amadey | 16ab3331711e8e05015b68232520d7a037e0d0069d0181d1d4dde9ac81aa7744

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
23-06-2024 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16ab3331711e8e05015b68232520d7a037e0d0069d0181d1d4dde9ac81aa7744.exe
Size

1.8MB
MD5

b14a74c894dfb0897344d10e4bb61d00
SHA1

bd307d455e5ed81e10b32f96fac126172c575fe9
SHA256

16ab3331711e8e05015b68232520d7a037e0d0069d0181d1d4dde9ac81aa7744
SHA512

a352f1e45e4442208cf7a559320d0e8000b41bfe8b84327c836e151507566fda53a279b310c485b10571f84f0108409f8495bd19dd1170cc84648f99352cf873
SSDEEP

49152:gOooOuVgUCStfe1JvOloNeYIRu3aCog9BxIvVlr:Noo7VZ/fqvGuoRe/B6

Score

10^/10

amadey risepro 0e6740 evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

risepro

77.91.77.66:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7b8ceacbb2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	35289505b6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	16ab3331711e8e05015b68232520d7a037e0d0069d0181d1d4dde9ac81aa7744.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7b8ceacbb2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	35289505b6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	35289505b6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	16ab3331711e8e05015b68232520d7a037e0d0069d0181d1d4dde9ac81aa7744.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	16ab3331711e8e05015b68232520d7a037e0d0069d0181d1d4dde9ac81aa7744.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7b8ceacbb2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe

Executes dropped EXE 6 IoCs

pid	Process
2672	explortu.exe
2724	7b8ceacbb2.exe
724	35289505b6.exe
3132	explortu.exe
2944	explortu.exe
1936	explortu.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	16ab3331711e8e05015b68232520d7a037e0d0069d0181d1d4dde9ac81aa7744.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	7b8ceacbb2.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	35289505b6.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	explortu.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Windows\CurrentVersion\Run\7b8ceacbb2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\7b8ceacbb2.exe"	explortu.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/724-118-0x0000000000EF0000-0x0000000001459000-memory.dmp	autoit_exe
behavioral2/memory/724-148-0x0000000000EF0000-0x0000000001459000-memory.dmp	autoit_exe
behavioral2/memory/724-155-0x0000000000EF0000-0x0000000001459000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
1124	16ab3331711e8e05015b68232520d7a037e0d0069d0181d1d4dde9ac81aa7744.exe
2672	explortu.exe
2724	7b8ceacbb2.exe
724	35289505b6.exe
3132	explortu.exe
2944	explortu.exe
1936	explortu.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	16ab3331711e8e05015b68232520d7a037e0d0069d0181d1d4dde9ac81aa7744.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133636336254763037"	chrome.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1124	16ab3331711e8e05015b68232520d7a037e0d0069d0181d1d4dde9ac81aa7744.exe
1124	16ab3331711e8e05015b68232520d7a037e0d0069d0181d1d4dde9ac81aa7744.exe
2672	explortu.exe
2672	explortu.exe
2724	7b8ceacbb2.exe
2724	7b8ceacbb2.exe
724	35289505b6.exe
724	35289505b6.exe
3132	explortu.exe
3132	explortu.exe
3472	chrome.exe
3472	chrome.exe
2944	explortu.exe
2944	explortu.exe
1960	chrome.exe
1960	chrome.exe
1936	explortu.exe
1936	explortu.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe
Token: SeShutdownPrivilege	3472	chrome.exe
Token: SeCreatePagefilePrivilege	3472	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
724	35289505b6.exe
724	35289505b6.exe
3472	chrome.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
3472	chrome.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe
724	35289505b6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 2672	1124	16ab3331711e8e05015b68232520d7a037e0d0069d0181d1d4dde9ac81aa7744.exe	80
PID 1124 wrote to memory of 2672	1124	16ab3331711e8e05015b68232520d7a037e0d0069d0181d1d4dde9ac81aa7744.exe	80
PID 1124 wrote to memory of 2672	1124	16ab3331711e8e05015b68232520d7a037e0d0069d0181d1d4dde9ac81aa7744.exe	80
PID 2672 wrote to memory of 2876	2672	explortu.exe	81
PID 2672 wrote to memory of 2876	2672	explortu.exe	81
PID 2672 wrote to memory of 2876	2672	explortu.exe	81
PID 2672 wrote to memory of 2724	2672	explortu.exe	82
PID 2672 wrote to memory of 2724	2672	explortu.exe	82
PID 2672 wrote to memory of 2724	2672	explortu.exe	82
PID 2672 wrote to memory of 724	2672	explortu.exe	83
PID 2672 wrote to memory of 724	2672	explortu.exe	83
PID 2672 wrote to memory of 724	2672	explortu.exe	83
PID 724 wrote to memory of 3472	724	35289505b6.exe	85
PID 724 wrote to memory of 3472	724	35289505b6.exe	85
PID 3472 wrote to memory of 5008	3472	chrome.exe	88
PID 3472 wrote to memory of 5008	3472	chrome.exe	88
PID 3472 wrote to memory of 500	3472	chrome.exe	89
PID 3472 wrote to memory of 500	3472	chrome.exe	89
PID 3472 wrote to memory of 500	3472	chrome.exe	89
PID 3472 wrote to memory of 500	3472	chrome.exe	89
PID 3472 wrote to memory of 500	3472	chrome.exe	89
PID 3472 wrote to memory of 500	3472	chrome.exe	89
PID 3472 wrote to memory of 500	3472	chrome.exe	89
PID 3472 wrote to memory of 500	3472	chrome.exe	89
PID 3472 wrote to memory of 500	3472	chrome.exe	89
PID 3472 wrote to memory of 500	3472	chrome.exe	89
PID 3472 wrote to memory of 500	3472	chrome.exe	89
PID 3472 wrote to memory of 500	3472	chrome.exe	89
PID 3472 wrote to memory of 500	3472	chrome.exe	89
PID 3472 wrote to memory of 500	3472	chrome.exe	89
PID 3472 wrote to memory of 500	3472	chrome.exe	89
PID 3472 wrote to memory of 500	3472	chrome.exe	89
PID 3472 wrote to memory of 500	3472	chrome.exe	89
PID 3472 wrote to memory of 500	3472	chrome.exe	89
PID 3472 wrote to memory of 500	3472	chrome.exe	89
PID 3472 wrote to memory of 500	3472	chrome.exe	89
PID 3472 wrote to memory of 500	3472	chrome.exe	89
PID 3472 wrote to memory of 500	3472	chrome.exe	89
PID 3472 wrote to memory of 500	3472	chrome.exe	89
PID 3472 wrote to memory of 500	3472	chrome.exe	89
PID 3472 wrote to memory of 500	3472	chrome.exe	89
PID 3472 wrote to memory of 500	3472	chrome.exe	89
PID 3472 wrote to memory of 500	3472	chrome.exe	89
PID 3472 wrote to memory of 500	3472	chrome.exe	89
PID 3472 wrote to memory of 500	3472	chrome.exe	89
PID 3472 wrote to memory of 500	3472	chrome.exe	89
PID 3472 wrote to memory of 500	3472	chrome.exe	89
PID 3472 wrote to memory of 3656	3472	chrome.exe	90
PID 3472 wrote to memory of 3656	3472	chrome.exe	90
PID 3472 wrote to memory of 3252	3472	chrome.exe	91
PID 3472 wrote to memory of 3252	3472	chrome.exe	91
PID 3472 wrote to memory of 3252	3472	chrome.exe	91
PID 3472 wrote to memory of 3252	3472	chrome.exe	91
PID 3472 wrote to memory of 3252	3472	chrome.exe	91
PID 3472 wrote to memory of 3252	3472	chrome.exe	91
PID 3472 wrote to memory of 3252	3472	chrome.exe	91
PID 3472 wrote to memory of 3252	3472	chrome.exe	91
PID 3472 wrote to memory of 3252	3472	chrome.exe	91
PID 3472 wrote to memory of 3252	3472	chrome.exe	91
PID 3472 wrote to memory of 3252	3472	chrome.exe	91
PID 3472 wrote to memory of 3252	3472	chrome.exe	91
PID 3472 wrote to memory of 3252	3472	chrome.exe	91
PID 3472 wrote to memory of 3252	3472	chrome.exe	91
PID 3472 wrote to memory of 3252	3472	chrome.exe	91

C:\Users\Admin\AppData\Local\Temp\16ab3331711e8e05015b68232520d7a037e0d0069d0181d1d4dde9ac81aa7744.exe
"C:\Users\Admin\AppData\Local\Temp\16ab3331711e8e05015b68232520d7a037e0d0069d0181d1d4dde9ac81aa7744.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:2876
- - C:\Users\Admin\AppData\Local\Temp\1000016001\7b8ceacbb2.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\7b8ceacbb2.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:2724
- - C:\Users\Admin\AppData\Local\Temp\1000017001\35289505b6.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\35289505b6.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:724
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3472
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff0c87ab58,0x7fff0c87ab68,0x7fff0c87ab78
        5⤵
        
        PID:5008
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1584 --field-trial-handle=1796,i,4751714985031214196,4923892377917868135,131072 /prefetch:2
        5⤵
        
        PID:500
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1796,i,4751714985031214196,4923892377917868135,131072 /prefetch:8
        5⤵
        
        PID:3656
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2192 --field-trial-handle=1796,i,4751714985031214196,4923892377917868135,131072 /prefetch:8
        5⤵
        
        PID:3252
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2936 --field-trial-handle=1796,i,4751714985031214196,4923892377917868135,131072 /prefetch:1
        5⤵
        
        PID:72
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2944 --field-trial-handle=1796,i,4751714985031214196,4923892377917868135,131072 /prefetch:1
        5⤵
        
        PID:3244
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4216 --field-trial-handle=1796,i,4751714985031214196,4923892377917868135,131072 /prefetch:1
        5⤵
        
        PID:3792
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4528 --field-trial-handle=1796,i,4751714985031214196,4923892377917868135,131072 /prefetch:8
        5⤵
        
        PID:1188
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4636 --field-trial-handle=1796,i,4751714985031214196,4923892377917868135,131072 /prefetch:8
        5⤵
        
        PID:3548
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3192 --field-trial-handle=1796,i,4751714985031214196,4923892377917868135,131072 /prefetch:8
        5⤵
        
        PID:436
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1464 --field-trial-handle=1796,i,4751714985031214196,4923892377917868135,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1960

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3132

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3456

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2944

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
ba29f60e7e16fa9bb4452813d790c178

SHA1
0edd10f761c953c299e5c7a9d0b72adbec983c5b

SHA256
eea4f18672b4a618a965d37bd6114203f1baabde1d47ca004eecec867602a90c

SHA512
91e60c62ceef4776c197b339e0c2e43cbf7e91d27106ff1a4706b625c680585d200e4dbd9990c252b59818cb73f74e91059f19c968572cb03b8f47cf87bd5105

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
7cb0fb907129ea14b6837cedac985032

SHA1
d04219eaa8053f9dc97383cf9009248799ebd213

SHA256
412435025a6cfeb010bbf5f67a563b862ca683da8126d586ced9a1b24ba2b07a

SHA512
b719ea70acdac13cf7f6fe6d41a6a88c268213c298882d90707611e3992c1e6551b2b6862aba023756a30e42eb264167266fa9e41e2e808442649a11e2b6139b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
eb7516766407511abef0439716184545

SHA1
f6c77f5e6c1d8e5f153a220152338e41dc86d817

SHA256
abc057cdefa8a8ed3e06ca4fafaa15266aad69d3b9dbea6994b1f108b4d9b340

SHA512
d3145b62917271ff7c2b407686a70020ed52f029edfef0d0ec09eb1ff8d357c90a467a027fe22b501cea1744e28a27411f3f246d83d20e3ad00f25da17cefb94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
27d274b757270c2c9f8177e3f199d2b3

SHA1
ed365b14165a4bf245ca53b297aa4f52e8aab9be

SHA256
08ebdd09aa7227ff5cd626a8db04a16e89d22143c2ea25ecdd76f769c24a5caa

SHA512
577e71d1af9d79a9b41a23ed97394571fd854f8ad901a623c0b931e3e79a1424812153ffb2112afd501e025c24a5fb572998ca4349330d38badd8ea9841cc723

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
41f5628bca7154bd0c78ae6498ab593e

SHA1
761e1ccb808843735903e0a1da2e0009e3642894

SHA256
c429ddac90fb1acf06af3c6d534c1db123f1adbc007eef22965b4e5cb747c262

SHA512
0db8edbb314eeaec5094b9dc78a0d4e2405a4295e0d36a00bf116e954a05fb89977922c5c80e1e5014d894871a17e973ee28742a04e40f4f69a52a14b03f5e3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
c0f399e47dfcf704a3ef0f4b6473573a

SHA1
141e954b86ca40fd07e3c0a6e4a6c895b0c5ef22

SHA256
7ae623a7e24b14d876447e34db9e45925f3b314fa2651cd08b731b4b72ac6a53

SHA512
ebf7ead77ca5fce99288539de877e78a451259adec7799864127ed08bc807e6d69a33974c3f36a3c8f8828c4a6a143a12b332d48a6668a8ca27a578d470e1aea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
279KB

MD5
ee952f6520b9c762fec3c0f8859f5d88

SHA1
dd41d49eb373287d141a32c1fce378f309c3efef

SHA256
b9529a3334336c55d7e3f8f263826f89f22edd7d75600165c9febce6b851b471

SHA512
7c92de3c3f2043e3def9306fb0150747d5b5e771ce825242675ccfddcc0b9126ae652e489fd3434019902c56adb2a146867d3a513555059fd7effb127274c941

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\7b8ceacbb2.exe

Filesize
2.3MB

MD5
9437d6cf2745f8683c3aa908e01b03cf

SHA1
4b954d00882c8249d11b61440976b2993ae4738a

SHA256
d3d0eeab1a06460ed303b065248db53d47bfd5c253324b0d2f9efcc2dc700a47

SHA512
8f8ef99107b126d82d5545ed8108fd1ecb6c3b743134766a1c213ee0667cadd1f0f0add0a3f2b111d990e45cd2a10480eb2dd44276cc4956f3dbaa5ea46f2f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\35289505b6.exe

Filesize
2.3MB

MD5
dcb3d1659acf1a5054d5df5caa2a4442

SHA1
141bb9c4aa3af73775dd2f7d7681d5b2143ca75a

SHA256
49d158cb38566cf0663b80dea0200c7747287a3a68236af79488f694ed7dcf42

SHA512
50f005fa1738acb196e9766b62f3a7649bfeb182eba6444deeb188dd62936017adbb3e72b8671c8bb84dfabf61f178a653310483390e1df6364db5f300012814

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
b14a74c894dfb0897344d10e4bb61d00

SHA1
bd307d455e5ed81e10b32f96fac126172c575fe9

SHA256
16ab3331711e8e05015b68232520d7a037e0d0069d0181d1d4dde9ac81aa7744

SHA512
a352f1e45e4442208cf7a559320d0e8000b41bfe8b84327c836e151507566fda53a279b310c485b10571f84f0108409f8495bd19dd1170cc84648f99352cf873

Download Submit
memory/724-148-0x0000000000EF0000-0x0000000001459000-memory.dmp

Filesize
5.4MB

Download
memory/724-60-0x0000000000EF0000-0x0000000001459000-memory.dmp

Filesize
5.4MB

Download
memory/724-155-0x0000000000EF0000-0x0000000001459000-memory.dmp

Filesize
5.4MB

Download
memory/724-118-0x0000000000EF0000-0x0000000001459000-memory.dmp

Filesize
5.4MB

Download
memory/1124-2-0x0000000000351000-0x000000000037F000-memory.dmp

Filesize
184KB

Download
memory/1124-0-0x0000000000350000-0x0000000000818000-memory.dmp

Filesize
4.8MB

Download
memory/1124-1-0x00000000775D6000-0x00000000775D8000-memory.dmp

Filesize
8KB

Download
memory/1124-5-0x0000000000350000-0x0000000000818000-memory.dmp

Filesize
4.8MB

Download
memory/1124-3-0x0000000000350000-0x0000000000818000-memory.dmp

Filesize
4.8MB

Download
memory/1124-17-0x0000000000350000-0x0000000000818000-memory.dmp

Filesize
4.8MB

Download
memory/1936-203-0x0000000000F00000-0x00000000013C8000-memory.dmp

Filesize
4.8MB

Download
memory/1936-209-0x0000000000F00000-0x00000000013C8000-memory.dmp

Filesize
4.8MB

Download
memory/2672-192-0x0000000000F00000-0x00000000013C8000-memory.dmp

Filesize
4.8MB

Download
memory/2672-20-0x0000000000F00000-0x00000000013C8000-memory.dmp

Filesize
4.8MB

Download
memory/2672-221-0x0000000000F00000-0x00000000013C8000-memory.dmp

Filesize
4.8MB

Download
memory/2672-137-0x0000000000F00000-0x00000000013C8000-memory.dmp

Filesize
4.8MB

Download
memory/2672-116-0x0000000000F00000-0x00000000013C8000-memory.dmp

Filesize
4.8MB

Download
memory/2672-145-0x0000000000F00000-0x00000000013C8000-memory.dmp

Filesize
4.8MB

Download
memory/2672-18-0x0000000000F00000-0x00000000013C8000-memory.dmp

Filesize
4.8MB

Download
memory/2672-210-0x0000000000F00000-0x00000000013C8000-memory.dmp

Filesize
4.8MB

Download
memory/2672-115-0x0000000000F00000-0x00000000013C8000-memory.dmp

Filesize
4.8MB

Download
memory/2672-19-0x0000000000F01000-0x0000000000F2F000-memory.dmp

Filesize
184KB

Download
memory/2672-154-0x0000000000F00000-0x00000000013C8000-memory.dmp

Filesize
4.8MB

Download
memory/2672-176-0x0000000000F00000-0x00000000013C8000-memory.dmp

Filesize
4.8MB

Download
memory/2672-200-0x0000000000F00000-0x00000000013C8000-memory.dmp

Filesize
4.8MB

Download
memory/2672-157-0x0000000000F00000-0x00000000013C8000-memory.dmp

Filesize
4.8MB

Download
memory/2672-119-0x0000000000F00000-0x00000000013C8000-memory.dmp

Filesize
4.8MB

Download
memory/2672-168-0x0000000000F00000-0x00000000013C8000-memory.dmp

Filesize
4.8MB

Download
memory/2672-198-0x0000000000F00000-0x00000000013C8000-memory.dmp

Filesize
4.8MB

Download
memory/2672-170-0x0000000000F00000-0x00000000013C8000-memory.dmp

Filesize
4.8MB

Download
memory/2672-196-0x0000000000F00000-0x00000000013C8000-memory.dmp

Filesize
4.8MB

Download
memory/2672-194-0x0000000000F00000-0x00000000013C8000-memory.dmp

Filesize
4.8MB

Download
memory/2672-21-0x0000000000F00000-0x00000000013C8000-memory.dmp

Filesize
4.8MB

Download
memory/2724-199-0x0000000000320000-0x0000000000910000-memory.dmp

Filesize
5.9MB

Download
memory/2724-171-0x0000000000320000-0x0000000000910000-memory.dmp

Filesize
5.9MB

Download
memory/2724-42-0x0000000000320000-0x0000000000910000-memory.dmp

Filesize
5.9MB

Download
memory/2724-222-0x0000000000320000-0x0000000000910000-memory.dmp

Filesize
5.9MB

Download
memory/2724-193-0x0000000000320000-0x0000000000910000-memory.dmp

Filesize
5.9MB

Download
memory/2724-177-0x0000000000320000-0x0000000000910000-memory.dmp

Filesize
5.9MB

Download
memory/2724-195-0x0000000000320000-0x0000000000910000-memory.dmp

Filesize
5.9MB

Download
memory/2724-211-0x0000000000320000-0x0000000000910000-memory.dmp

Filesize
5.9MB

Download
memory/2724-197-0x0000000000320000-0x0000000000910000-memory.dmp

Filesize
5.9MB

Download
memory/2724-169-0x0000000000320000-0x0000000000910000-memory.dmp

Filesize
5.9MB

Download
memory/2724-158-0x0000000000320000-0x0000000000910000-memory.dmp

Filesize
5.9MB

Download
memory/2724-156-0x0000000000320000-0x0000000000910000-memory.dmp

Filesize
5.9MB

Download
memory/2724-201-0x0000000000320000-0x0000000000910000-memory.dmp

Filesize
5.9MB

Download
memory/2724-117-0x0000000000320000-0x0000000000910000-memory.dmp

Filesize
5.9MB

Download
memory/2724-146-0x0000000000320000-0x0000000000910000-memory.dmp

Filesize
5.9MB

Download
memory/2724-147-0x0000000000320000-0x0000000000910000-memory.dmp

Filesize
5.9MB

Download
memory/2944-174-0x0000000000F00000-0x00000000013C8000-memory.dmp

Filesize
4.8MB

Download
memory/2944-175-0x0000000000F00000-0x00000000013C8000-memory.dmp

Filesize
4.8MB

Download
memory/3132-73-0x0000000000F00000-0x00000000013C8000-memory.dmp

Filesize
4.8MB

Download
memory/3132-62-0x0000000000F00000-0x00000000013C8000-memory.dmp

Filesize
4.8MB

Download