amadey | e303d2c3cc5b64067ae5b2d5901712f4ea45dfc7cb9b077329934a936ef0b770

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
24-06-2024 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e303d2c3cc5b64067ae5b2d5901712f4ea45dfc7cb9b077329934a936ef0b770.exe
Size

1.8MB
MD5

a2d097eb8d28f2d5c1b1cdbec83220f4
SHA1

3bb1449483a2c97ff759d51059be98c71d1bb6b5
SHA256

e303d2c3cc5b64067ae5b2d5901712f4ea45dfc7cb9b077329934a936ef0b770
SHA512

55faec6aec40afa092cd904ae0ddd361d023a7232b37e4e0d7e5f4ffecebbb166e0d3127add2885cb1650de45d8ac2923e8521361fe7ec9c22434e3ed6f8a0d9
SSDEEP

49152:PLos/o9N1nYGWxojwYiJ+vdUz643UU7DhVxxRBmQN:Toh1nCozvdUzD3ddVPRBmQ

Score

10^/10

amadey risepro 0e6740 evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

risepro

77.91.77.66:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e303d2c3cc5b64067ae5b2d5901712f4ea45dfc7cb9b077329934a936ef0b770.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6aac131985.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	789332b9cc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e303d2c3cc5b64067ae5b2d5901712f4ea45dfc7cb9b077329934a936ef0b770.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	789332b9cc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e303d2c3cc5b64067ae5b2d5901712f4ea45dfc7cb9b077329934a936ef0b770.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6aac131985.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	789332b9cc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6aac131985.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe

Executes dropped EXE 6 IoCs

pid	Process
2668	explortu.exe
2888	6aac131985.exe
3252	789332b9cc.exe
768	explortu.exe
1552	explortu.exe
1944	explortu.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	e303d2c3cc5b64067ae5b2d5901712f4ea45dfc7cb9b077329934a936ef0b770.exe
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	6aac131985.exe
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	789332b9cc.exe
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	explortu.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Windows\CurrentVersion\Run\6aac131985.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\6aac131985.exe"	explortu.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3252-125-0x0000000000160000-0x00000000006A9000-memory.dmp	autoit_exe
behavioral2/memory/3252-154-0x0000000000160000-0x00000000006A9000-memory.dmp	autoit_exe
behavioral2/memory/3252-161-0x0000000000160000-0x00000000006A9000-memory.dmp	autoit_exe
behavioral2/memory/3252-162-0x0000000000160000-0x00000000006A9000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
3116	e303d2c3cc5b64067ae5b2d5901712f4ea45dfc7cb9b077329934a936ef0b770.exe
2668	explortu.exe
2888	6aac131985.exe
3252	789332b9cc.exe
768	explortu.exe
1552	explortu.exe
1944	explortu.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	e303d2c3cc5b64067ae5b2d5901712f4ea45dfc7cb9b077329934a936ef0b770.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133636644633078799"	chrome.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3116	e303d2c3cc5b64067ae5b2d5901712f4ea45dfc7cb9b077329934a936ef0b770.exe
3116	e303d2c3cc5b64067ae5b2d5901712f4ea45dfc7cb9b077329934a936ef0b770.exe
2668	explortu.exe
2668	explortu.exe
2888	6aac131985.exe
2888	6aac131985.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
1548	chrome.exe
1548	chrome.exe
768	explortu.exe
768	explortu.exe
1552	explortu.exe
1552	explortu.exe
3880	chrome.exe
3880	chrome.exe
1944	explortu.exe
1944	explortu.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1548	chrome.exe
1548	chrome.exe
1548	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe
Token: SeShutdownPrivilege	1548	chrome.exe
Token: SeCreatePagefilePrivilege	1548	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
1548	chrome.exe
1548	chrome.exe
1548	chrome.exe
1548	chrome.exe
1548	chrome.exe
1548	chrome.exe
1548	chrome.exe
1548	chrome.exe
1548	chrome.exe
1548	chrome.exe
1548	chrome.exe
1548	chrome.exe
1548	chrome.exe
1548	chrome.exe
1548	chrome.exe
1548	chrome.exe
1548	chrome.exe
1548	chrome.exe
1548	chrome.exe
1548	chrome.exe
1548	chrome.exe
1548	chrome.exe
1548	chrome.exe
1548	chrome.exe
1548	chrome.exe
1548	chrome.exe
3252	789332b9cc.exe
1548	chrome.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
1548	chrome.exe
1548	chrome.exe
1548	chrome.exe
1548	chrome.exe
1548	chrome.exe
1548	chrome.exe
1548	chrome.exe
1548	chrome.exe
1548	chrome.exe
1548	chrome.exe
1548	chrome.exe
1548	chrome.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe
3252	789332b9cc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3116 wrote to memory of 2668	3116	e303d2c3cc5b64067ae5b2d5901712f4ea45dfc7cb9b077329934a936ef0b770.exe	81
PID 3116 wrote to memory of 2668	3116	e303d2c3cc5b64067ae5b2d5901712f4ea45dfc7cb9b077329934a936ef0b770.exe	81
PID 3116 wrote to memory of 2668	3116	e303d2c3cc5b64067ae5b2d5901712f4ea45dfc7cb9b077329934a936ef0b770.exe	81
PID 2668 wrote to memory of 1572	2668	explortu.exe	82
PID 2668 wrote to memory of 1572	2668	explortu.exe	82
PID 2668 wrote to memory of 1572	2668	explortu.exe	82
PID 2668 wrote to memory of 2888	2668	explortu.exe	83
PID 2668 wrote to memory of 2888	2668	explortu.exe	83
PID 2668 wrote to memory of 2888	2668	explortu.exe	83
PID 2668 wrote to memory of 3252	2668	explortu.exe	84
PID 2668 wrote to memory of 3252	2668	explortu.exe	84
PID 2668 wrote to memory of 3252	2668	explortu.exe	84
PID 3252 wrote to memory of 1548	3252	789332b9cc.exe	85
PID 3252 wrote to memory of 1548	3252	789332b9cc.exe	85
PID 1548 wrote to memory of 444	1548	chrome.exe	88
PID 1548 wrote to memory of 444	1548	chrome.exe	88
PID 1548 wrote to memory of 4800	1548	chrome.exe	89
PID 1548 wrote to memory of 4800	1548	chrome.exe	89
PID 1548 wrote to memory of 4800	1548	chrome.exe	89
PID 1548 wrote to memory of 4800	1548	chrome.exe	89
PID 1548 wrote to memory of 4800	1548	chrome.exe	89
PID 1548 wrote to memory of 4800	1548	chrome.exe	89
PID 1548 wrote to memory of 4800	1548	chrome.exe	89
PID 1548 wrote to memory of 4800	1548	chrome.exe	89
PID 1548 wrote to memory of 4800	1548	chrome.exe	89
PID 1548 wrote to memory of 4800	1548	chrome.exe	89
PID 1548 wrote to memory of 4800	1548	chrome.exe	89
PID 1548 wrote to memory of 4800	1548	chrome.exe	89
PID 1548 wrote to memory of 4800	1548	chrome.exe	89
PID 1548 wrote to memory of 4800	1548	chrome.exe	89
PID 1548 wrote to memory of 4800	1548	chrome.exe	89
PID 1548 wrote to memory of 4800	1548	chrome.exe	89
PID 1548 wrote to memory of 4800	1548	chrome.exe	89
PID 1548 wrote to memory of 4800	1548	chrome.exe	89
PID 1548 wrote to memory of 4800	1548	chrome.exe	89
PID 1548 wrote to memory of 4800	1548	chrome.exe	89
PID 1548 wrote to memory of 4800	1548	chrome.exe	89
PID 1548 wrote to memory of 4800	1548	chrome.exe	89
PID 1548 wrote to memory of 4800	1548	chrome.exe	89
PID 1548 wrote to memory of 4800	1548	chrome.exe	89
PID 1548 wrote to memory of 4800	1548	chrome.exe	89
PID 1548 wrote to memory of 4800	1548	chrome.exe	89
PID 1548 wrote to memory of 4800	1548	chrome.exe	89
PID 1548 wrote to memory of 4800	1548	chrome.exe	89
PID 1548 wrote to memory of 4800	1548	chrome.exe	89
PID 1548 wrote to memory of 4800	1548	chrome.exe	89
PID 1548 wrote to memory of 4800	1548	chrome.exe	89
PID 1548 wrote to memory of 1560	1548	chrome.exe	90
PID 1548 wrote to memory of 1560	1548	chrome.exe	90
PID 1548 wrote to memory of 4048	1548	chrome.exe	91
PID 1548 wrote to memory of 4048	1548	chrome.exe	91
PID 1548 wrote to memory of 4048	1548	chrome.exe	91
PID 1548 wrote to memory of 4048	1548	chrome.exe	91
PID 1548 wrote to memory of 4048	1548	chrome.exe	91
PID 1548 wrote to memory of 4048	1548	chrome.exe	91
PID 1548 wrote to memory of 4048	1548	chrome.exe	91
PID 1548 wrote to memory of 4048	1548	chrome.exe	91
PID 1548 wrote to memory of 4048	1548	chrome.exe	91
PID 1548 wrote to memory of 4048	1548	chrome.exe	91
PID 1548 wrote to memory of 4048	1548	chrome.exe	91
PID 1548 wrote to memory of 4048	1548	chrome.exe	91
PID 1548 wrote to memory of 4048	1548	chrome.exe	91
PID 1548 wrote to memory of 4048	1548	chrome.exe	91
PID 1548 wrote to memory of 4048	1548	chrome.exe	91

C:\Users\Admin\AppData\Local\Temp\e303d2c3cc5b64067ae5b2d5901712f4ea45dfc7cb9b077329934a936ef0b770.exe
"C:\Users\Admin\AppData\Local\Temp\e303d2c3cc5b64067ae5b2d5901712f4ea45dfc7cb9b077329934a936ef0b770.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:1572
- - C:\Users\Admin\AppData\Local\Temp\1000016001\6aac131985.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\6aac131985.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:2888
- - C:\Users\Admin\AppData\Local\Temp\1000017001\789332b9cc.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\789332b9cc.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3252
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1548
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ff9d6c5ab58,0x7ff9d6c5ab68,0x7ff9d6c5ab78
        5⤵
        
        PID:444
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1688 --field-trial-handle=1820,i,8908351129674134032,3202950928076164524,131072 /prefetch:2
        5⤵
        
        PID:4800
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1820,i,8908351129674134032,3202950928076164524,131072 /prefetch:8
        5⤵
        
        PID:1560
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2152 --field-trial-handle=1820,i,8908351129674134032,3202950928076164524,131072 /prefetch:8
        5⤵
        
        PID:4048
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2096 --field-trial-handle=1820,i,8908351129674134032,3202950928076164524,131072 /prefetch:1
        5⤵
        
        PID:3868
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3316 --field-trial-handle=1820,i,8908351129674134032,3202950928076164524,131072 /prefetch:1
        5⤵
        
        PID:4472
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4216 --field-trial-handle=1820,i,8908351129674134032,3202950928076164524,131072 /prefetch:1
        5⤵
        
        PID:132
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4500 --field-trial-handle=1820,i,8908351129674134032,3202950928076164524,131072 /prefetch:8
        5⤵
        
        PID:2068
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3332 --field-trial-handle=1820,i,8908351129674134032,3202950928076164524,131072 /prefetch:8
        5⤵
        
        PID:4788
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 --field-trial-handle=1820,i,8908351129674134032,3202950928076164524,131072 /prefetch:8
        5⤵
        
        PID:2304
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2384 --field-trial-handle=1820,i,8908351129674134032,3202950928076164524,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3880

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1692

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:768

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1552

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
cd1265aeff800b034e833dbbb505ded4

SHA1
27c7bc53fc0c80f0a16fab670f93bc8af42d8774

SHA256
d3c2086dfec578c952c88c8a7012b3f4c898c68eccdbdcbbc235427d449b8d3e

SHA512
4a8c6478d80431e91a1dd1cdb4552859e1bda0dfe1e822fa106f4d6d47bdd144256f5e08ca12eaab47960e81a4d295b09d079c9ac86d62b1b2837233aaa349d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
571c82d4ffa08929795ca07d96f28947

SHA1
adb1b1cdf749e9074ccee0adcc80b7617876ce88

SHA256
5149feac261e30c85b10308f525181cdd28986b082b721142463f975fedb7f49

SHA512
f205c8a6f8c73ef685fb362dfdadd8e5df2edd2dff3d854a5f0e67e33e8122bc937ba97cd64f6c92d6eeeba0a3eff6f54926fbc97487e2c6a3210122a93858e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
ffce0d533780707459c174040feaf868

SHA1
3cdd7defa263d74232bd728f09de6f50af348af2

SHA256
a1faa6c683540c76ad3c9b34dc464a145dce544f36458cc281c607e68a253b09

SHA512
eb8ef735a56d4113faf08f8dc2766975546eb87e952607abd2b69d108ab79264dd2ff087753470f3d3b130291e868f4d313c80d27a4c2a46baa1be173ceffec6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
8de54c6c9f837fca92d472c464a36773

SHA1
dc6130e41e7ab9808784c3ed3749248c730b1517

SHA256
417397171664962280f390f2fe173dee59caf6b349de12b49ea688e0d5322c87

SHA512
8bd6b8fe21c5c1d26226a069e8987fa08815e63da5c1c28212e847f36d554bc34b828eb7584039a5e299bb3eb583b385629226d16d8f7888bdc983fdc306f6f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e349e88049d1ea641aff8156e09afb55

SHA1
0a5abe1b45bbf8476aaa52fbd81b040af153c1bc

SHA256
c71a35a867f3d26782c9d7f95fad5b8605c833dcdf600d15e595b7bb8bbe2851

SHA512
fdf1116b4973c38b33c071f241519122d41988e05390dfb22b2e6e125cdd3f9ac8e7802cd019304c601fd6fd6fea5ea76940eb89100b44f0ba88d0419e40da1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
66d1648913acc3177a306252363f826d

SHA1
5cdfd01cc4dd658a33eb0dda2cdd69df819c5b8b

SHA256
741e146756693fb70ad376961c09444361e5b9c7d4943545692884ff8051240c

SHA512
194355058ba871f3e87679c1c0647587120fa1f44ec356d1fe3a849fe38aa1323b1fb210492b7a12daaaf227215a558b940f4febf1ad928dda4f3b3855d9d23e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
279KB

MD5
35343ffdeafff0381feb9bfcaf61ca3a

SHA1
5c8293a5a182fc444b2e8001400b674e1179f658

SHA256
f40d0c8a3ebc187552b0907a1f6b270d19f6dfa134422489ae7850360c2e0b7e

SHA512
f6bcc795532a2fcb3f9a9a8082a2f88e23ee298d9d2c44fbffae4ea53947613eb9240c3fc7b0b515cd7d58a14e85d02ab89685f812da7710f6f47d9e45cc363d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\6aac131985.exe

Filesize
2.3MB

MD5
21a7795d5e104aa467feff97c1101232

SHA1
1e260bed535310421776e546a93b8af866eedbb4

SHA256
7fc8460e46b1f7c4ae95d5a16a296039ef598abec1765d9e4ee9377af7ab8c65

SHA512
3976db87fffc2bad13b2f485ddd8970092a03e17d68336451bfee558b3dded2e2db91c5a47916fef9f0aaa3128f1c2801d024bd0928f10c8d4a2bd939855cc31

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\789332b9cc.exe

Filesize
2.2MB

MD5
783d2e1bd21598ace9f11de6a48a87a5

SHA1
ebc95ad120a60fa2008336f92c9d4176a4129e89

SHA256
e8e886949270adc21171f3da304ce0fd4374ad184af9f72dc63d1bcced3b0bbe

SHA512
4fe1e1c40337006349d3c1773c585fe5c7276638f4ee126b1b4f59f79ee9bc0fd3544b7707617d57ed6418a9606bf3e5808c2f8dd20e39bddd1ccf348509a700

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
a2d097eb8d28f2d5c1b1cdbec83220f4

SHA1
3bb1449483a2c97ff759d51059be98c71d1bb6b5

SHA256
e303d2c3cc5b64067ae5b2d5901712f4ea45dfc7cb9b077329934a936ef0b770

SHA512
55faec6aec40afa092cd904ae0ddd361d023a7232b37e4e0d7e5f4ffecebbb166e0d3127add2885cb1650de45d8ac2923e8521361fe7ec9c22434e3ed6f8a0d9

Download Submit
memory/768-116-0x0000000000E10000-0x00000000012D1000-memory.dmp

Filesize
4.8MB

Download
memory/768-101-0x0000000000E10000-0x00000000012D1000-memory.dmp

Filesize
4.8MB

Download
memory/1552-183-0x0000000000E10000-0x00000000012D1000-memory.dmp

Filesize
4.8MB

Download
memory/1552-182-0x0000000000E10000-0x00000000012D1000-memory.dmp

Filesize
4.8MB

Download
memory/1944-216-0x0000000000E10000-0x00000000012D1000-memory.dmp

Filesize
4.8MB

Download
memory/1944-217-0x0000000000E10000-0x00000000012D1000-memory.dmp

Filesize
4.8MB

Download
memory/2668-23-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/2668-164-0x0000000000E10000-0x00000000012D1000-memory.dmp

Filesize
4.8MB

Download
memory/2668-207-0x0000000000E10000-0x00000000012D1000-memory.dmp

Filesize
4.8MB

Download
memory/2668-203-0x0000000000E10000-0x00000000012D1000-memory.dmp

Filesize
4.8MB

Download
memory/2668-27-0x0000000000E10000-0x00000000012D1000-memory.dmp

Filesize
4.8MB

Download
memory/2668-19-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/2668-20-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download
memory/2668-21-0x0000000005320000-0x0000000005321000-memory.dmp

Filesize
4KB

Download
memory/2668-122-0x0000000000E10000-0x00000000012D1000-memory.dmp

Filesize
4.8MB

Download
memory/2668-123-0x0000000000E10000-0x00000000012D1000-memory.dmp

Filesize
4.8MB

Download
memory/2668-201-0x0000000000E10000-0x00000000012D1000-memory.dmp

Filesize
4.8MB

Download
memory/2668-199-0x0000000000E10000-0x00000000012D1000-memory.dmp

Filesize
4.8MB

Download
memory/2668-22-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/2668-205-0x0000000000E10000-0x00000000012D1000-memory.dmp

Filesize
4.8MB

Download
memory/2668-24-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download
memory/2668-143-0x0000000000E10000-0x00000000012D1000-memory.dmp

Filesize
4.8MB

Download
memory/2668-144-0x0000000000E10000-0x00000000012D1000-memory.dmp

Filesize
4.8MB

Download
memory/2668-25-0x0000000005360000-0x0000000005361000-memory.dmp

Filesize
4KB

Download
memory/2668-26-0x0000000000E11000-0x0000000000E3F000-memory.dmp

Filesize
184KB

Download
memory/2668-215-0x0000000000E10000-0x00000000012D1000-memory.dmp

Filesize
4.8MB

Download
memory/2668-17-0x0000000000E10000-0x00000000012D1000-memory.dmp

Filesize
4.8MB

Download
memory/2668-228-0x0000000000E10000-0x00000000012D1000-memory.dmp

Filesize
4.8MB

Download
memory/2668-160-0x0000000000E10000-0x00000000012D1000-memory.dmp

Filesize
4.8MB

Download
memory/2668-181-0x0000000000E10000-0x00000000012D1000-memory.dmp

Filesize
4.8MB

Download
memory/2668-177-0x0000000000E10000-0x00000000012D1000-memory.dmp

Filesize
4.8MB

Download
memory/2668-175-0x0000000000E10000-0x00000000012D1000-memory.dmp

Filesize
4.8MB

Download
memory/2888-48-0x0000000000CD0000-0x00000000012B7000-memory.dmp

Filesize
5.9MB

Download
memory/2888-184-0x0000000000CD0000-0x00000000012B7000-memory.dmp

Filesize
5.9MB

Download
memory/2888-163-0x0000000000CD0000-0x00000000012B7000-memory.dmp

Filesize
5.9MB

Download
memory/2888-176-0x0000000000CD0000-0x00000000012B7000-memory.dmp

Filesize
5.9MB

Download
memory/2888-229-0x0000000000CD0000-0x00000000012B7000-memory.dmp

Filesize
5.9MB

Download
memory/2888-178-0x0000000000CD0000-0x00000000012B7000-memory.dmp

Filesize
5.9MB

Download
memory/2888-218-0x0000000000CD0000-0x00000000012B7000-memory.dmp

Filesize
5.9MB

Download
memory/2888-208-0x0000000000CD0000-0x00000000012B7000-memory.dmp

Filesize
5.9MB

Download
memory/2888-153-0x0000000000CD0000-0x00000000012B7000-memory.dmp

Filesize
5.9MB

Download
memory/2888-49-0x0000000000CD0000-0x00000000012B7000-memory.dmp

Filesize
5.9MB

Download
memory/2888-152-0x0000000000CD0000-0x00000000012B7000-memory.dmp

Filesize
5.9MB

Download
memory/2888-165-0x0000000000CD0000-0x00000000012B7000-memory.dmp

Filesize
5.9MB

Download
memory/2888-200-0x0000000000CD0000-0x00000000012B7000-memory.dmp

Filesize
5.9MB

Download
memory/2888-124-0x0000000000CD0000-0x00000000012B7000-memory.dmp

Filesize
5.9MB

Download
memory/2888-202-0x0000000000CD0000-0x00000000012B7000-memory.dmp

Filesize
5.9MB

Download
memory/2888-206-0x0000000000CD0000-0x00000000012B7000-memory.dmp

Filesize
5.9MB

Download
memory/2888-204-0x0000000000CD0000-0x00000000012B7000-memory.dmp

Filesize
5.9MB

Download
memory/3116-0-0x0000000000790000-0x0000000000C51000-memory.dmp

Filesize
4.8MB

Download
memory/3116-16-0x0000000000790000-0x0000000000C51000-memory.dmp

Filesize
4.8MB

Download
memory/3116-5-0x0000000000790000-0x0000000000C51000-memory.dmp

Filesize
4.8MB

Download
memory/3116-3-0x0000000000790000-0x0000000000C51000-memory.dmp

Filesize
4.8MB

Download
memory/3116-2-0x0000000000791000-0x00000000007BF000-memory.dmp

Filesize
184KB

Download
memory/3116-1-0x00000000775F6000-0x00000000775F8000-memory.dmp

Filesize
8KB

Download
memory/3252-67-0x0000000000160000-0x00000000006A9000-memory.dmp

Filesize
5.3MB

Download
memory/3252-125-0x0000000000160000-0x00000000006A9000-memory.dmp

Filesize
5.3MB

Download
memory/3252-154-0x0000000000160000-0x00000000006A9000-memory.dmp

Filesize
5.3MB

Download
memory/3252-161-0x0000000000160000-0x00000000006A9000-memory.dmp

Filesize
5.3MB

Download
memory/3252-162-0x0000000000160000-0x00000000006A9000-memory.dmp

Filesize
5.3MB

Download