amadey | 412380dcc88eae77ffc9620026afafff13b8f86e737f3082cae1d8bd88a103f4

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
23-06-2024 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

412380dcc88eae77ffc9620026afafff13b8f86e737f3082cae1d8bd88a103f4.exe
Size

1.8MB
MD5

030e11f35942e7c1349fb315294055da
SHA1

cea9a08c8cda1a6d381b15bc50f346cab4d25dcf
SHA256

412380dcc88eae77ffc9620026afafff13b8f86e737f3082cae1d8bd88a103f4
SHA512

5c455916916e45c6ae4152867681c8561e1b4f1157c17e7c4ffc1b86c9f860eff139bf50232c2659bfc31d6c859b933fbdcaa90f0c1acaac3d38de5733efe7dc
SSDEEP

49152:Z/HCBKKjTRSY3JEfYqwW8MtEtHOgUNiIj:ZPOPkkJgN8MtA5UwI

Score

10^/10

amadey risepro 0e6740 evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

risepro

77.91.77.66:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	412380dcc88eae77ffc9620026afafff13b8f86e737f3082cae1d8bd88a103f4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e15fe8e1ba.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d389c2aba7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	412380dcc88eae77ffc9620026afafff13b8f86e737f3082cae1d8bd88a103f4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d389c2aba7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	412380dcc88eae77ffc9620026afafff13b8f86e737f3082cae1d8bd88a103f4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e15fe8e1ba.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e15fe8e1ba.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d389c2aba7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe

Executes dropped EXE 5 IoCs

pid	Process
4500	explortu.exe
4932	e15fe8e1ba.exe
3436	d389c2aba7.exe
4700	explortu.exe
3316	explortu.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	412380dcc88eae77ffc9620026afafff13b8f86e737f3082cae1d8bd88a103f4.exe
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	e15fe8e1ba.exe
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	d389c2aba7.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Windows\CurrentVersion\Run\e15fe8e1ba.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\e15fe8e1ba.exe"	explortu.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3436-116-0x0000000000F90000-0x00000000014F3000-memory.dmp	autoit_exe
behavioral2/memory/3436-150-0x0000000000F90000-0x00000000014F3000-memory.dmp	autoit_exe
behavioral2/memory/3436-156-0x0000000000F90000-0x00000000014F3000-memory.dmp	autoit_exe
behavioral2/memory/3436-157-0x0000000000F90000-0x00000000014F3000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
4184	412380dcc88eae77ffc9620026afafff13b8f86e737f3082cae1d8bd88a103f4.exe
4500	explortu.exe
4932	e15fe8e1ba.exe
3436	d389c2aba7.exe
4700	explortu.exe
3316	explortu.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	412380dcc88eae77ffc9620026afafff13b8f86e737f3082cae1d8bd88a103f4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133636386278340070"	chrome.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4184	412380dcc88eae77ffc9620026afafff13b8f86e737f3082cae1d8bd88a103f4.exe
4184	412380dcc88eae77ffc9620026afafff13b8f86e737f3082cae1d8bd88a103f4.exe
4500	explortu.exe
4500	explortu.exe
4932	e15fe8e1ba.exe
4932	e15fe8e1ba.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
2132	chrome.exe
2132	chrome.exe
4700	explortu.exe
4700	explortu.exe
3316	explortu.exe
3316	explortu.exe
4364	chrome.exe
4364	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeCreatePagefilePrivilege	2132	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
3436	d389c2aba7.exe
3436	d389c2aba7.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
2132	chrome.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3436	d389c2aba7.exe
3436	d389c2aba7.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe
3436	d389c2aba7.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4184 wrote to memory of 4500	4184	412380dcc88eae77ffc9620026afafff13b8f86e737f3082cae1d8bd88a103f4.exe	81
PID 4184 wrote to memory of 4500	4184	412380dcc88eae77ffc9620026afafff13b8f86e737f3082cae1d8bd88a103f4.exe	81
PID 4184 wrote to memory of 4500	4184	412380dcc88eae77ffc9620026afafff13b8f86e737f3082cae1d8bd88a103f4.exe	81
PID 4500 wrote to memory of 1640	4500	explortu.exe	82
PID 4500 wrote to memory of 1640	4500	explortu.exe	82
PID 4500 wrote to memory of 1640	4500	explortu.exe	82
PID 4500 wrote to memory of 4932	4500	explortu.exe	83
PID 4500 wrote to memory of 4932	4500	explortu.exe	83
PID 4500 wrote to memory of 4932	4500	explortu.exe	83
PID 4500 wrote to memory of 3436	4500	explortu.exe	84
PID 4500 wrote to memory of 3436	4500	explortu.exe	84
PID 4500 wrote to memory of 3436	4500	explortu.exe	84
PID 3436 wrote to memory of 2132	3436	d389c2aba7.exe	85
PID 3436 wrote to memory of 2132	3436	d389c2aba7.exe	85
PID 2132 wrote to memory of 3780	2132	chrome.exe	88
PID 2132 wrote to memory of 3780	2132	chrome.exe	88
PID 2132 wrote to memory of 1880	2132	chrome.exe	89
PID 2132 wrote to memory of 1880	2132	chrome.exe	89
PID 2132 wrote to memory of 1880	2132	chrome.exe	89
PID 2132 wrote to memory of 1880	2132	chrome.exe	89
PID 2132 wrote to memory of 1880	2132	chrome.exe	89
PID 2132 wrote to memory of 1880	2132	chrome.exe	89
PID 2132 wrote to memory of 1880	2132	chrome.exe	89
PID 2132 wrote to memory of 1880	2132	chrome.exe	89
PID 2132 wrote to memory of 1880	2132	chrome.exe	89
PID 2132 wrote to memory of 1880	2132	chrome.exe	89
PID 2132 wrote to memory of 1880	2132	chrome.exe	89
PID 2132 wrote to memory of 1880	2132	chrome.exe	89
PID 2132 wrote to memory of 1880	2132	chrome.exe	89
PID 2132 wrote to memory of 1880	2132	chrome.exe	89
PID 2132 wrote to memory of 1880	2132	chrome.exe	89
PID 2132 wrote to memory of 1880	2132	chrome.exe	89
PID 2132 wrote to memory of 1880	2132	chrome.exe	89
PID 2132 wrote to memory of 1880	2132	chrome.exe	89
PID 2132 wrote to memory of 1880	2132	chrome.exe	89
PID 2132 wrote to memory of 1880	2132	chrome.exe	89
PID 2132 wrote to memory of 1880	2132	chrome.exe	89
PID 2132 wrote to memory of 1880	2132	chrome.exe	89
PID 2132 wrote to memory of 1880	2132	chrome.exe	89
PID 2132 wrote to memory of 1880	2132	chrome.exe	89
PID 2132 wrote to memory of 1880	2132	chrome.exe	89
PID 2132 wrote to memory of 1880	2132	chrome.exe	89
PID 2132 wrote to memory of 1880	2132	chrome.exe	89
PID 2132 wrote to memory of 1880	2132	chrome.exe	89
PID 2132 wrote to memory of 1880	2132	chrome.exe	89
PID 2132 wrote to memory of 1880	2132	chrome.exe	89
PID 2132 wrote to memory of 1880	2132	chrome.exe	89
PID 2132 wrote to memory of 3340	2132	chrome.exe	90
PID 2132 wrote to memory of 3340	2132	chrome.exe	90
PID 2132 wrote to memory of 3824	2132	chrome.exe	91
PID 2132 wrote to memory of 3824	2132	chrome.exe	91
PID 2132 wrote to memory of 3824	2132	chrome.exe	91
PID 2132 wrote to memory of 3824	2132	chrome.exe	91
PID 2132 wrote to memory of 3824	2132	chrome.exe	91
PID 2132 wrote to memory of 3824	2132	chrome.exe	91
PID 2132 wrote to memory of 3824	2132	chrome.exe	91
PID 2132 wrote to memory of 3824	2132	chrome.exe	91
PID 2132 wrote to memory of 3824	2132	chrome.exe	91
PID 2132 wrote to memory of 3824	2132	chrome.exe	91
PID 2132 wrote to memory of 3824	2132	chrome.exe	91
PID 2132 wrote to memory of 3824	2132	chrome.exe	91
PID 2132 wrote to memory of 3824	2132	chrome.exe	91
PID 2132 wrote to memory of 3824	2132	chrome.exe	91
PID 2132 wrote to memory of 3824	2132	chrome.exe	91

C:\Users\Admin\AppData\Local\Temp\412380dcc88eae77ffc9620026afafff13b8f86e737f3082cae1d8bd88a103f4.exe
"C:\Users\Admin\AppData\Local\Temp\412380dcc88eae77ffc9620026afafff13b8f86e737f3082cae1d8bd88a103f4.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4184
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:1640
- - C:\Users\Admin\AppData\Local\Temp\1000016001\e15fe8e1ba.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\e15fe8e1ba.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:4932
- - C:\Users\Admin\AppData\Local\Temp\1000017001\d389c2aba7.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\d389c2aba7.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3436
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2132
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc697aab58,0x7ffc697aab68,0x7ffc697aab78
        5⤵
        
        PID:3780
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1768,i,18052064785645114774,11537066828139577809,131072 /prefetch:2
        5⤵
        
        PID:1880
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=1768,i,18052064785645114774,11537066828139577809,131072 /prefetch:8
        5⤵
        
        PID:3340
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2116 --field-trial-handle=1768,i,18052064785645114774,11537066828139577809,131072 /prefetch:8
        5⤵
        
        PID:3824
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3016 --field-trial-handle=1768,i,18052064785645114774,11537066828139577809,131072 /prefetch:1
        5⤵
        
        PID:4624
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3032 --field-trial-handle=1768,i,18052064785645114774,11537066828139577809,131072 /prefetch:1
        5⤵
        
        PID:4700
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4168 --field-trial-handle=1768,i,18052064785645114774,11537066828139577809,131072 /prefetch:1
        5⤵
        
        PID:2928
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3224 --field-trial-handle=1768,i,18052064785645114774,11537066828139577809,131072 /prefetch:8
        5⤵
        
        PID:1508
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4436 --field-trial-handle=1768,i,18052064785645114774,11537066828139577809,131072 /prefetch:8
        5⤵
        
        PID:3264
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4640 --field-trial-handle=1768,i,18052064785645114774,11537066828139577809,131072 /prefetch:8
        5⤵
        
        PID:972
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2796 --field-trial-handle=1768,i,18052064785645114774,11537066828139577809,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4364

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4840

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4700

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
676b133910be3ffe7a1e3b53fbd2fb62

SHA1
3743e9480a441975a4b6765e36c8754214ee52a2

SHA256
0e6383178af3cac37d520c457c8726e2b8873c24ed8676eeaff9a7d01906ee69

SHA512
410a363f79946ce4092e5df9dff2dfd0002477a8048ee723031caebbb9b26d4e8625e5c026ceca27216eb6184616d973624354fbce903ae004ba3d7c50675b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
cae422f0e4c0002351d4622ca0f0470f

SHA1
8e86466014b97a9c0a17ef35b1374a12a07f7b5b

SHA256
9aa28646e5ff5f4a5d37184b548e8d0e2031ac5a11d3db2ed56a9f621c41811a

SHA512
8c0ba83ec2397d998ef2f07c865fbd3a35c3cf2fe8754e3a9aa989727d3a54e0db525bfae7662d356aefbcaf443f7cc1fc3e3664704a4b3bdee866a6b2fbe16f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
e1d70d3621799bf1f822f1eb12c2b871

SHA1
b114fb455ee85485f29f3c956eb89ed59d7b62cf

SHA256
1ba8a0ccc4029abe7b6a623946d0ce43f12e600846eee420c3c4ad50863d651c

SHA512
d249eb219b9b41464512b762b8a701871ab9b59e5bdc6ba06cd419edfbfcf4a3a17aec984a4c31f03eacad6455724a097d790644574891e31802fbe0dd9de6e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
92af8471b010b178ebc3191eb25d90ad

SHA1
d71f2641bf6184e5d313973ccb4e550e5d92eceb

SHA256
81b388bbf44a5b7dad1fa4470b0f929e84a2a8ca479832251b8aae25eeec2b1c

SHA512
9ce0a220c6b8f9fc50db1c384d7f72bfaa1875690b08438d9865fd5b90fa94dad45eeb1cd2bad5494a0dbf032b876adf8fc3c38883e4d4684b132e8d165ff3dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
c149bfa3c7b3b533d6eef67712992851

SHA1
74c63326981932ef98373765c770aa53de20c41e

SHA256
fd3432d4236dfa468ba86664a270fe33aed681e901a7599b137a0bfec6fa95df

SHA512
682bea54ed037d9784486d443910183405da7d77aff7867c3321514fec7215a710ff30bdaaa3bc469032dd0d56a8b35c1e6056b9518531e34a02c09bfd80aacf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
4f1b2df87ebafad6832417cc0aa6dd3d

SHA1
57c19efc4d3d2dc5a2b49a39abf21ecf33c281bc

SHA256
4c894a23457aa51073e9676e2d6e1d08837db1ef9c19d7650babbd9fae91dae1

SHA512
523843ae33236dc0d1fef68ad1cfd4aadf900b8e35d834c0d38140d8ea92d20faf51a95697418d1c0ab9a10882795962c93d5702fac13f958c47667732babd6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
8cb29ff3339d39e75f59f330b9556f84

SHA1
e13d13343a3122ecc669d3f7e1c34453c4dafe41

SHA256
511866563c078a5090524d4dfe2e5add275a7fd3632b1cd0aa9ad2906a6114fb

SHA512
92d186d75192d3cca7b7e6b0bc4b4e8aa94ef6fb45d015152fcd52204893877edd06f809e4e19e45fffe14a81e4e25043cccd8d033bab3b394e01828debed100

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
279KB

MD5
0167bb9c62c17f8577d9877b3157d697

SHA1
0c44bee9d8c3bc6fd2deed77e8f169b92adc24db

SHA256
26a0a56f08e36cdc1642d06125299fd9146c57dc108f30d28fd93ade574ed2bd

SHA512
b30f4cd7f767ac891c64b7613c55970d37b5b673cf0ed8fe1e1ac46f3ad2a139cc250db19f5f7864556a580f33858c23debfdfade31f6d87bf6e90da3bfc1f84

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\e15fe8e1ba.exe

Filesize
2.3MB

MD5
a1e471e1320cd4ae2f3cb5187ee4c79c

SHA1
76c74e4a19415ead28db340e4301068af740fb05

SHA256
d0b0bed3bd4c05233ed91e46f3222b6810d6b4a88445fe94ea890911b4cb1f44

SHA512
58708c2e5de5b144645aa69e49b38bdfcb400a36154f4b1eb768936f7c3d21ce800df9e283509d4b4f684a6cf9a161e1736f5cbb39e9a0af77d536a962e9092e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\d389c2aba7.exe

Filesize
2.3MB

MD5
eaf81379378ed62dc34cca057cd9f6a9

SHA1
2757aae3a30c43bcb12422de5b243681578b356c

SHA256
8f750962daabaee179f32777f09fc1c539add0073681c54306addceb8551c302

SHA512
2d27c2948317cdd713902bb39300f1b206760c53e80ab4801b7a178f58513abc83e84fc423af6180617198a6ecc2721c77bd6113f1eb26d4edb60e7b782f4fdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
030e11f35942e7c1349fb315294055da

SHA1
cea9a08c8cda1a6d381b15bc50f346cab4d25dcf

SHA256
412380dcc88eae77ffc9620026afafff13b8f86e737f3082cae1d8bd88a103f4

SHA512
5c455916916e45c6ae4152867681c8561e1b4f1157c17e7c4ffc1b86c9f860eff139bf50232c2659bfc31d6c859b933fbdcaa90f0c1acaac3d38de5733efe7dc

Download Submit
memory/3316-205-0x0000000000570000-0x0000000000A2B000-memory.dmp

Filesize
4.7MB

Download
memory/3316-206-0x0000000000570000-0x0000000000A2B000-memory.dmp

Filesize
4.7MB

Download
memory/3436-157-0x0000000000F90000-0x00000000014F3000-memory.dmp

Filesize
5.4MB

Download
memory/3436-60-0x0000000000F90000-0x00000000014F3000-memory.dmp

Filesize
5.4MB

Download
memory/3436-156-0x0000000000F90000-0x00000000014F3000-memory.dmp

Filesize
5.4MB

Download
memory/3436-150-0x0000000000F90000-0x00000000014F3000-memory.dmp

Filesize
5.4MB

Download
memory/3436-116-0x0000000000F90000-0x00000000014F3000-memory.dmp

Filesize
5.4MB

Download
memory/4184-17-0x0000000000C60000-0x000000000111B000-memory.dmp

Filesize
4.7MB

Download
memory/4184-0-0x0000000000C60000-0x000000000111B000-memory.dmp

Filesize
4.7MB

Download
memory/4184-5-0x0000000000C60000-0x000000000111B000-memory.dmp

Filesize
4.7MB

Download
memory/4184-3-0x0000000000C60000-0x000000000111B000-memory.dmp

Filesize
4.7MB

Download
memory/4184-2-0x0000000000C61000-0x0000000000C8F000-memory.dmp

Filesize
184KB

Download
memory/4184-1-0x0000000077426000-0x0000000077428000-memory.dmp

Filesize
8KB

Download
memory/4500-149-0x0000000000570000-0x0000000000A2B000-memory.dmp

Filesize
4.7MB

Download
memory/4500-19-0x0000000000571000-0x000000000059F000-memory.dmp

Filesize
184KB

Download
memory/4500-227-0x0000000000570000-0x0000000000A2B000-memory.dmp

Filesize
4.7MB

Download
memory/4500-18-0x0000000000570000-0x0000000000A2B000-memory.dmp

Filesize
4.7MB

Download
memory/4500-115-0x0000000000570000-0x0000000000A2B000-memory.dmp

Filesize
4.7MB

Download
memory/4500-114-0x0000000000570000-0x0000000000A2B000-memory.dmp

Filesize
4.7MB

Download
memory/4500-216-0x0000000000570000-0x0000000000A2B000-memory.dmp

Filesize
4.7MB

Download
memory/4500-61-0x0000000000570000-0x0000000000A2B000-memory.dmp

Filesize
4.7MB

Download
memory/4500-209-0x0000000000570000-0x0000000000A2B000-memory.dmp

Filesize
4.7MB

Download
memory/4500-207-0x0000000000570000-0x0000000000A2B000-memory.dmp

Filesize
4.7MB

Download
memory/4500-159-0x0000000000570000-0x0000000000A2B000-memory.dmp

Filesize
4.7MB

Download
memory/4500-117-0x0000000000570000-0x0000000000A2B000-memory.dmp

Filesize
4.7MB

Download
memory/4500-20-0x0000000000570000-0x0000000000A2B000-memory.dmp

Filesize
4.7MB

Download
memory/4500-202-0x0000000000570000-0x0000000000A2B000-memory.dmp

Filesize
4.7MB

Download
memory/4500-164-0x0000000000570000-0x0000000000A2B000-memory.dmp

Filesize
4.7MB

Download
memory/4500-200-0x0000000000570000-0x0000000000A2B000-memory.dmp

Filesize
4.7MB

Download
memory/4500-175-0x0000000000570000-0x0000000000A2B000-memory.dmp

Filesize
4.7MB

Download
memory/4500-21-0x0000000000570000-0x0000000000A2B000-memory.dmp

Filesize
4.7MB

Download
memory/4500-178-0x0000000000570000-0x0000000000A2B000-memory.dmp

Filesize
4.7MB

Download
memory/4500-180-0x0000000000570000-0x0000000000A2B000-memory.dmp

Filesize
4.7MB

Download
memory/4700-163-0x0000000000570000-0x0000000000A2B000-memory.dmp

Filesize
4.7MB

Download
memory/4700-162-0x0000000000570000-0x0000000000A2B000-memory.dmp

Filesize
4.7MB

Download
memory/4932-160-0x0000000000A70000-0x0000000001073000-memory.dmp

Filesize
6.0MB

Download
memory/4932-158-0x0000000000A70000-0x0000000001073000-memory.dmp

Filesize
6.0MB

Download
memory/4932-201-0x0000000000A70000-0x0000000001073000-memory.dmp

Filesize
6.0MB

Download
memory/4932-199-0x0000000000A70000-0x0000000001073000-memory.dmp

Filesize
6.0MB

Download
memory/4932-203-0x0000000000A70000-0x0000000001073000-memory.dmp

Filesize
6.0MB

Download
memory/4932-176-0x0000000000A70000-0x0000000001073000-memory.dmp

Filesize
6.0MB

Download
memory/4932-179-0x0000000000A70000-0x0000000001073000-memory.dmp

Filesize
6.0MB

Download
memory/4932-174-0x0000000000A70000-0x0000000001073000-memory.dmp

Filesize
6.0MB

Download
memory/4932-208-0x0000000000A70000-0x0000000001073000-memory.dmp

Filesize
6.0MB

Download
memory/4932-42-0x0000000000A70000-0x0000000001073000-memory.dmp

Filesize
6.0MB

Download
memory/4932-210-0x0000000000A70000-0x0000000001073000-memory.dmp

Filesize
6.0MB

Download
memory/4932-113-0x0000000000A70000-0x0000000001073000-memory.dmp

Filesize
6.0MB

Download
memory/4932-217-0x0000000000A70000-0x0000000001073000-memory.dmp

Filesize
6.0MB

Download
memory/4932-148-0x0000000000A70000-0x0000000001073000-memory.dmp

Filesize
6.0MB

Download
memory/4932-147-0x0000000000A70000-0x0000000001073000-memory.dmp

Filesize
6.0MB

Download