amadey | 9335518bdebd925efd0d4eb74316b0306115eefef14586e043f23cbd35c046f9

Analysis

max time kernel
149s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
24-06-2024 11:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9335518bdebd925efd0d4eb74316b0306115eefef14586e043f23cbd35c046f9.exe
Size

1.8MB
MD5

69138b3117d495b2d3b97f35decb70ec
SHA1

e9a1b39e9f303fe2fda9da6638a05b714f5c97c8
SHA256

9335518bdebd925efd0d4eb74316b0306115eefef14586e043f23cbd35c046f9
SHA512

1c8c4c24ff4e7e526367f31bbfc781c0325f864a8640432f131a56e351a16c28ab7f383d95d6b3939eea5f4cc177484c3a7ba8dfe01962fe191b5c68db14216e
SSDEEP

49152:AKtQNbj6jZ0K5ggUqcirkNbl7s+eDEOpawrQ:AkRUqcirkN57epawrQ

Score

10^/10

amadey risepro 0e6740 evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

risepro

77.91.77.66:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4d59d3b836.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	9335518bdebd925efd0d4eb74316b0306115eefef14586e043f23cbd35c046f9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1319b8573b.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9335518bdebd925efd0d4eb74316b0306115eefef14586e043f23cbd35c046f9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1319b8573b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4d59d3b836.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9335518bdebd925efd0d4eb74316b0306115eefef14586e043f23cbd35c046f9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1319b8573b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4d59d3b836.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe

Executes dropped EXE 5 IoCs

pid	Process
3000	explortu.exe
1888	1319b8573b.exe
4284	4d59d3b836.exe
2324	explortu.exe
3100	explortu.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	9335518bdebd925efd0d4eb74316b0306115eefef14586e043f23cbd35c046f9.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	1319b8573b.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	4d59d3b836.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	explortu.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Windows\CurrentVersion\Run\1319b8573b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\1319b8573b.exe"	explortu.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4284-114-0x00000000004F0000-0x0000000000A4A000-memory.dmp	autoit_exe
behavioral2/memory/4284-144-0x00000000004F0000-0x0000000000A4A000-memory.dmp	autoit_exe
behavioral2/memory/4284-150-0x00000000004F0000-0x0000000000A4A000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
4656	9335518bdebd925efd0d4eb74316b0306115eefef14586e043f23cbd35c046f9.exe
3000	explortu.exe
1888	1319b8573b.exe
4284	4d59d3b836.exe
2324	explortu.exe
3100	explortu.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	9335518bdebd925efd0d4eb74316b0306115eefef14586e043f23cbd35c046f9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133637022953446986"	chrome.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4656	9335518bdebd925efd0d4eb74316b0306115eefef14586e043f23cbd35c046f9.exe
4656	9335518bdebd925efd0d4eb74316b0306115eefef14586e043f23cbd35c046f9.exe
3000	explortu.exe
3000	explortu.exe
1888	1319b8573b.exe
1888	1319b8573b.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
2488	chrome.exe
2488	chrome.exe
2324	explortu.exe
2324	explortu.exe
3100	explortu.exe
3100	explortu.exe
928	chrome.exe
928	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
4284	4d59d3b836.exe
4284	4d59d3b836.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
4284	4d59d3b836.exe
2488	chrome.exe
4284	4d59d3b836.exe
2488	chrome.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
4284	4d59d3b836.exe
4284	4d59d3b836.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe
4284	4d59d3b836.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 3000	4656	9335518bdebd925efd0d4eb74316b0306115eefef14586e043f23cbd35c046f9.exe	80
PID 4656 wrote to memory of 3000	4656	9335518bdebd925efd0d4eb74316b0306115eefef14586e043f23cbd35c046f9.exe	80
PID 4656 wrote to memory of 3000	4656	9335518bdebd925efd0d4eb74316b0306115eefef14586e043f23cbd35c046f9.exe	80
PID 3000 wrote to memory of 1440	3000	explortu.exe	81
PID 3000 wrote to memory of 1440	3000	explortu.exe	81
PID 3000 wrote to memory of 1440	3000	explortu.exe	81
PID 3000 wrote to memory of 1888	3000	explortu.exe	82
PID 3000 wrote to memory of 1888	3000	explortu.exe	82
PID 3000 wrote to memory of 1888	3000	explortu.exe	82
PID 3000 wrote to memory of 4284	3000	explortu.exe	83
PID 3000 wrote to memory of 4284	3000	explortu.exe	83
PID 3000 wrote to memory of 4284	3000	explortu.exe	83
PID 4284 wrote to memory of 2488	4284	4d59d3b836.exe	84
PID 4284 wrote to memory of 2488	4284	4d59d3b836.exe	84
PID 2488 wrote to memory of 4300	2488	chrome.exe	87
PID 2488 wrote to memory of 4300	2488	chrome.exe	87
PID 2488 wrote to memory of 4452	2488	chrome.exe	88
PID 2488 wrote to memory of 4452	2488	chrome.exe	88
PID 2488 wrote to memory of 4452	2488	chrome.exe	88
PID 2488 wrote to memory of 4452	2488	chrome.exe	88
PID 2488 wrote to memory of 4452	2488	chrome.exe	88
PID 2488 wrote to memory of 4452	2488	chrome.exe	88
PID 2488 wrote to memory of 4452	2488	chrome.exe	88
PID 2488 wrote to memory of 4452	2488	chrome.exe	88
PID 2488 wrote to memory of 4452	2488	chrome.exe	88
PID 2488 wrote to memory of 4452	2488	chrome.exe	88
PID 2488 wrote to memory of 4452	2488	chrome.exe	88
PID 2488 wrote to memory of 4452	2488	chrome.exe	88
PID 2488 wrote to memory of 4452	2488	chrome.exe	88
PID 2488 wrote to memory of 4452	2488	chrome.exe	88
PID 2488 wrote to memory of 4452	2488	chrome.exe	88
PID 2488 wrote to memory of 4452	2488	chrome.exe	88
PID 2488 wrote to memory of 4452	2488	chrome.exe	88
PID 2488 wrote to memory of 4452	2488	chrome.exe	88
PID 2488 wrote to memory of 4452	2488	chrome.exe	88
PID 2488 wrote to memory of 4452	2488	chrome.exe	88
PID 2488 wrote to memory of 4452	2488	chrome.exe	88
PID 2488 wrote to memory of 4452	2488	chrome.exe	88
PID 2488 wrote to memory of 4452	2488	chrome.exe	88
PID 2488 wrote to memory of 4452	2488	chrome.exe	88
PID 2488 wrote to memory of 4452	2488	chrome.exe	88
PID 2488 wrote to memory of 4452	2488	chrome.exe	88
PID 2488 wrote to memory of 4452	2488	chrome.exe	88
PID 2488 wrote to memory of 4452	2488	chrome.exe	88
PID 2488 wrote to memory of 4452	2488	chrome.exe	88
PID 2488 wrote to memory of 4452	2488	chrome.exe	88
PID 2488 wrote to memory of 4452	2488	chrome.exe	88
PID 2488 wrote to memory of 1072	2488	chrome.exe	89
PID 2488 wrote to memory of 1072	2488	chrome.exe	89
PID 2488 wrote to memory of 3324	2488	chrome.exe	90
PID 2488 wrote to memory of 3324	2488	chrome.exe	90
PID 2488 wrote to memory of 3324	2488	chrome.exe	90
PID 2488 wrote to memory of 3324	2488	chrome.exe	90
PID 2488 wrote to memory of 3324	2488	chrome.exe	90
PID 2488 wrote to memory of 3324	2488	chrome.exe	90
PID 2488 wrote to memory of 3324	2488	chrome.exe	90
PID 2488 wrote to memory of 3324	2488	chrome.exe	90
PID 2488 wrote to memory of 3324	2488	chrome.exe	90
PID 2488 wrote to memory of 3324	2488	chrome.exe	90
PID 2488 wrote to memory of 3324	2488	chrome.exe	90
PID 2488 wrote to memory of 3324	2488	chrome.exe	90
PID 2488 wrote to memory of 3324	2488	chrome.exe	90
PID 2488 wrote to memory of 3324	2488	chrome.exe	90
PID 2488 wrote to memory of 3324	2488	chrome.exe	90

C:\Users\Admin\AppData\Local\Temp\9335518bdebd925efd0d4eb74316b0306115eefef14586e043f23cbd35c046f9.exe
"C:\Users\Admin\AppData\Local\Temp\9335518bdebd925efd0d4eb74316b0306115eefef14586e043f23cbd35c046f9.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:1440
- - C:\Users\Admin\AppData\Local\Temp\1000016001\1319b8573b.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\1319b8573b.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:1888
- - C:\Users\Admin\AppData\Local\Temp\1000017001\4d59d3b836.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\4d59d3b836.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4284
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2488
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff91a39ab58,0x7ff91a39ab68,0x7ff91a39ab78
        5⤵
        
        PID:4300
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1848,i,5619953149176192017,3479094181725351136,131072 /prefetch:2
        5⤵
        
        PID:4452
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1848,i,5619953149176192017,3479094181725351136,131072 /prefetch:8
        5⤵
        
        PID:1072
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2132 --field-trial-handle=1848,i,5619953149176192017,3479094181725351136,131072 /prefetch:8
        5⤵
        
        PID:3324
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1848,i,5619953149176192017,3479094181725351136,131072 /prefetch:1
        5⤵
        
        PID:2060
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3196 --field-trial-handle=1848,i,5619953149176192017,3479094181725351136,131072 /prefetch:1
        5⤵
        
        PID:2956
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4208 --field-trial-handle=1848,i,5619953149176192017,3479094181725351136,131072 /prefetch:1
        5⤵
        
        PID:2428
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4024 --field-trial-handle=1848,i,5619953149176192017,3479094181725351136,131072 /prefetch:8
        5⤵
        
        PID:3056
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4508 --field-trial-handle=1848,i,5619953149176192017,3479094181725351136,131072 /prefetch:8
        5⤵
        
        PID:3264
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4500 --field-trial-handle=1848,i,5619953149176192017,3479094181725351136,131072 /prefetch:8
        5⤵
        
        PID:4152
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1504 --field-trial-handle=1848,i,5619953149176192017,3479094181725351136,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:928

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2792

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2324

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
cb54554c5fe5c5b162b40603f53c1f23

SHA1
9d6b7d6502573f76dacb1506e5a459fa5d752790

SHA256
3eb998d1003c98dfcb7dc037f1831627dbc16b689df583c57b5123151f0e0d69

SHA512
7eb5e3499ee2bc82eef862acbb7e1715c025c266a908d150cb6a0cdd5de5030469742eae57f1697c82d61588a21e18ee8c519555e9721a3566a610c67238d9f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\8ca61318-27a9-48ed-8c66-941086c16f7e.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
ac8ad91c70d2a1033e6a5726b4585bf8

SHA1
d661b75a1da53ac23adebf61f34bb05b8225df08

SHA256
d2356504f81fcdde7e7ad9ac95b9bca9a536da0413e0948bc5e7709efe992e02

SHA512
a34635bd3cb772bb7eacf47f85df729e56916ab856648f1c80c9c4a25c96df1895ea74e3a5122b33c07cb9a4c21e4a5a5ee21d6292f4cbbc90e4727117c868c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
888c6ec06939922617a51f9c7dbf0266

SHA1
fac53def55f1ce6d2cafa22c14ce1b588a20795f

SHA256
a01096b50e94f49f07cf3d3ab4f7be38ee78a1a0527b41c8835d1696581e6f61

SHA512
063d59029c2f110ca9e2f45843fbf0785af846705ff67791a21f851724f3f74126a318b3bb8c67c2aae8577e344a3d4b976f174e1197ce738dfe9c6416701159

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
e0a5ec89755592d9d8da651042fe9542

SHA1
81f599a7d281fc26ffe9a3c805b41bd3de58a02c

SHA256
e5b82831b6c3b13e6662cbd1c441928de8e737fb30c0a7f9f113ad207a131dfc

SHA512
cf82a052ea458bb083da664f221a1877e16ec0a6823f06341460762f1e9adb54cd92f277839744632ff1a5bd939a89fa33202cfb5c4f6d8d9f7d962d4a338449

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
526abc94e960d6d8f400e3911dfcb189

SHA1
11fdd91d1ca99b0a16af448096e59c3c7cb0d932

SHA256
15a2020f426289ef16dc45b5d00572071260b74ccf7d26f2a30832f7e4d7cbcd

SHA512
b11afd4b42d2d844d29703628db92f63dc9479868d307f29790ca66dd10cc70256031de94645d6a78180e0541c01dcd6c958fcd3037280bbca900a9af2b12816

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
17fbfa6625d6e8defb40d685a8431be9

SHA1
37b975b9c67368c8f13792dbf82cd98dc55d9067

SHA256
d291583af744f58b72775af1532d338e6193fe82fa01cfc9b75bc2aad8c92b0d

SHA512
a14ba661a48868f2e98960fa5d0643ceccde274c463cd87d6857fd0dd58459fa560be7fb2d110ad44193dadf96640b2d2fd0f685d9e8b7a0eefdcbb5ddc85395

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
280KB

MD5
1412a6e4a5388aa90fb297c6e8bc755d

SHA1
9c77f0fa2db94413137d82a775531fc3b1461708

SHA256
5375d43a922e31d9a7d35ccbb79ca8d722d7ff33d412c6789045289a5dccea4e

SHA512
7f7e2e9e449a00830259b94000d6722096935ebebd43520b3183ed2dfe7a4d09ae1e477fcf11ac5c67d4273db44651d6eaa7fc65152b906aab8a5b4c70020191

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\1319b8573b.exe

Filesize
2.3MB

MD5
77fb57b1c35671a0986d7e8e1d5a51eb

SHA1
0b9af09349f8dbf16c668ab55359975495503c39

SHA256
0243fe8ce7517ff691de5073c7b7b3be9ceaa92efdf2e54077cdd611a5786e3c

SHA512
e0791ffe0a80069830dd4aa0db22d112b1d43a0cbe6da6edd0e3039c953f40d74f9476a2f87d6f05c06fc04524bd4cfe9acfef6e89e81834d3f17ee2595d9007

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\4d59d3b836.exe

Filesize
2.3MB

MD5
953b8938c04ee98cff07c2166018f1f2

SHA1
5a46c65bafd3562c7941fe6a40c4e1916213fafc

SHA256
1d63459cd2ad475f96f1c768c93b3781a3cfefa9a766c7c4d1dde3afc560d080

SHA512
d0801d00c8caa9138d210623cb62c350760132977f74d2440a46215bcf2c61d297dd7a312378f29c201d08bd14cbcdd34ba99359ed0656796068b60f74fb4fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
69138b3117d495b2d3b97f35decb70ec

SHA1
e9a1b39e9f303fe2fda9da6638a05b714f5c97c8

SHA256
9335518bdebd925efd0d4eb74316b0306115eefef14586e043f23cbd35c046f9

SHA512
1c8c4c24ff4e7e526367f31bbfc781c0325f864a8640432f131a56e351a16c28ab7f383d95d6b3939eea5f4cc177484c3a7ba8dfe01962fe191b5c68db14216e

Download Submit
memory/1888-196-0x0000000000290000-0x0000000000889000-memory.dmp

Filesize
6.0MB

Download
memory/1888-198-0x0000000000290000-0x0000000000889000-memory.dmp

Filesize
6.0MB

Download
memory/1888-172-0x0000000000290000-0x0000000000889000-memory.dmp

Filesize
6.0MB

Download
memory/1888-188-0x0000000000290000-0x0000000000889000-memory.dmp

Filesize
6.0MB

Download
memory/1888-190-0x0000000000290000-0x0000000000889000-memory.dmp

Filesize
6.0MB

Download
memory/1888-169-0x0000000000290000-0x0000000000889000-memory.dmp

Filesize
6.0MB

Download
memory/1888-113-0x0000000000290000-0x0000000000889000-memory.dmp

Filesize
6.0MB

Download
memory/1888-167-0x0000000000290000-0x0000000000889000-memory.dmp

Filesize
6.0MB

Download
memory/1888-156-0x0000000000290000-0x0000000000889000-memory.dmp

Filesize
6.0MB

Download
memory/1888-42-0x0000000000290000-0x0000000000889000-memory.dmp

Filesize
6.0MB

Download
memory/1888-200-0x0000000000290000-0x0000000000889000-memory.dmp

Filesize
6.0MB

Download
memory/1888-207-0x0000000000290000-0x0000000000889000-memory.dmp

Filesize
6.0MB

Download
memory/1888-151-0x0000000000290000-0x0000000000889000-memory.dmp

Filesize
6.0MB

Download
memory/1888-142-0x0000000000290000-0x0000000000889000-memory.dmp

Filesize
6.0MB

Download
memory/1888-218-0x0000000000290000-0x0000000000889000-memory.dmp

Filesize
6.0MB

Download
memory/2324-153-0x0000000000090000-0x0000000000549000-memory.dmp

Filesize
4.7MB

Download
memory/2324-154-0x0000000000090000-0x0000000000549000-memory.dmp

Filesize
4.7MB

Download
memory/3000-187-0x0000000000090000-0x0000000000549000-memory.dmp

Filesize
4.7MB

Download
memory/3000-18-0x0000000000090000-0x0000000000549000-memory.dmp

Filesize
4.7MB

Download
memory/3000-208-0x0000000000090000-0x0000000000549000-memory.dmp

Filesize
4.7MB

Download
memory/3000-143-0x0000000000090000-0x0000000000549000-memory.dmp

Filesize
4.7MB

Download
memory/3000-132-0x0000000000090000-0x0000000000549000-memory.dmp

Filesize
4.7MB

Download
memory/3000-131-0x0000000000090000-0x0000000000549000-memory.dmp

Filesize
4.7MB

Download
memory/3000-155-0x0000000000090000-0x0000000000549000-memory.dmp

Filesize
4.7MB

Download
memory/3000-115-0x0000000000090000-0x0000000000549000-memory.dmp

Filesize
4.7MB

Download
memory/3000-166-0x0000000000090000-0x0000000000549000-memory.dmp

Filesize
4.7MB

Download
memory/3000-206-0x0000000000090000-0x0000000000549000-memory.dmp

Filesize
4.7MB

Download
memory/3000-168-0x0000000000090000-0x0000000000549000-memory.dmp

Filesize
4.7MB

Download
memory/3000-107-0x0000000000090000-0x0000000000549000-memory.dmp

Filesize
4.7MB

Download
memory/3000-170-0x0000000000090000-0x0000000000549000-memory.dmp

Filesize
4.7MB

Download
memory/3000-199-0x0000000000090000-0x0000000000549000-memory.dmp

Filesize
4.7MB

Download
memory/3000-21-0x0000000000090000-0x0000000000549000-memory.dmp

Filesize
4.7MB

Download
memory/3000-197-0x0000000000090000-0x0000000000549000-memory.dmp

Filesize
4.7MB

Download
memory/3000-20-0x0000000000090000-0x0000000000549000-memory.dmp

Filesize
4.7MB

Download
memory/3000-189-0x0000000000090000-0x0000000000549000-memory.dmp

Filesize
4.7MB

Download
memory/3000-19-0x0000000000091000-0x00000000000BF000-memory.dmp

Filesize
184KB

Download
memory/3000-192-0x0000000000090000-0x0000000000549000-memory.dmp

Filesize
4.7MB

Download
memory/3100-193-0x0000000000090000-0x0000000000549000-memory.dmp

Filesize
4.7MB

Download
memory/3100-195-0x0000000000090000-0x0000000000549000-memory.dmp

Filesize
4.7MB

Download
memory/4284-144-0x00000000004F0000-0x0000000000A4A000-memory.dmp

Filesize
5.4MB

Download
memory/4284-60-0x00000000004F0000-0x0000000000A4A000-memory.dmp

Filesize
5.4MB

Download
memory/4284-114-0x00000000004F0000-0x0000000000A4A000-memory.dmp

Filesize
5.4MB

Download
memory/4284-150-0x00000000004F0000-0x0000000000A4A000-memory.dmp

Filesize
5.4MB

Download
memory/4656-0-0x0000000000960000-0x0000000000E19000-memory.dmp

Filesize
4.7MB

Download
memory/4656-17-0x0000000000960000-0x0000000000E19000-memory.dmp

Filesize
4.7MB

Download
memory/4656-5-0x0000000000960000-0x0000000000E19000-memory.dmp

Filesize
4.7MB

Download
memory/4656-3-0x0000000000960000-0x0000000000E19000-memory.dmp

Filesize
4.7MB

Download
memory/4656-2-0x0000000000961000-0x000000000098F000-memory.dmp

Filesize
184KB

Download
memory/4656-1-0x0000000077CC6000-0x0000000077CC8000-memory.dmp

Filesize
8KB

Download