amadey | 4f917ff958ef9afa370708922521529f0e65c55adc70957bb4a6c675de8889b7

Analysis

max time kernel
149s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
23-06-2024 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f917ff958ef9afa370708922521529f0e65c55adc70957bb4a6c675de8889b7.exe
Size

1.8MB
MD5

04e82462bcf075c265b35ca3c07ada60
SHA1

b8a06a90dc68a6bd8fe248ba36ddda9caa376b02
SHA256

4f917ff958ef9afa370708922521529f0e65c55adc70957bb4a6c675de8889b7
SHA512

5c4c7d00e3e80b68693b930f08531e25701f3befd1cc2287bd474edc5807cafc7ac9db6ad628f96356767edd896b329513deb1bca6c540e0c4729fb5225d1de6
SSDEEP

49152:ITPNMCmhUs1QKLPqydSmy7dam9XLDOc27evOXeAr4k97L2:ITPNMhh1D/KDZ6+Sf

Score

10^/10

amadey risepro 0e6740 evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

risepro

77.91.77.66:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4f917ff958ef9afa370708922521529f0e65c55adc70957bb4a6c675de8889b7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	85c89d948a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0d6eacf2e0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	85c89d948a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0d6eacf2e0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0d6eacf2e0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4f917ff958ef9afa370708922521529f0e65c55adc70957bb4a6c675de8889b7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4f917ff958ef9afa370708922521529f0e65c55adc70957bb4a6c675de8889b7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	85c89d948a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe

Executes dropped EXE 5 IoCs

pid	Process
4384	explortu.exe
4324	85c89d948a.exe
5056	0d6eacf2e0.exe
236	explortu.exe
5052	explortu.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	4f917ff958ef9afa370708922521529f0e65c55adc70957bb4a6c675de8889b7.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	85c89d948a.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	0d6eacf2e0.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	explortu.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Run\85c89d948a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\85c89d948a.exe"	explortu.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/5056-116-0x0000000000980000-0x0000000000EE4000-memory.dmp	autoit_exe
behavioral2/memory/5056-144-0x0000000000980000-0x0000000000EE4000-memory.dmp	autoit_exe
behavioral2/memory/5056-151-0x0000000000980000-0x0000000000EE4000-memory.dmp	autoit_exe
behavioral2/memory/5056-152-0x0000000000980000-0x0000000000EE4000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
1548	4f917ff958ef9afa370708922521529f0e65c55adc70957bb4a6c675de8889b7.exe
4384	explortu.exe
4324	85c89d948a.exe
5056	0d6eacf2e0.exe
236	explortu.exe
5052	explortu.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	4f917ff958ef9afa370708922521529f0e65c55adc70957bb4a6c675de8889b7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133636464234227668"	chrome.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1548	4f917ff958ef9afa370708922521529f0e65c55adc70957bb4a6c675de8889b7.exe
1548	4f917ff958ef9afa370708922521529f0e65c55adc70957bb4a6c675de8889b7.exe
4384	explortu.exe
4384	explortu.exe
4324	85c89d948a.exe
4324	85c89d948a.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
3764	chrome.exe
3764	chrome.exe
236	explortu.exe
236	explortu.exe
5052	explortu.exe
5052	explortu.exe
4916	chrome.exe
4916	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1548	4f917ff958ef9afa370708922521529f0e65c55adc70957bb4a6c675de8889b7.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
3764	chrome.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe
5056	0d6eacf2e0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 4384	1548	4f917ff958ef9afa370708922521529f0e65c55adc70957bb4a6c675de8889b7.exe	81
PID 1548 wrote to memory of 4384	1548	4f917ff958ef9afa370708922521529f0e65c55adc70957bb4a6c675de8889b7.exe	81
PID 1548 wrote to memory of 4384	1548	4f917ff958ef9afa370708922521529f0e65c55adc70957bb4a6c675de8889b7.exe	81
PID 4384 wrote to memory of 72	4384	explortu.exe	82
PID 4384 wrote to memory of 72	4384	explortu.exe	82
PID 4384 wrote to memory of 72	4384	explortu.exe	82
PID 4384 wrote to memory of 4324	4384	explortu.exe	83
PID 4384 wrote to memory of 4324	4384	explortu.exe	83
PID 4384 wrote to memory of 4324	4384	explortu.exe	83
PID 4384 wrote to memory of 5056	4384	explortu.exe	84
PID 4384 wrote to memory of 5056	4384	explortu.exe	84
PID 4384 wrote to memory of 5056	4384	explortu.exe	84
PID 5056 wrote to memory of 3764	5056	0d6eacf2e0.exe	85
PID 5056 wrote to memory of 3764	5056	0d6eacf2e0.exe	85
PID 3764 wrote to memory of 1312	3764	chrome.exe	88
PID 3764 wrote to memory of 1312	3764	chrome.exe	88
PID 3764 wrote to memory of 2440	3764	chrome.exe	89
PID 3764 wrote to memory of 2440	3764	chrome.exe	89
PID 3764 wrote to memory of 2440	3764	chrome.exe	89
PID 3764 wrote to memory of 2440	3764	chrome.exe	89
PID 3764 wrote to memory of 2440	3764	chrome.exe	89
PID 3764 wrote to memory of 2440	3764	chrome.exe	89
PID 3764 wrote to memory of 2440	3764	chrome.exe	89
PID 3764 wrote to memory of 2440	3764	chrome.exe	89
PID 3764 wrote to memory of 2440	3764	chrome.exe	89
PID 3764 wrote to memory of 2440	3764	chrome.exe	89
PID 3764 wrote to memory of 2440	3764	chrome.exe	89
PID 3764 wrote to memory of 2440	3764	chrome.exe	89
PID 3764 wrote to memory of 2440	3764	chrome.exe	89
PID 3764 wrote to memory of 2440	3764	chrome.exe	89
PID 3764 wrote to memory of 2440	3764	chrome.exe	89
PID 3764 wrote to memory of 2440	3764	chrome.exe	89
PID 3764 wrote to memory of 2440	3764	chrome.exe	89
PID 3764 wrote to memory of 2440	3764	chrome.exe	89
PID 3764 wrote to memory of 2440	3764	chrome.exe	89
PID 3764 wrote to memory of 2440	3764	chrome.exe	89
PID 3764 wrote to memory of 2440	3764	chrome.exe	89
PID 3764 wrote to memory of 2440	3764	chrome.exe	89
PID 3764 wrote to memory of 2440	3764	chrome.exe	89
PID 3764 wrote to memory of 2440	3764	chrome.exe	89
PID 3764 wrote to memory of 2440	3764	chrome.exe	89
PID 3764 wrote to memory of 2440	3764	chrome.exe	89
PID 3764 wrote to memory of 2440	3764	chrome.exe	89
PID 3764 wrote to memory of 2440	3764	chrome.exe	89
PID 3764 wrote to memory of 2440	3764	chrome.exe	89
PID 3764 wrote to memory of 2440	3764	chrome.exe	89
PID 3764 wrote to memory of 2440	3764	chrome.exe	89
PID 3764 wrote to memory of 3432	3764	chrome.exe	90
PID 3764 wrote to memory of 3432	3764	chrome.exe	90
PID 3764 wrote to memory of 3128	3764	chrome.exe	91
PID 3764 wrote to memory of 3128	3764	chrome.exe	91
PID 3764 wrote to memory of 3128	3764	chrome.exe	91
PID 3764 wrote to memory of 3128	3764	chrome.exe	91
PID 3764 wrote to memory of 3128	3764	chrome.exe	91
PID 3764 wrote to memory of 3128	3764	chrome.exe	91
PID 3764 wrote to memory of 3128	3764	chrome.exe	91
PID 3764 wrote to memory of 3128	3764	chrome.exe	91
PID 3764 wrote to memory of 3128	3764	chrome.exe	91
PID 3764 wrote to memory of 3128	3764	chrome.exe	91
PID 3764 wrote to memory of 3128	3764	chrome.exe	91
PID 3764 wrote to memory of 3128	3764	chrome.exe	91
PID 3764 wrote to memory of 3128	3764	chrome.exe	91
PID 3764 wrote to memory of 3128	3764	chrome.exe	91
PID 3764 wrote to memory of 3128	3764	chrome.exe	91

C:\Users\Admin\AppData\Local\Temp\4f917ff958ef9afa370708922521529f0e65c55adc70957bb4a6c675de8889b7.exe
"C:\Users\Admin\AppData\Local\Temp\4f917ff958ef9afa370708922521529f0e65c55adc70957bb4a6c675de8889b7.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:72
- - C:\Users\Admin\AppData\Local\Temp\1000016001\85c89d948a.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\85c89d948a.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:4324
- - C:\Users\Admin\AppData\Local\Temp\1000017001\0d6eacf2e0.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\0d6eacf2e0.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:5056
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3764
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffeef9dab58,0x7ffeef9dab68,0x7ffeef9dab78
        5⤵
        
        PID:1312
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1532 --field-trial-handle=1816,i,7744919839718178325,17303038350878133257,131072 /prefetch:2
        5⤵
        
        PID:2440
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1904 --field-trial-handle=1816,i,7744919839718178325,17303038350878133257,131072 /prefetch:8
        5⤵
        
        PID:3432
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2152 --field-trial-handle=1816,i,7744919839718178325,17303038350878133257,131072 /prefetch:8
        5⤵
        
        PID:3128
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3024 --field-trial-handle=1816,i,7744919839718178325,17303038350878133257,131072 /prefetch:1
        5⤵
        
        PID:1420
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1816,i,7744919839718178325,17303038350878133257,131072 /prefetch:1
        5⤵
        
        PID:2820
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4176 --field-trial-handle=1816,i,7744919839718178325,17303038350878133257,131072 /prefetch:1
        5⤵
        
        PID:2340
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4376 --field-trial-handle=1816,i,7744919839718178325,17303038350878133257,131072 /prefetch:8
        5⤵
        
        PID:1668
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4488 --field-trial-handle=1816,i,7744919839718178325,17303038350878133257,131072 /prefetch:8
        5⤵
        
        PID:4904
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 --field-trial-handle=1816,i,7744919839718178325,17303038350878133257,131072 /prefetch:8
        5⤵
        
        PID:2476
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 --field-trial-handle=1816,i,7744919839718178325,17303038350878133257,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4916

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1888

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:236

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
6f4c593a1a9eab605cf2a812085766d4

SHA1
096bd0d25cfb0d0c3a6d7439d48a8d293ce624dd

SHA256
6e297ffb98f64f50264a93104c0c93a8b3c1d4694fb725867e630a511fd73e2e

SHA512
a217816377018db3f0f7dbe6bba265998c993dfccfd8bd600a63faeb4ec6c1cb1b75eacd5328e8e84a0b48b4bd653cced30f40010dc441208bfb9020fca8c2e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
e21e5780e63b11c487f2259b41dd73c6

SHA1
ed042ba18005756767695779422ea513da4b6d7a

SHA256
052a18285c26b65404ec6eaeef2ead8eaf59e275101a55c777c894f946d7da30

SHA512
9d69d0d5eb306a26ba165b3a5392c68da1e9ad3d7c1df99a253bcdb5b8fce95bd4cda969737bbccc6f3b6282d64344c375382204339d521973729b3326e29779

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
0594d8ba4f4b2d47bd96ce2d63ff6660

SHA1
829b0b5814c65f021d71b5a00503b799bf9cfead

SHA256
f2e50a1abb859407f7e9778e4e03094ab21cd814623d074fc71e5ca5e3128936

SHA512
28318fdf572df4cf9d64eedcfd7b029c71ceb535ac405c3e1faedd4066f467221e81b3a87f2d8378f1a7d4d8732c4989cc6403cd72cd8deb05142e2895ce0ae2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
988378ef4c59e25c549b842ce1d2800b

SHA1
3c4f03048ff0bafff2602c20a86f35c1f1d72a47

SHA256
35680650f8e4318cae40282d22670a65e8eb38839e7e5afe37ac8c2a9c94a993

SHA512
4534b0ec9908df890591880394094a0cad5aa8dff7a9922c6baad8e1571ae182035b12ddf6c05b411523781c44f64e50c31b5a7a4a2b3dee33d9de32baecba95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ba939eeea6db7e7c342d064fa03f5c46

SHA1
c9fa364c9a856d986782db0312b191d6f1b9b5a1

SHA256
ab9fba7af4eeb0902d000f13b53f62cdbc6b599d181e5e055e6b21e51be7eaa9

SHA512
565f1c6ad2a50c94d030f26b3d5ed2ff997b1a157e6c85edd07e83b45257a0a5458edf76a3dfe83238cee43b72ea6765e962d17addfea876491e7e6e0a810db8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
f8f1b14e3aefbd0651eda393d1237710

SHA1
e4204880a0c4ec80a8644a2ff0ec43c1c95a223a

SHA256
7780ed0c85d71a0ddf77d0212431aed68924aecfb720fd73620578eeb10289ed

SHA512
16814bb9c22d5f0ebb88bc5e3068b69a36f11abb7805d0d7646cf174392571b0633e6e03f0fe10238d52a90e458d4be5516a8ef8a4e51df956a3058b42cb9ddb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
279KB

MD5
9efed686e892f631fd6ea21ceae1501f

SHA1
bc8fd8246a3a81780bab00eb349ad5bb9dc6077f

SHA256
fe45cd5acc66bbd0d8712d2c451c4ca55a8a8f73f42a55d30dc4d5a5c2ce1b24

SHA512
14997a0ac6fbd05eee1905ae99805bd398180ed48e335626c306961db353b8feb780b257900d498e4bc89ce18e99be4c3bce2684fb0bcc6a826603a6eb68e231

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\85c89d948a.exe

Filesize
2.4MB

MD5
c513d96fc036f419e607f74248138aa5

SHA1
9ea95ca3b68937483cd23373c72a96a4265017ed

SHA256
5657e2064ec6bd2844d0c09af99a7508c0ebdacf6900ca49f047c60796b71815

SHA512
8129d8fa13e6bd9c07d9ac2ed9f9f8369faf4ab747c55921dd97cdfba8f6ebdae85e67926cf609060df2d659274107c3a66e0a7c3a2d6e4ba6c925bf338d43c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\0d6eacf2e0.exe

Filesize
2.3MB

MD5
ee233f983e752c52112978b4a4f2986b

SHA1
a6151aae92844f69b9041dd0de817b5629f29564

SHA256
49f59bcba87b8a266e49bf451eeec7fdaedcc39ab94c5b7444b6c7709cc13a0d

SHA512
c5cd24989fe491add50d8c253a495e46b5529cca5c044db345c38730d9b68b9073200412761eb15873159e2ef752f9dee1e0aefc023ce33320a072a9d4e316ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
04e82462bcf075c265b35ca3c07ada60

SHA1
b8a06a90dc68a6bd8fe248ba36ddda9caa376b02

SHA256
4f917ff958ef9afa370708922521529f0e65c55adc70957bb4a6c675de8889b7

SHA512
5c4c7d00e3e80b68693b930f08531e25701f3befd1cc2287bd474edc5807cafc7ac9db6ad628f96356767edd896b329513deb1bca6c540e0c4729fb5225d1de6

Download Submit
memory/236-166-0x0000000000280000-0x0000000000752000-memory.dmp

Filesize
4.8MB

Download
memory/236-167-0x0000000000280000-0x0000000000752000-memory.dmp

Filesize
4.8MB

Download
memory/1548-0-0x0000000000F30000-0x0000000001402000-memory.dmp

Filesize
4.8MB

Download
memory/1548-17-0x0000000000F30000-0x0000000001402000-memory.dmp

Filesize
4.8MB

Download
memory/1548-5-0x0000000000F30000-0x0000000001402000-memory.dmp

Filesize
4.8MB

Download
memory/1548-3-0x0000000000F30000-0x0000000001402000-memory.dmp

Filesize
4.8MB

Download
memory/1548-2-0x0000000000F31000-0x0000000000F5F000-memory.dmp

Filesize
184KB

Download
memory/1548-1-0x0000000077E96000-0x0000000077E98000-memory.dmp

Filesize
8KB

Download
memory/4324-190-0x0000000000E20000-0x0000000001440000-memory.dmp

Filesize
6.1MB

Download
memory/4324-155-0x0000000000E20000-0x0000000001440000-memory.dmp

Filesize
6.1MB

Download
memory/4324-115-0x0000000000E20000-0x0000000001440000-memory.dmp

Filesize
6.1MB

Download
memory/4324-220-0x0000000000E20000-0x0000000001440000-memory.dmp

Filesize
6.1MB

Download
memory/4324-209-0x0000000000E20000-0x0000000001440000-memory.dmp

Filesize
6.1MB

Download
memory/4324-201-0x0000000000E20000-0x0000000001440000-memory.dmp

Filesize
6.1MB

Download
memory/4324-199-0x0000000000E20000-0x0000000001440000-memory.dmp

Filesize
6.1MB

Download
memory/4324-143-0x0000000000E20000-0x0000000001440000-memory.dmp

Filesize
6.1MB

Download
memory/4324-194-0x0000000000E20000-0x0000000001440000-memory.dmp

Filesize
6.1MB

Download
memory/4324-192-0x0000000000E20000-0x0000000001440000-memory.dmp

Filesize
6.1MB

Download
memory/4324-174-0x0000000000E20000-0x0000000001440000-memory.dmp

Filesize
6.1MB

Download
memory/4324-171-0x0000000000E20000-0x0000000001440000-memory.dmp

Filesize
6.1MB

Download
memory/4324-169-0x0000000000E20000-0x0000000001440000-memory.dmp

Filesize
6.1MB

Download
memory/4324-153-0x0000000000E20000-0x0000000001440000-memory.dmp

Filesize
6.1MB

Download
memory/4324-42-0x0000000000E20000-0x0000000001440000-memory.dmp

Filesize
6.1MB

Download
memory/4384-196-0x0000000000280000-0x0000000000752000-memory.dmp

Filesize
4.8MB

Download
memory/4384-107-0x0000000000280000-0x0000000000752000-memory.dmp

Filesize
4.8MB

Download
memory/4384-21-0x0000000000280000-0x0000000000752000-memory.dmp

Filesize
4.8MB

Download
memory/4384-168-0x0000000000280000-0x0000000000752000-memory.dmp

Filesize
4.8MB

Download
memory/4384-114-0x0000000000280000-0x0000000000752000-memory.dmp

Filesize
4.8MB

Download
memory/4384-170-0x0000000000280000-0x0000000000752000-memory.dmp

Filesize
4.8MB

Download
memory/4384-219-0x0000000000280000-0x0000000000752000-memory.dmp

Filesize
4.8MB

Download
memory/4384-173-0x0000000000280000-0x0000000000752000-memory.dmp

Filesize
4.8MB

Download
memory/4384-150-0x0000000000280000-0x0000000000752000-memory.dmp

Filesize
4.8MB

Download
memory/4384-20-0x0000000000280000-0x0000000000752000-memory.dmp

Filesize
4.8MB

Download
memory/4384-189-0x0000000000280000-0x0000000000752000-memory.dmp

Filesize
4.8MB

Download
memory/4384-19-0x0000000000281000-0x00000000002AF000-memory.dmp

Filesize
184KB

Download
memory/4384-191-0x0000000000280000-0x0000000000752000-memory.dmp

Filesize
4.8MB

Download
memory/4384-18-0x0000000000280000-0x0000000000752000-memory.dmp

Filesize
4.8MB

Download
memory/4384-193-0x0000000000280000-0x0000000000752000-memory.dmp

Filesize
4.8MB

Download
memory/4384-132-0x0000000000280000-0x0000000000752000-memory.dmp

Filesize
4.8MB

Download
memory/4384-208-0x0000000000280000-0x0000000000752000-memory.dmp

Filesize
4.8MB

Download
memory/4384-133-0x0000000000280000-0x0000000000752000-memory.dmp

Filesize
4.8MB

Download
memory/4384-200-0x0000000000280000-0x0000000000752000-memory.dmp

Filesize
4.8MB

Download
memory/4384-154-0x0000000000280000-0x0000000000752000-memory.dmp

Filesize
4.8MB

Download
memory/5052-198-0x0000000000280000-0x0000000000752000-memory.dmp

Filesize
4.8MB

Download
memory/5052-197-0x0000000000280000-0x0000000000752000-memory.dmp

Filesize
4.8MB

Download
memory/5056-116-0x0000000000980000-0x0000000000EE4000-memory.dmp

Filesize
5.4MB

Download
memory/5056-144-0x0000000000980000-0x0000000000EE4000-memory.dmp

Filesize
5.4MB

Download
memory/5056-60-0x0000000000980000-0x0000000000EE4000-memory.dmp

Filesize
5.4MB

Download
memory/5056-151-0x0000000000980000-0x0000000000EE4000-memory.dmp

Filesize
5.4MB

Download
memory/5056-152-0x0000000000980000-0x0000000000EE4000-memory.dmp

Filesize
5.4MB

Download