amadey | 282d39c4e359f69b5f4d9ffef2ae9686b841c33fe188faddf3843d84b4178cb4

Analysis

max time kernel
149s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
23-06-2024 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

282d39c4e359f69b5f4d9ffef2ae9686b841c33fe188faddf3843d84b4178cb4.exe
Size

1.8MB
MD5

8283d3bf4c491dde6f744e9ef5bc3274
SHA1

554115881ece7ecb07e12cbf5e789cf124064018
SHA256

282d39c4e359f69b5f4d9ffef2ae9686b841c33fe188faddf3843d84b4178cb4
SHA512

f2b0547e28864f9bcb4cb43cf27338d59ac40c7a909b8348255d7eebc79ad9b6bcb1b785ce06c88e5dbac4c4be3adbc0d4b4395c5b33c512ee0d844f4fcc7f11
SSDEEP

49152:IGxTqIz/sPpqoluKFY0ojzZoDkIbYuYnNtQQ:IqTqxpq0szZzEYN

Score

10^/10

amadey risepro 0e6740 evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

risepro

77.91.77.66:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	282d39c4e359f69b5f4d9ffef2ae9686b841c33fe188faddf3843d84b4178cb4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7008acd44c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b90c521208.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b90c521208.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	282d39c4e359f69b5f4d9ffef2ae9686b841c33fe188faddf3843d84b4178cb4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7008acd44c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7008acd44c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	282d39c4e359f69b5f4d9ffef2ae9686b841c33fe188faddf3843d84b4178cb4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b90c521208.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe

Executes dropped EXE 5 IoCs

pid	Process
4360	explortu.exe
4304	7008acd44c.exe
2812	b90c521208.exe
5048	explortu.exe
2008	explortu.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	282d39c4e359f69b5f4d9ffef2ae9686b841c33fe188faddf3843d84b4178cb4.exe
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	7008acd44c.exe
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	b90c521208.exe
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	explortu.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\7008acd44c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\7008acd44c.exe"	explortu.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/2812-114-0x0000000000300000-0x000000000085B000-memory.dmp	autoit_exe
behavioral2/memory/2812-145-0x0000000000300000-0x000000000085B000-memory.dmp	autoit_exe
behavioral2/memory/2812-151-0x0000000000300000-0x000000000085B000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
916	282d39c4e359f69b5f4d9ffef2ae9686b841c33fe188faddf3843d84b4178cb4.exe
4360	explortu.exe
4304	7008acd44c.exe
2812	b90c521208.exe
5048	explortu.exe
2008	explortu.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	282d39c4e359f69b5f4d9ffef2ae9686b841c33fe188faddf3843d84b4178cb4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133636285385612473"	chrome.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
916	282d39c4e359f69b5f4d9ffef2ae9686b841c33fe188faddf3843d84b4178cb4.exe
916	282d39c4e359f69b5f4d9ffef2ae9686b841c33fe188faddf3843d84b4178cb4.exe
4360	explortu.exe
4360	explortu.exe
4304	7008acd44c.exe
4304	7008acd44c.exe
2812	b90c521208.exe
2812	b90c521208.exe
4212	chrome.exe
4212	chrome.exe
5048	explortu.exe
5048	explortu.exe
2008	explortu.exe
2008	explortu.exe
1880	chrome.exe
1880	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
2812	b90c521208.exe
2812	b90c521208.exe
4212	chrome.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe
2812	b90c521208.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 4360	916	282d39c4e359f69b5f4d9ffef2ae9686b841c33fe188faddf3843d84b4178cb4.exe	77
PID 916 wrote to memory of 4360	916	282d39c4e359f69b5f4d9ffef2ae9686b841c33fe188faddf3843d84b4178cb4.exe	77
PID 916 wrote to memory of 4360	916	282d39c4e359f69b5f4d9ffef2ae9686b841c33fe188faddf3843d84b4178cb4.exe	77
PID 4360 wrote to memory of 4456	4360	explortu.exe	78
PID 4360 wrote to memory of 4456	4360	explortu.exe	78
PID 4360 wrote to memory of 4456	4360	explortu.exe	78
PID 4360 wrote to memory of 4304	4360	explortu.exe	79
PID 4360 wrote to memory of 4304	4360	explortu.exe	79
PID 4360 wrote to memory of 4304	4360	explortu.exe	79
PID 4360 wrote to memory of 2812	4360	explortu.exe	80
PID 4360 wrote to memory of 2812	4360	explortu.exe	80
PID 4360 wrote to memory of 2812	4360	explortu.exe	80
PID 2812 wrote to memory of 4212	2812	b90c521208.exe	81
PID 2812 wrote to memory of 4212	2812	b90c521208.exe	81
PID 4212 wrote to memory of 340	4212	chrome.exe	84
PID 4212 wrote to memory of 340	4212	chrome.exe	84
PID 4212 wrote to memory of 1180	4212	chrome.exe	85
PID 4212 wrote to memory of 1180	4212	chrome.exe	85
PID 4212 wrote to memory of 1180	4212	chrome.exe	85
PID 4212 wrote to memory of 1180	4212	chrome.exe	85
PID 4212 wrote to memory of 1180	4212	chrome.exe	85
PID 4212 wrote to memory of 1180	4212	chrome.exe	85
PID 4212 wrote to memory of 1180	4212	chrome.exe	85
PID 4212 wrote to memory of 1180	4212	chrome.exe	85
PID 4212 wrote to memory of 1180	4212	chrome.exe	85
PID 4212 wrote to memory of 1180	4212	chrome.exe	85
PID 4212 wrote to memory of 1180	4212	chrome.exe	85
PID 4212 wrote to memory of 1180	4212	chrome.exe	85
PID 4212 wrote to memory of 1180	4212	chrome.exe	85
PID 4212 wrote to memory of 1180	4212	chrome.exe	85
PID 4212 wrote to memory of 1180	4212	chrome.exe	85
PID 4212 wrote to memory of 1180	4212	chrome.exe	85
PID 4212 wrote to memory of 1180	4212	chrome.exe	85
PID 4212 wrote to memory of 1180	4212	chrome.exe	85
PID 4212 wrote to memory of 1180	4212	chrome.exe	85
PID 4212 wrote to memory of 1180	4212	chrome.exe	85
PID 4212 wrote to memory of 1180	4212	chrome.exe	85
PID 4212 wrote to memory of 1180	4212	chrome.exe	85
PID 4212 wrote to memory of 1180	4212	chrome.exe	85
PID 4212 wrote to memory of 1180	4212	chrome.exe	85
PID 4212 wrote to memory of 1180	4212	chrome.exe	85
PID 4212 wrote to memory of 1180	4212	chrome.exe	85
PID 4212 wrote to memory of 1180	4212	chrome.exe	85
PID 4212 wrote to memory of 1180	4212	chrome.exe	85
PID 4212 wrote to memory of 1180	4212	chrome.exe	85
PID 4212 wrote to memory of 1180	4212	chrome.exe	85
PID 4212 wrote to memory of 1180	4212	chrome.exe	85
PID 4212 wrote to memory of 628	4212	chrome.exe	86
PID 4212 wrote to memory of 628	4212	chrome.exe	86
PID 4212 wrote to memory of 648	4212	chrome.exe	87
PID 4212 wrote to memory of 648	4212	chrome.exe	87
PID 4212 wrote to memory of 648	4212	chrome.exe	87
PID 4212 wrote to memory of 648	4212	chrome.exe	87
PID 4212 wrote to memory of 648	4212	chrome.exe	87
PID 4212 wrote to memory of 648	4212	chrome.exe	87
PID 4212 wrote to memory of 648	4212	chrome.exe	87
PID 4212 wrote to memory of 648	4212	chrome.exe	87
PID 4212 wrote to memory of 648	4212	chrome.exe	87
PID 4212 wrote to memory of 648	4212	chrome.exe	87
PID 4212 wrote to memory of 648	4212	chrome.exe	87
PID 4212 wrote to memory of 648	4212	chrome.exe	87
PID 4212 wrote to memory of 648	4212	chrome.exe	87
PID 4212 wrote to memory of 648	4212	chrome.exe	87
PID 4212 wrote to memory of 648	4212	chrome.exe	87

C:\Users\Admin\AppData\Local\Temp\282d39c4e359f69b5f4d9ffef2ae9686b841c33fe188faddf3843d84b4178cb4.exe
"C:\Users\Admin\AppData\Local\Temp\282d39c4e359f69b5f4d9ffef2ae9686b841c33fe188faddf3843d84b4178cb4.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:916
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4360
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:4456
- - C:\Users\Admin\AppData\Local\Temp\1000016001\7008acd44c.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\7008acd44c.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:4304
- - C:\Users\Admin\AppData\Local\Temp\1000017001\b90c521208.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\b90c521208.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4212
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff98349ab58,0x7ff98349ab68,0x7ff98349ab78
        5⤵
        
        PID:340
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1788,i,10859700902750781150,15813396532204615025,131072 /prefetch:2
        5⤵
        
        PID:1180
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=1788,i,10859700902750781150,15813396532204615025,131072 /prefetch:8
        5⤵
        
        PID:628
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2132 --field-trial-handle=1788,i,10859700902750781150,15813396532204615025,131072 /prefetch:8
        5⤵
        
        PID:648
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3000 --field-trial-handle=1788,i,10859700902750781150,15813396532204615025,131072 /prefetch:1
        5⤵
        
        PID:860
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3008 --field-trial-handle=1788,i,10859700902750781150,15813396532204615025,131072 /prefetch:1
        5⤵
        
        PID:4504
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4136 --field-trial-handle=1788,i,10859700902750781150,15813396532204615025,131072 /prefetch:1
        5⤵
        
        PID:4404
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3272 --field-trial-handle=1788,i,10859700902750781150,15813396532204615025,131072 /prefetch:8
        5⤵
        
        PID:4732
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3284 --field-trial-handle=1788,i,10859700902750781150,15813396532204615025,131072 /prefetch:8
        5⤵
        
        PID:2052
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4588 --field-trial-handle=1788,i,10859700902750781150,15813396532204615025,131072 /prefetch:8
        5⤵
        
        PID:2060
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=584 --field-trial-handle=1788,i,10859700902750781150,15813396532204615025,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1880

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2252

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5048

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
05a947e0ceb06ff6c91bdcddb6332a77

SHA1
03c84adb745bc60b61462071e5027ac1124d1573

SHA256
dcb0d4ceca1612e37364acd6697c870d4caf7be561196185adefd2f85489ea33

SHA512
5c28ae513c54c6a76822f7f8e1c28ee2e408471de72ab55c929743bc4bba57d32c810ff2139b8e9e3d2a8dd3beaeb91950620b5f58deb7b7f92f608776669d61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
e5fe137ccced63133cdba58c61b22221

SHA1
af800fd431a93ef2d2a32de67636f3c0a0e38128

SHA256
03746bf4adcbf3e87a1fadc011cf213007cbf16f1606a6421f295ec8f8b768e4

SHA512
63b6ed874a548c6af03c143ed3d04da96f945f781a420a4b52f325699ed8e1d5dc160226aab84e10697545cf309f4afdfdb9aa070ce91013f2c8b2bde584e08f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
eb1f16ab2a9bd4fe3a059159ed69ef6b

SHA1
92b151b75309c5c6515eabe249e57f79768e04ad

SHA256
869fe4f63a245af18add15891914dadc18a0de1d8ce289b16de8965bcd5eab36

SHA512
aacaf5136f34ebc918977b62bdbef76143e6b76836a84e9efa02cf8995f1395ffd31f20b92decda1b56e66352fe046f1479f01bf2721f1b963368deddc8eac5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
8f9507ebe2cae09a41c4ac8fbf96f037

SHA1
7e1f4991cd6e93f0f46102370f6f0ac3fdd82676

SHA256
ded6686f34d9d9dd99c75b1fd872a5ff5a90a7e897d74e5f7afc7082ae6cf532

SHA512
ce45b02c7332015fb6bcb85adacfc290e3f044e99dc5742f4258b9d7e5d041137033e94a964d4d9063ea1891a54a6e237390dd6c79c82c7d9c50f808b696fa94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e056da0f79e1c355df08a7f0f52d6066

SHA1
fffa2e265d62a94527b0a453d6a9d00df23529ae

SHA256
ae326325c2f71a2a3008c4cbeee7bdb19df7abd2da741fadc6387036170389d8

SHA512
96de94727079598fa313af5a53a91d7e8bc3350e106d41186bc80d15c86fb7488d4e10eed9abd3d5b30d309be91b50366a5d5abb4f34cc74923249bc16a000d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
cae4908932013750e5e1248636a40499

SHA1
c5c734523204f11cfa298499e9b71d396ac06fc4

SHA256
3b45e9744c80d2be4a59d5a80fa9521e3b22a1c81fc52e351da58cacc53c608a

SHA512
241e560ad6eaa9bb63e4818a51863edcea419414b212a09d647e0822a295458b7afd235878bf597725efecc1373a6910f7a4d00a467611999ec1b142195d7e41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
271KB

MD5
f507ae64c07214bb400e02163281c45c

SHA1
639b7b0b9bfa6ac90561c41e1625cd1003e9c666

SHA256
82b35488dbafcbaff9c765b87526221e2b6f54b7f5824d38fd22ca9b191b6ee2

SHA512
ab93dfb070bbe2d3bd8d2dbf350612e3c8fd412f2f08d5d2abb7c0bf4a243e22202504dde367cfe8432a7b42c91ae51768d5b8204de00f0db54a2fb1cdca086a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\7008acd44c.exe

Filesize
2.3MB

MD5
9437d6cf2745f8683c3aa908e01b03cf

SHA1
4b954d00882c8249d11b61440976b2993ae4738a

SHA256
d3d0eeab1a06460ed303b065248db53d47bfd5c253324b0d2f9efcc2dc700a47

SHA512
8f8ef99107b126d82d5545ed8108fd1ecb6c3b743134766a1c213ee0667cadd1f0f0add0a3f2b111d990e45cd2a10480eb2dd44276cc4956f3dbaa5ea46f2f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\b90c521208.exe

Filesize
2.3MB

MD5
3a19408e4e0022353e4c95a987683d54

SHA1
893871492ca11e325e6f21305c8838f0bc225cf6

SHA256
ecc605bef4a5cbd450aa2ffc40c344b463661345dcf885ae9f07afdfb690e50b

SHA512
5eaf7bb6838ec33ccba8ab3b1366dc0994efad2584737c3e71cff4087dab3b1f99eb7338eabd9869500cf0ab8a8ed4b1d93828aca549e849eae712d007cc1593

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
8283d3bf4c491dde6f744e9ef5bc3274

SHA1
554115881ece7ecb07e12cbf5e789cf124064018

SHA256
282d39c4e359f69b5f4d9ffef2ae9686b841c33fe188faddf3843d84b4178cb4

SHA512
f2b0547e28864f9bcb4cb43cf27338d59ac40c7a909b8348255d7eebc79ad9b6bcb1b785ce06c88e5dbac4c4be3adbc0d4b4395c5b33c512ee0d844f4fcc7f11

Download Submit
memory/916-17-0x0000000000AE0000-0x0000000000F9B000-memory.dmp

Filesize
4.7MB

Download
memory/916-0-0x0000000000AE0000-0x0000000000F9B000-memory.dmp

Filesize
4.7MB

Download
memory/916-5-0x0000000000AE0000-0x0000000000F9B000-memory.dmp

Filesize
4.7MB

Download
memory/916-3-0x0000000000AE0000-0x0000000000F9B000-memory.dmp

Filesize
4.7MB

Download
memory/916-2-0x0000000000AE1000-0x0000000000B0F000-memory.dmp

Filesize
184KB

Download
memory/916-1-0x00000000772C6000-0x00000000772C8000-memory.dmp

Filesize
8KB

Download
memory/2008-197-0x0000000000530000-0x00000000009EB000-memory.dmp

Filesize
4.7MB

Download
memory/2008-198-0x0000000000530000-0x00000000009EB000-memory.dmp

Filesize
4.7MB

Download
memory/2812-145-0x0000000000300000-0x000000000085B000-memory.dmp

Filesize
5.4MB

Download
memory/2812-60-0x0000000000300000-0x000000000085B000-memory.dmp

Filesize
5.4MB

Download
memory/2812-114-0x0000000000300000-0x000000000085B000-memory.dmp

Filesize
5.4MB

Download
memory/2812-151-0x0000000000300000-0x000000000085B000-memory.dmp

Filesize
5.4MB

Download
memory/4304-170-0x0000000000760000-0x0000000000D50000-memory.dmp

Filesize
5.9MB

Download
memory/4304-113-0x0000000000760000-0x0000000000D50000-memory.dmp

Filesize
5.9MB

Download
memory/4304-218-0x0000000000760000-0x0000000000D50000-memory.dmp

Filesize
5.9MB

Download
memory/4304-142-0x0000000000760000-0x0000000000D50000-memory.dmp

Filesize
5.9MB

Download
memory/4304-143-0x0000000000760000-0x0000000000D50000-memory.dmp

Filesize
5.9MB

Download
memory/4304-173-0x0000000000760000-0x0000000000D50000-memory.dmp

Filesize
5.9MB

Download
memory/4304-207-0x0000000000760000-0x0000000000D50000-memory.dmp

Filesize
5.9MB

Download
memory/4304-42-0x0000000000760000-0x0000000000D50000-memory.dmp

Filesize
5.9MB

Download
memory/4304-200-0x0000000000760000-0x0000000000D50000-memory.dmp

Filesize
5.9MB

Download
memory/4304-152-0x0000000000760000-0x0000000000D50000-memory.dmp

Filesize
5.9MB

Download
memory/4304-196-0x0000000000760000-0x0000000000D50000-memory.dmp

Filesize
5.9MB

Download
memory/4304-154-0x0000000000760000-0x0000000000D50000-memory.dmp

Filesize
5.9MB

Download
memory/4304-193-0x0000000000760000-0x0000000000D50000-memory.dmp

Filesize
5.9MB

Download
memory/4304-191-0x0000000000760000-0x0000000000D50000-memory.dmp

Filesize
5.9MB

Download
memory/4304-189-0x0000000000760000-0x0000000000D50000-memory.dmp

Filesize
5.9MB

Download
memory/4304-168-0x0000000000760000-0x0000000000D50000-memory.dmp

Filesize
5.9MB

Download
memory/4360-18-0x0000000000530000-0x00000000009EB000-memory.dmp

Filesize
4.7MB

Download
memory/4360-172-0x0000000000530000-0x00000000009EB000-memory.dmp

Filesize
4.7MB

Download
memory/4360-169-0x0000000000530000-0x00000000009EB000-memory.dmp

Filesize
4.7MB

Download
memory/4360-134-0x0000000000530000-0x00000000009EB000-memory.dmp

Filesize
4.7MB

Download
memory/4360-192-0x0000000000530000-0x00000000009EB000-memory.dmp

Filesize
4.7MB

Download
memory/4360-188-0x0000000000530000-0x00000000009EB000-memory.dmp

Filesize
4.7MB

Download
memory/4360-107-0x0000000000530000-0x00000000009EB000-memory.dmp

Filesize
4.7MB

Download
memory/4360-190-0x0000000000530000-0x00000000009EB000-memory.dmp

Filesize
4.7MB

Download
memory/4360-144-0x0000000000530000-0x00000000009EB000-memory.dmp

Filesize
4.7MB

Download
memory/4360-21-0x0000000000530000-0x00000000009EB000-memory.dmp

Filesize
4.7MB

Download
memory/4360-164-0x0000000000530000-0x00000000009EB000-memory.dmp

Filesize
4.7MB

Download
memory/4360-194-0x0000000000530000-0x00000000009EB000-memory.dmp

Filesize
4.7MB

Download
memory/4360-20-0x0000000000530000-0x00000000009EB000-memory.dmp

Filesize
4.7MB

Download
memory/4360-153-0x0000000000530000-0x00000000009EB000-memory.dmp

Filesize
4.7MB

Download
memory/4360-19-0x0000000000531000-0x000000000055F000-memory.dmp

Filesize
184KB

Download
memory/4360-199-0x0000000000530000-0x00000000009EB000-memory.dmp

Filesize
4.7MB

Download
memory/4360-115-0x0000000000530000-0x00000000009EB000-memory.dmp

Filesize
4.7MB

Download
memory/4360-206-0x0000000000530000-0x00000000009EB000-memory.dmp

Filesize
4.7MB

Download
memory/4360-133-0x0000000000530000-0x00000000009EB000-memory.dmp

Filesize
4.7MB

Download
memory/4360-208-0x0000000000530000-0x00000000009EB000-memory.dmp

Filesize
4.7MB

Download
memory/5048-166-0x0000000000530000-0x00000000009EB000-memory.dmp

Filesize
4.7MB

Download
memory/5048-167-0x0000000000530000-0x00000000009EB000-memory.dmp

Filesize
4.7MB

Download