000-0x00000000009F9000-memory.dmp

Filesize
5.3MB

Download
memory/3240-197-0x0000000000F00000-0x00000000013CA000-memory.dmp

Filesize
4.8MB

Download
memory/3240-196-0x0000000000F00000-0x00000000013CA000-memory.dmp

Filesize
4.8MB

Download
memory/3768-150-0x0000000000F00000-0x00000000013CA000-memory.dmp

Filesize
4.8MB

Download
memory/3768-194-0x0000000000F00000-0x00000000013CA000-memory.dmp

Filesize
4.8MB

Download
memory/3768-172-0x0000000000F00000-0x00000000013CA000-memory.dmp

Filesize
4.8MB

Download
memory/3768-21-0x0000000000F00000-0x00000000013CA000-memory.dmp

Filesize
4.8MB

Download
memory/3768-20-0x0000000000F00000-0x00000000013CA000-memory.dmp

Filesize
4.8MB

Download
memory/3768-188-0x0000000000F00000-0x00000000013CA000-memory.dmp

Filesize
4.8MB

Download
memory/3768-19-0x0000000000F01000-0x0000000000F2F000-memory.dmp

Filesize
184KB

Download
memory/3768-190-0x0000000000F00000-0x00000000013CA000-memory.dmp

Filesize
4.8MB

Download
memory/3768-114-0x0000000000F00000-0x00000000013CA000-memory.dmp

Filesize
4.8MB

Download
memory/3768-192-0x0000000000F00000-0x00000000013CA000-memory.dmp

Filesize
4.8MB

Download
memory/3768-169-0x0000000000F00000-0x00000000013CA000-memory.dmp

Filesize
4.8MB

Download
memory/3768-153-0x0000000000F00000-0x00000000013CA000-memory.dmp

Filesize
4.8MB

Download
memory/3768-107-0x0000000000F00000-0x00000000013CA000-memory.dmp

Filesize
4.8MB

Download
memory/3768-18-0x0000000000F00000-0x00000000013CA000-memory.dmp

Filesize
4.8MB

Download
memory/3768-132-0x0000000000F00000-0x00000000013CA000-memory.dmp

Filesize
4.8MB

Download
memory/3768-199-0x0000000000F00000-0x00000000013CA000-memory.dmp

Filesize
4.8MB

Download
memory/3768-134-0x0000000000F00000-0x00000000013CA000-memory.dmp

Filesize
4.8MB

Download
memory/3768-206-0x0000000000F00000-0x00000000013CA000-memory.dmp

Filesize
4.8MB

Download
memory/3768-164-0x0000000000F00000-0x00000000013CA000-memory.dmp

Filesize
4.8MB

Download
memory/3768-208-0x0000000000F00000-0x00000000013CA000-memory.dmp

Filesize
4.8MB

Download
memory/4268-166-0x0000000000F00000-0x00000000013CA000-memory.dmp

Filesize
4.8MB

Download
memory/4268-167-0x0000000000F00000-0x00000000013CA000-memory.dmp

Filesize
4.8MB

Download