amadey | 06efa0a4a4cc6055c87de5a576f55a0b6783ff96c2f1625bfda33cb57c9a51fc

Analysis

max time kernel
149s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
24-06-2024 08:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06efa0a4a4cc6055c87de5a576f55a0b6783ff96c2f1625bfda33cb57c9a51fc.exe
Size

1.8MB
MD5

6f54435ac42e18c797942e79bc77080c
SHA1

0e9fd3af85cd3ab3fa9b772d72c854ebd9ef77f9
SHA256

06efa0a4a4cc6055c87de5a576f55a0b6783ff96c2f1625bfda33cb57c9a51fc
SHA512

545164d0b4d3ac4039b832101f25d42d10c0ac4cb6493eaa0d1230acbb08c80e3970d28c7054c6f227e1a05a31793b315941fe263d2638798c727df5e23a5f3a
SSDEEP

24576:Tdj0ht8vXenMUwpUkQP4ztFvSlkP4Utm14mAfs0tARnJLgJicNR/bYmqIewCokPW:B0rMHpUr4ztBAkt1RvsAbvew3

Score

10^/10

amadey risepro 0e6740 evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

risepro

77.91.77.66:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d18156adf6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c4744597a5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	06efa0a4a4cc6055c87de5a576f55a0b6783ff96c2f1625bfda33cb57c9a51fc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	06efa0a4a4cc6055c87de5a576f55a0b6783ff96c2f1625bfda33cb57c9a51fc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c4744597a5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c4744597a5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d18156adf6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	06efa0a4a4cc6055c87de5a576f55a0b6783ff96c2f1625bfda33cb57c9a51fc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d18156adf6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe

Executes dropped EXE 6 IoCs

pid	Process
5100	explortu.exe
4220	d18156adf6.exe
2372	c4744597a5.exe
1868	explortu.exe
1072	explortu.exe
2792	explortu.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	06efa0a4a4cc6055c87de5a576f55a0b6783ff96c2f1625bfda33cb57c9a51fc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	d18156adf6.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	c4744597a5.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	explortu.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Run\d18156adf6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\d18156adf6.exe"	explortu.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/2372-129-0x00000000008B0000-0x0000000000E20000-memory.dmp	autoit_exe
behavioral2/memory/2372-149-0x00000000008B0000-0x0000000000E20000-memory.dmp	autoit_exe
behavioral2/memory/2372-156-0x00000000008B0000-0x0000000000E20000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
3176	06efa0a4a4cc6055c87de5a576f55a0b6783ff96c2f1625bfda33cb57c9a51fc.exe
5100	explortu.exe
4220	d18156adf6.exe
2372	c4744597a5.exe
1868	explortu.exe
1072	explortu.exe
2792	explortu.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	06efa0a4a4cc6055c87de5a576f55a0b6783ff96c2f1625bfda33cb57c9a51fc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133636928416313610"	chrome.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3176	06efa0a4a4cc6055c87de5a576f55a0b6783ff96c2f1625bfda33cb57c9a51fc.exe
3176	06efa0a4a4cc6055c87de5a576f55a0b6783ff96c2f1625bfda33cb57c9a51fc.exe
5100	explortu.exe
5100	explortu.exe
4220	d18156adf6.exe
4220	d18156adf6.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
3040	chrome.exe
3040	chrome.exe
1868	explortu.exe
1868	explortu.exe
1072	explortu.exe
1072	explortu.exe
4092	chrome.exe
4092	chrome.exe
2792	explortu.exe
2792	explortu.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeCreatePagefilePrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeCreatePagefilePrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeCreatePagefilePrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeCreatePagefilePrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeCreatePagefilePrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeCreatePagefilePrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeCreatePagefilePrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeCreatePagefilePrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeCreatePagefilePrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeCreatePagefilePrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeCreatePagefilePrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeCreatePagefilePrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeCreatePagefilePrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeCreatePagefilePrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeCreatePagefilePrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeCreatePagefilePrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeCreatePagefilePrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeCreatePagefilePrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeCreatePagefilePrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeCreatePagefilePrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeCreatePagefilePrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeCreatePagefilePrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeCreatePagefilePrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeCreatePagefilePrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeCreatePagefilePrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeCreatePagefilePrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeCreatePagefilePrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeCreatePagefilePrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeCreatePagefilePrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeCreatePagefilePrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeCreatePagefilePrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeCreatePagefilePrivilege	3040	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3176	06efa0a4a4cc6055c87de5a576f55a0b6783ff96c2f1625bfda33cb57c9a51fc.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
3040	chrome.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe
2372	c4744597a5.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3176 wrote to memory of 5100	3176	06efa0a4a4cc6055c87de5a576f55a0b6783ff96c2f1625bfda33cb57c9a51fc.exe	81
PID 3176 wrote to memory of 5100	3176	06efa0a4a4cc6055c87de5a576f55a0b6783ff96c2f1625bfda33cb57c9a51fc.exe	81
PID 3176 wrote to memory of 5100	3176	06efa0a4a4cc6055c87de5a576f55a0b6783ff96c2f1625bfda33cb57c9a51fc.exe	81
PID 5100 wrote to memory of 1836	5100	explortu.exe	82
PID 5100 wrote to memory of 1836	5100	explortu.exe	82
PID 5100 wrote to memory of 1836	5100	explortu.exe	82
PID 5100 wrote to memory of 4220	5100	explortu.exe	83
PID 5100 wrote to memory of 4220	5100	explortu.exe	83
PID 5100 wrote to memory of 4220	5100	explortu.exe	83
PID 5100 wrote to memory of 2372	5100	explortu.exe	84
PID 5100 wrote to memory of 2372	5100	explortu.exe	84
PID 5100 wrote to memory of 2372	5100	explortu.exe	84
PID 2372 wrote to memory of 3040	2372	c4744597a5.exe	85
PID 2372 wrote to memory of 3040	2372	c4744597a5.exe	85
PID 3040 wrote to memory of 1992	3040	chrome.exe	88
PID 3040 wrote to memory of 1992	3040	chrome.exe	88
PID 3040 wrote to memory of 4812	3040	chrome.exe	89
PID 3040 wrote to memory of 4812	3040	chrome.exe	89
PID 3040 wrote to memory of 4812	3040	chrome.exe	89
PID 3040 wrote to memory of 4812	3040	chrome.exe	89
PID 3040 wrote to memory of 4812	3040	chrome.exe	89
PID 3040 wrote to memory of 4812	3040	chrome.exe	89
PID 3040 wrote to memory of 4812	3040	chrome.exe	89
PID 3040 wrote to memory of 4812	3040	chrome.exe	89
PID 3040 wrote to memory of 4812	3040	chrome.exe	89
PID 3040 wrote to memory of 4812	3040	chrome.exe	89
PID 3040 wrote to memory of 4812	3040	chrome.exe	89
PID 3040 wrote to memory of 4812	3040	chrome.exe	89
PID 3040 wrote to memory of 4812	3040	chrome.exe	89
PID 3040 wrote to memory of 4812	3040	chrome.exe	89
PID 3040 wrote to memory of 4812	3040	chrome.exe	89
PID 3040 wrote to memory of 4812	3040	chrome.exe	89
PID 3040 wrote to memory of 4812	3040	chrome.exe	89
PID 3040 wrote to memory of 4812	3040	chrome.exe	89
PID 3040 wrote to memory of 4812	3040	chrome.exe	89
PID 3040 wrote to memory of 4812	3040	chrome.exe	89
PID 3040 wrote to memory of 4812	3040	chrome.exe	89
PID 3040 wrote to memory of 4812	3040	chrome.exe	89
PID 3040 wrote to memory of 4812	3040	chrome.exe	89
PID 3040 wrote to memory of 4812	3040	chrome.exe	89
PID 3040 wrote to memory of 4812	3040	chrome.exe	89
PID 3040 wrote to memory of 4812	3040	chrome.exe	89
PID 3040 wrote to memory of 4812	3040	chrome.exe	89
PID 3040 wrote to memory of 4812	3040	chrome.exe	89
PID 3040 wrote to memory of 4812	3040	chrome.exe	89
PID 3040 wrote to memory of 4812	3040	chrome.exe	89
PID 3040 wrote to memory of 4812	3040	chrome.exe	89
PID 3040 wrote to memory of 3596	3040	chrome.exe	90
PID 3040 wrote to memory of 3596	3040	chrome.exe	90
PID 3040 wrote to memory of 4088	3040	chrome.exe	91
PID 3040 wrote to memory of 4088	3040	chrome.exe	91
PID 3040 wrote to memory of 4088	3040	chrome.exe	91
PID 3040 wrote to memory of 4088	3040	chrome.exe	91
PID 3040 wrote to memory of 4088	3040	chrome.exe	91
PID 3040 wrote to memory of 4088	3040	chrome.exe	91
PID 3040 wrote to memory of 4088	3040	chrome.exe	91
PID 3040 wrote to memory of 4088	3040	chrome.exe	91
PID 3040 wrote to memory of 4088	3040	chrome.exe	91
PID 3040 wrote to memory of 4088	3040	chrome.exe	91
PID 3040 wrote to memory of 4088	3040	chrome.exe	91
PID 3040 wrote to memory of 4088	3040	chrome.exe	91
PID 3040 wrote to memory of 4088	3040	chrome.exe	91
PID 3040 wrote to memory of 4088	3040	chrome.exe	91
PID 3040 wrote to memory of 4088	3040	chrome.exe	91

C:\Users\Admin\AppData\Local\Temp\06efa0a4a4cc6055c87de5a576f55a0b6783ff96c2f1625bfda33cb57c9a51fc.exe
"C:\Users\Admin\AppData\Local\Temp\06efa0a4a4cc6055c87de5a576f55a0b6783ff96c2f1625bfda33cb57c9a51fc.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:1836
- - C:\Users\Admin\AppData\Local\Temp\1000016001\d18156adf6.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\d18156adf6.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:4220
- - C:\Users\Admin\AppData\Local\Temp\1000017001\c4744597a5.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\c4744597a5.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3040
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffee2c5ab58,0x7ffee2c5ab68,0x7ffee2c5ab78
        5⤵
        
        PID:1992
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1780,i,2898433369820460049,2889277806327946535,131072 /prefetch:2
        5⤵
        
        PID:4812
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1780,i,2898433369820460049,2889277806327946535,131072 /prefetch:8
        5⤵
        
        PID:3596
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2152 --field-trial-handle=1780,i,2898433369820460049,2889277806327946535,131072 /prefetch:8
        5⤵
        
        PID:4088
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3024 --field-trial-handle=1780,i,2898433369820460049,2889277806327946535,131072 /prefetch:1
        5⤵
        
        PID:3780
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3044 --field-trial-handle=1780,i,2898433369820460049,2889277806327946535,131072 /prefetch:1
        5⤵
        
        PID:3104
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4152 --field-trial-handle=1780,i,2898433369820460049,2889277806327946535,131072 /prefetch:1
        5⤵
        
        PID:1032
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4380 --field-trial-handle=1780,i,2898433369820460049,2889277806327946535,131072 /prefetch:8
        5⤵
        
        PID:3364
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4500 --field-trial-handle=1780,i,2898433369820460049,2889277806327946535,131072 /prefetch:8
        5⤵
        
        PID:3156
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4500 --field-trial-handle=1780,i,2898433369820460049,2889277806327946535,131072 /prefetch:8
        5⤵
        
        PID:4308
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1780,i,2898433369820460049,2889277806327946535,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4092

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:976

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1868

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1072

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
3a2c4dd7096c408bddb0ce4de42bc05c

SHA1
ba44eaf2d500b5f8e813bdf23d944d470c12fa6f

SHA256
11405e51eaa2a958dbefff86c72d11d2cff239c4036e06948a36c27af92c97d1

SHA512
568e11e59c60ee93955bc1de93a3d0c74ba566cf92fdf468b02be9f99c01ab9eb521d421b5f47da2932a16efbd0fba92a62b3b0f96f4e6ff0a7e2e4fe1222a77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
c15aaead17f65d0dd06b85b58ff48201

SHA1
77f4ea1d4c6f748607be873ef51a282f967809b4

SHA256
76abb2932052ef049ef8905865a21717e337279346dea1c849f1105fa72f725c

SHA512
562958aaf8b5155a74428240396263ea341f0d9f097aaef635ef6591737a34e191b5a62df91076174edab5c6562be1aec8ee284f620073985ea42298149ddd6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
6ce16bf23c8c60bf91e05353382cde2b

SHA1
73cb5b067ecb43c43d691ef76cf559a641cf63ae

SHA256
3f87654a1c3b7d05c1acb8cb57d1ce742d4dfab8fef93da89adb77bed9109c73

SHA512
2492be4795206ce02672ee72898c355fda10bf08473cddbd634a85a917f02569c0a811b45d5353e3decad88521edd8377d2bcadca850666fbc5cfd78b0fbf6b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
405a45acd6b4feeeb2b58c2a9887f3c9

SHA1
89d4df57cd4cc439bc795302af791eebe56c14d9

SHA256
c8eff44db7962f868a247fd79ee6920baeef1eae9169a71cfd98d417272898a9

SHA512
fbba1d10e61a9183430ef66b43b0716f24f98507ca3c366e979393d8ca033338020584d4cfeade44430f9598c02eba3942036cdefee346fe6c291df76c5351e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
18503847d62c45ba8a2975e095f17d28

SHA1
e3bfe9c127041fc8f9fc52013e8d83c6122e2db3

SHA256
5f95e8f2369e0c3a79b86e6d525a09e10ee9af9a11cfd776e6f7506b3fae9fec

SHA512
a565f24cc88217ef2e52d80102cb8d9bbbce8375c19798ee0d784465ea5e23a045aea0dfcaed639a4b12438921ce12d01c45b5df08858103473886a87b67bc18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
981136f9c5fba3c463130bcee2f484ae

SHA1
334885690cac767cd19764a47967a0f94b98d943

SHA256
2c87f64d6b0cd1f65615c8dabf9ba39c1509f0b54c9a1536399a51f62c16cfe5

SHA512
dcacb79db823455ef1ca56c892c0f7f31c811cf314c9a4fdb9ee93fdde9337fe92be39fa24bbcb3cf0893171d34ee7e5a4b5f69081bbd4cb1fda5781ceffe149

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
280KB

MD5
1ed69275490aaef0e3b23aa2d05d0317

SHA1
4b33fce88d79dfd742b535743fee655c3751fafc

SHA256
73156905a9cc81a3061aaecdbddc448d2e464a1a805b9276469a35eb34aed33a

SHA512
7d40ecf1dc7794fbb5a6dcfe1a74478d6f9e6b9cf0146c07328fdcf035c1eb2074a0eb3f61fa68307ebc45ea1e273230fce7eb689982158fdc2e78e6daedf8bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\d18156adf6.exe

Filesize
2.3MB

MD5
2414198f1bfe185780b5549bf67df4e9

SHA1
04237fb0b148bf405a6f5e7681eef3cea471a2a5

SHA256
68cfcba954cefe1bae03ee109dda0386d2f897a805c2fff96b539a5443ecd6b4

SHA512
953cf8fa17235d3f7fc04646693a66774a08f365d2e7fb789c0397abc0d20ce8f1a403e276fd49d69bb1b4fe12422ef52bee316ba1f3a9cb3efaf869e3b85fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\c4744597a5.exe

Filesize
2.3MB

MD5
8b6add9f9e2e7856108ff0a42280945b

SHA1
3d3d153224fc02b0d28609c57d745b65276f9ad3

SHA256
a579ceba84d65bcda920c3d7c3c829b887a53dd9456aadde382ee0d7726481e4

SHA512
ea9154e771da8ecda02b0ac13e3b58fd3b8aeda3c90ba8d5f77239f8f0b7a1a289b0c6d0852618586f176d0289e84bea3d373dca289eacbcaa8f8a626b208c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
6f54435ac42e18c797942e79bc77080c

SHA1
0e9fd3af85cd3ab3fa9b772d72c854ebd9ef77f9

SHA256
06efa0a4a4cc6055c87de5a576f55a0b6783ff96c2f1625bfda33cb57c9a51fc

SHA512
545164d0b4d3ac4039b832101f25d42d10c0ac4cb6493eaa0d1230acbb08c80e3970d28c7054c6f227e1a05a31793b315941fe263d2638798c727df5e23a5f3a

Download Submit
memory/1072-176-0x0000000000160000-0x0000000000619000-memory.dmp

Filesize
4.7MB

Download
memory/1072-177-0x0000000000160000-0x0000000000619000-memory.dmp

Filesize
4.7MB

Download
memory/1868-116-0x0000000000160000-0x0000000000619000-memory.dmp

Filesize
4.7MB

Download
memory/1868-109-0x0000000000160000-0x0000000000619000-memory.dmp

Filesize
4.7MB

Download
memory/2372-149-0x00000000008B0000-0x0000000000E20000-memory.dmp

Filesize
5.4MB

Download
memory/2372-60-0x00000000008B0000-0x0000000000E20000-memory.dmp

Filesize
5.4MB

Download
memory/2372-129-0x00000000008B0000-0x0000000000E20000-memory.dmp

Filesize
5.4MB

Download
memory/2372-156-0x00000000008B0000-0x0000000000E20000-memory.dmp

Filesize
5.4MB

Download
memory/2792-212-0x0000000000160000-0x0000000000619000-memory.dmp

Filesize
4.7MB

Download
memory/2792-211-0x0000000000160000-0x0000000000619000-memory.dmp

Filesize
4.7MB

Download
memory/3176-18-0x0000000000C70000-0x0000000001129000-memory.dmp

Filesize
4.7MB

Download
memory/3176-1-0x00000000778A6000-0x00000000778A8000-memory.dmp

Filesize
8KB

Download
memory/3176-2-0x0000000000C71000-0x0000000000C9F000-memory.dmp

Filesize
184KB

Download
memory/3176-3-0x0000000000C70000-0x0000000001129000-memory.dmp

Filesize
4.7MB

Download
memory/3176-5-0x0000000000C70000-0x0000000001129000-memory.dmp

Filesize
4.7MB

Download
memory/3176-0-0x0000000000C70000-0x0000000001129000-memory.dmp

Filesize
4.7MB

Download
memory/4220-198-0x00000000007A0000-0x0000000000D9A000-memory.dmp

Filesize
6.0MB

Download
memory/4220-178-0x00000000007A0000-0x0000000000D9A000-memory.dmp

Filesize
6.0MB

Download
memory/4220-147-0x00000000007A0000-0x0000000000D9A000-memory.dmp

Filesize
6.0MB

Download
memory/4220-148-0x00000000007A0000-0x0000000000D9A000-memory.dmp

Filesize
6.0MB

Download
memory/4220-224-0x00000000007A0000-0x0000000000D9A000-memory.dmp

Filesize
6.0MB

Download
memory/4220-42-0x00000000007A0000-0x0000000000D9A000-memory.dmp

Filesize
6.0MB

Download
memory/4220-213-0x00000000007A0000-0x0000000000D9A000-memory.dmp

Filesize
6.0MB

Download
memory/4220-118-0x00000000007A0000-0x0000000000D9A000-memory.dmp

Filesize
6.0MB

Download
memory/4220-157-0x00000000007A0000-0x0000000000D9A000-memory.dmp

Filesize
6.0MB

Download
memory/4220-202-0x00000000007A0000-0x0000000000D9A000-memory.dmp

Filesize
6.0MB

Download
memory/4220-159-0x00000000007A0000-0x0000000000D9A000-memory.dmp

Filesize
6.0MB

Download
memory/4220-200-0x00000000007A0000-0x0000000000D9A000-memory.dmp

Filesize
6.0MB

Download
memory/4220-170-0x00000000007A0000-0x0000000000D9A000-memory.dmp

Filesize
6.0MB

Download
memory/4220-196-0x00000000007A0000-0x0000000000D9A000-memory.dmp

Filesize
6.0MB

Download
memory/4220-172-0x00000000007A0000-0x0000000000D9A000-memory.dmp

Filesize
6.0MB

Download
memory/4220-194-0x00000000007A0000-0x0000000000D9A000-memory.dmp

Filesize
6.0MB

Download
memory/5100-21-0x0000000000160000-0x0000000000619000-memory.dmp

Filesize
4.7MB

Download
memory/5100-169-0x0000000000160000-0x0000000000619000-memory.dmp

Filesize
4.7MB

Download
memory/5100-130-0x0000000000160000-0x0000000000619000-memory.dmp

Filesize
4.7MB

Download
memory/5100-139-0x0000000000160000-0x0000000000619000-memory.dmp

Filesize
4.7MB

Download
memory/5100-193-0x0000000000160000-0x0000000000619000-memory.dmp

Filesize
4.7MB

Download
memory/5100-174-0x0000000000160000-0x0000000000619000-memory.dmp

Filesize
4.7MB

Download
memory/5100-195-0x0000000000160000-0x0000000000619000-memory.dmp

Filesize
4.7MB

Download
memory/5100-171-0x0000000000160000-0x0000000000619000-memory.dmp

Filesize
4.7MB

Download
memory/5100-197-0x0000000000160000-0x0000000000619000-memory.dmp

Filesize
4.7MB

Download
memory/5100-106-0x0000000000160000-0x0000000000619000-memory.dmp

Filesize
4.7MB

Download
memory/5100-199-0x0000000000160000-0x0000000000619000-memory.dmp

Filesize
4.7MB

Download
memory/5100-20-0x0000000000160000-0x0000000000619000-memory.dmp

Filesize
4.7MB

Download
memory/5100-201-0x0000000000160000-0x0000000000619000-memory.dmp

Filesize
4.7MB

Download
memory/5100-158-0x0000000000160000-0x0000000000619000-memory.dmp

Filesize
4.7MB

Download
memory/5100-209-0x0000000000160000-0x0000000000619000-memory.dmp

Filesize
4.7MB

Download
memory/5100-19-0x0000000000161000-0x000000000018F000-memory.dmp

Filesize
184KB

Download
memory/5100-117-0x0000000000160000-0x0000000000619000-memory.dmp

Filesize
4.7MB

Download
memory/5100-155-0x0000000000160000-0x0000000000619000-memory.dmp

Filesize
4.7MB

Download
memory/5100-16-0x0000000000160000-0x0000000000619000-memory.dmp

Filesize
4.7MB

Download
memory/5100-223-0x0000000000160000-0x0000000000619000-memory.dmp

Filesize
4.7MB

Download
memory/5100-138-0x0000000000160000-0x0000000000619000-memory.dmp

Filesize
4.7MB

Download