amadey | b604b2158ddfc79ff8941c60a750d9995283d3bd21437e9efe2bb65cc163e491

Analysis

max time kernel
149s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
24-06-2024 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b604b2158ddfc79ff8941c60a750d9995283d3bd21437e9efe2bb65cc163e491.exe
Size

1.8MB
MD5

7ade5c92fd89c372bd91584275c30894
SHA1

20fb933cf095d821190c488962e16318fc484917
SHA256

b604b2158ddfc79ff8941c60a750d9995283d3bd21437e9efe2bb65cc163e491
SHA512

1c9c90ff3febf6de92db54474f799f30c8ec9f97e2e4a5ac4bc6dd8977f7aa9c879442d9171d70754a5653702a00f9fb8bebe09f61462dd4642f993f05caf1c0
SSDEEP

49152:p2n93XqtLQh/PcGIOooAs0TjLQbHU2uZG:cnlXFBkGGoA7YHJb

Score

10^/10

amadey risepro 0e6740 evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

risepro

77.91.77.66:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ddc91ec69f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	66ee6cc528.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b604b2158ddfc79ff8941c60a750d9995283d3bd21437e9efe2bb65cc163e491.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	66ee6cc528.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b604b2158ddfc79ff8941c60a750d9995283d3bd21437e9efe2bb65cc163e491.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b604b2158ddfc79ff8941c60a750d9995283d3bd21437e9efe2bb65cc163e491.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ddc91ec69f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	66ee6cc528.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ddc91ec69f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe

Executes dropped EXE 5 IoCs

pid	Process
4580	explortu.exe
2780	ddc91ec69f.exe
2244	66ee6cc528.exe
1044	explortu.exe
4948	explortu.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	b604b2158ddfc79ff8941c60a750d9995283d3bd21437e9efe2bb65cc163e491.exe
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	ddc91ec69f.exe
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	66ee6cc528.exe
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	explortu.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\ddc91ec69f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\ddc91ec69f.exe"	explortu.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/2244-114-0x00000000005F0000-0x0000000000B4A000-memory.dmp	autoit_exe
behavioral2/memory/2244-143-0x00000000005F0000-0x0000000000B4A000-memory.dmp	autoit_exe
behavioral2/memory/2244-151-0x00000000005F0000-0x0000000000B4A000-memory.dmp	autoit_exe
behavioral2/memory/2244-152-0x00000000005F0000-0x0000000000B4A000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
456	b604b2158ddfc79ff8941c60a750d9995283d3bd21437e9efe2bb65cc163e491.exe
4580	explortu.exe
2780	ddc91ec69f.exe
2244	66ee6cc528.exe
1044	explortu.exe
4948	explortu.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	b604b2158ddfc79ff8941c60a750d9995283d3bd21437e9efe2bb65cc163e491.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133637106295036130"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
456	b604b2158ddfc79ff8941c60a750d9995283d3bd21437e9efe2bb65cc163e491.exe
456	b604b2158ddfc79ff8941c60a750d9995283d3bd21437e9efe2bb65cc163e491.exe
4580	explortu.exe
4580	explortu.exe
2780	ddc91ec69f.exe
2780	ddc91ec69f.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2172	chrome.exe
2172	chrome.exe
1044	explortu.exe
1044	explortu.exe
4948	explortu.exe
4948	explortu.exe
4988	chrome.exe
4988	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2244	66ee6cc528.exe
2172	chrome.exe
2244	66ee6cc528.exe
2172	chrome.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe
2244	66ee6cc528.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 456 wrote to memory of 4580	456	b604b2158ddfc79ff8941c60a750d9995283d3bd21437e9efe2bb65cc163e491.exe	77
PID 456 wrote to memory of 4580	456	b604b2158ddfc79ff8941c60a750d9995283d3bd21437e9efe2bb65cc163e491.exe	77
PID 456 wrote to memory of 4580	456	b604b2158ddfc79ff8941c60a750d9995283d3bd21437e9efe2bb65cc163e491.exe	77
PID 4580 wrote to memory of 3860	4580	explortu.exe	78
PID 4580 wrote to memory of 3860	4580	explortu.exe	78
PID 4580 wrote to memory of 3860	4580	explortu.exe	78
PID 4580 wrote to memory of 2780	4580	explortu.exe	79
PID 4580 wrote to memory of 2780	4580	explortu.exe	79
PID 4580 wrote to memory of 2780	4580	explortu.exe	79
PID 4580 wrote to memory of 2244	4580	explortu.exe	80
PID 4580 wrote to memory of 2244	4580	explortu.exe	80
PID 4580 wrote to memory of 2244	4580	explortu.exe	80
PID 2244 wrote to memory of 2172	2244	66ee6cc528.exe	81
PID 2244 wrote to memory of 2172	2244	66ee6cc528.exe	81
PID 2172 wrote to memory of 2396	2172	chrome.exe	84
PID 2172 wrote to memory of 2396	2172	chrome.exe	84
PID 2172 wrote to memory of 2860	2172	chrome.exe	85
PID 2172 wrote to memory of 2860	2172	chrome.exe	85
PID 2172 wrote to memory of 2860	2172	chrome.exe	85
PID 2172 wrote to memory of 2860	2172	chrome.exe	85
PID 2172 wrote to memory of 2860	2172	chrome.exe	85
PID 2172 wrote to memory of 2860	2172	chrome.exe	85
PID 2172 wrote to memory of 2860	2172	chrome.exe	85
PID 2172 wrote to memory of 2860	2172	chrome.exe	85
PID 2172 wrote to memory of 2860	2172	chrome.exe	85
PID 2172 wrote to memory of 2860	2172	chrome.exe	85
PID 2172 wrote to memory of 2860	2172	chrome.exe	85
PID 2172 wrote to memory of 2860	2172	chrome.exe	85
PID 2172 wrote to memory of 2860	2172	chrome.exe	85
PID 2172 wrote to memory of 2860	2172	chrome.exe	85
PID 2172 wrote to memory of 2860	2172	chrome.exe	85
PID 2172 wrote to memory of 2860	2172	chrome.exe	85
PID 2172 wrote to memory of 2860	2172	chrome.exe	85
PID 2172 wrote to memory of 2860	2172	chrome.exe	85
PID 2172 wrote to memory of 2860	2172	chrome.exe	85
PID 2172 wrote to memory of 2860	2172	chrome.exe	85
PID 2172 wrote to memory of 2860	2172	chrome.exe	85
PID 2172 wrote to memory of 2860	2172	chrome.exe	85
PID 2172 wrote to memory of 2860	2172	chrome.exe	85
PID 2172 wrote to memory of 2860	2172	chrome.exe	85
PID 2172 wrote to memory of 2860	2172	chrome.exe	85
PID 2172 wrote to memory of 2860	2172	chrome.exe	85
PID 2172 wrote to memory of 2860	2172	chrome.exe	85
PID 2172 wrote to memory of 2860	2172	chrome.exe	85
PID 2172 wrote to memory of 2860	2172	chrome.exe	85
PID 2172 wrote to memory of 2860	2172	chrome.exe	85
PID 2172 wrote to memory of 2860	2172	chrome.exe	85
PID 2172 wrote to memory of 2520	2172	chrome.exe	86
PID 2172 wrote to memory of 2520	2172	chrome.exe	86
PID 2172 wrote to memory of 1624	2172	chrome.exe	87
PID 2172 wrote to memory of 1624	2172	chrome.exe	87
PID 2172 wrote to memory of 1624	2172	chrome.exe	87
PID 2172 wrote to memory of 1624	2172	chrome.exe	87
PID 2172 wrote to memory of 1624	2172	chrome.exe	87
PID 2172 wrote to memory of 1624	2172	chrome.exe	87
PID 2172 wrote to memory of 1624	2172	chrome.exe	87
PID 2172 wrote to memory of 1624	2172	chrome.exe	87
PID 2172 wrote to memory of 1624	2172	chrome.exe	87
PID 2172 wrote to memory of 1624	2172	chrome.exe	87
PID 2172 wrote to memory of 1624	2172	chrome.exe	87
PID 2172 wrote to memory of 1624	2172	chrome.exe	87
PID 2172 wrote to memory of 1624	2172	chrome.exe	87
PID 2172 wrote to memory of 1624	2172	chrome.exe	87
PID 2172 wrote to memory of 1624	2172	chrome.exe	87

C:\Users\Admin\AppData\Local\Temp\b604b2158ddfc79ff8941c60a750d9995283d3bd21437e9efe2bb65cc163e491.exe
"C:\Users\Admin\AppData\Local\Temp\b604b2158ddfc79ff8941c60a750d9995283d3bd21437e9efe2bb65cc163e491.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:456
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4580
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:3860
- - C:\Users\Admin\AppData\Local\Temp\1000016001\ddc91ec69f.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\ddc91ec69f.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:2780
- - C:\Users\Admin\AppData\Local\Temp\1000017001\66ee6cc528.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\66ee6cc528.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2172
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa47e6ab58,0x7ffa47e6ab68,0x7ffa47e6ab78
        5⤵
        
        PID:2396
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1596 --field-trial-handle=1812,i,2340478987392849602,10577059237317723281,131072 /prefetch:2
        5⤵
        
        PID:2860
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1812,i,2340478987392849602,10577059237317723281,131072 /prefetch:8
        5⤵
        
        PID:2520
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2152 --field-trial-handle=1812,i,2340478987392849602,10577059237317723281,131072 /prefetch:8
        5⤵
        
        PID:1624
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2964 --field-trial-handle=1812,i,2340478987392849602,10577059237317723281,131072 /prefetch:1
        5⤵
        
        PID:1352
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2992 --field-trial-handle=1812,i,2340478987392849602,10577059237317723281,131072 /prefetch:1
        5⤵
        
        PID:248
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4152 --field-trial-handle=1812,i,2340478987392849602,10577059237317723281,131072 /prefetch:1
        5⤵
        
        PID:1444
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3132 --field-trial-handle=1812,i,2340478987392849602,10577059237317723281,131072 /prefetch:8
        5⤵
        
        PID:716
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3984 --field-trial-handle=1812,i,2340478987392849602,10577059237317723281,131072 /prefetch:8
        5⤵
        
        PID:232
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4596 --field-trial-handle=1812,i,2340478987392849602,10577059237317723281,131072 /prefetch:8
        5⤵
        
        PID:2636
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2700 --field-trial-handle=1812,i,2340478987392849602,10577059237317723281,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4988

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4476

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1044

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
d047ba6f70421afa2a83d4df0ca950e7

SHA1
80b8407a84c8cc18fe1e312ff3c0a7fcd6844f8a

SHA256
14e7968fc4745af6374097d27ba5e60c48b9d0629bc81ac8679267196e804269

SHA512
cfce6b5e9dc292187357db16a0eb50dbd1e944fd432ce1b39edca1108ce6a168a8875609211c9dabe65216bb602598310728e28b7fe34bdf06e7f1796e207ffe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
84e3f176b6cd17837a0d0256788fa895

SHA1
0f41c665f2f50151f79c8a7b7f63ed6d5a25846c

SHA256
f5b4a3474f5e66d425dea0a45e7d0b632a17fa7a619be6f12d2c0d8fe6537cf8

SHA512
cd1f632850736a396192416ad8d10d39c98c5855ef3b6b3f51f3e2c7a66e1db8c2ae9d6b8b03d6afba4e6e4ba2acaac58912eabfd1fd88eac2c242a9b954655b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
78e4d12bd863f6282c9a14205a5db004

SHA1
cd44f04263944ceb0aa8d4804a60561c53a2204a

SHA256
5959fcc62d291790eca10c71bae88480569db6da81b2f65d578db00d3d18aa10

SHA512
d6cd625c50853bfc4131d3861b99c1458bf8858634001a7f8f8b05c907bb6da273d5c3e4f99958044384bc6a8c896b807fd12ccacea7346ce9edd5e2cc7ed7d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
1d57ee547b62561913c140f01d1d3acd

SHA1
80f5243dec2ff4f9a4bbf541b1e74beefcae415c

SHA256
8e94d6ed7ac5376a272d795667daf36814181be46f039f48efa431066a53bb29

SHA512
4ce104343a71fa9c78d2e9a79a9df93b7dec730889e84f277f88828b050b966b244880cf7dc9705645cf86b8ce60abbc9dfb1ecd1f2160130b5b5e0ce7c2d85a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e4960eb19b660426ca27542f423ca319

SHA1
7876a61109c63851f580175939aa3b67e2db5eaa

SHA256
159677ea5b410ece3aa89c50b1705ea358fd5daea9fd877aa4f414e67f8c8d5a

SHA512
add70a106db845f59d138888458d6a1f6e8b87716ca6827ebcba2ddf8bc67f05e74f9f9afa9f0c99ae3d46154b5d8b073dcec5dd7c7d39a23862432f08aa94c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
5e972339712040ac8df1e5e962ef9c37

SHA1
f4c74a88fa4fc486b50551a66842dee412275491

SHA256
6939720db177251d65f402b544ee03e53f2e62ac4ee6fd70cb1c0e2fa83dec90

SHA512
eed4607c9c805211cb67789b25a47ff3b0b7f281cf93a046eba0765bf1682f7bb8f69d90780a6bc1974d2e867653799f517b47c37c7539bb9d4c8f71190d2c37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
280KB

MD5
71c22d9d403e1819837123d082ebe93c

SHA1
9e2032dcda98e447f46ba0bcac8b06bc341f2bb8

SHA256
146542141b0658fd14b5600cee527c69824c2693fc0936488a6db9a0237b3666

SHA512
8cf584993969124d387a7f8598f224331e1e3fa3ab0da073d0d3baa2e1428e995fcb25f6dfa25262baff93eb5b691b067c19c75569d8820037df964d360bc807

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\ddc91ec69f.exe

Filesize
2.3MB

MD5
64468eae17c3452d9b97ead97cb91e1c

SHA1
9fc64c304486d27b628801a2fabace7d35e5179b

SHA256
531685613d125dd26a39d130b68462cff67e918bbd3e5a3db99b39ef5239818d

SHA512
f0a0009d1b9117d4fa49d7cbb45e525fb6a971672bcd33a3f6bc25f7fafecbdb2a66233ac7dfec413c7f57b4c67c1a7dabc0719b33de220e6ab241ec501e2af1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\66ee6cc528.exe

Filesize
2.3MB

MD5
055ea0c584ab2311b5d10f3a746413ec

SHA1
d4ae0286f19af5bc60673a966e57f98d2e27c51c

SHA256
1a62b69d206393f20a690db53214a951c1ce24083103f9325f11181f8c3fa6f1

SHA512
197c74df6aa2af102b95771c04aad47c6cc30a8f8d465dcc7889afd118d8343deec5e56eeba15767e317242f336f4ee82ce3ad0be8e4dcdf3987d64bf9221900

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
7ade5c92fd89c372bd91584275c30894

SHA1
20fb933cf095d821190c488962e16318fc484917

SHA256
b604b2158ddfc79ff8941c60a750d9995283d3bd21437e9efe2bb65cc163e491

SHA512
1c9c90ff3febf6de92db54474f799f30c8ec9f97e2e4a5ac4bc6dd8977f7aa9c879442d9171d70754a5653702a00f9fb8bebe09f61462dd4642f993f05caf1c0

Download Submit
memory/456-0-0x0000000000290000-0x0000000000744000-memory.dmp

Filesize
4.7MB

Download
memory/456-17-0x0000000000290000-0x0000000000744000-memory.dmp

Filesize
4.7MB

Download
memory/456-5-0x0000000000290000-0x0000000000744000-memory.dmp

Filesize
4.7MB

Download
memory/456-3-0x0000000000290000-0x0000000000744000-memory.dmp

Filesize
4.7MB

Download
memory/456-2-0x0000000000291000-0x00000000002BF000-memory.dmp

Filesize
184KB

Download
memory/456-1-0x0000000077736000-0x0000000077738000-memory.dmp

Filesize
8KB

Download
memory/1044-156-0x0000000000C40000-0x00000000010F4000-memory.dmp

Filesize
4.7MB

Download
memory/1044-157-0x0000000000C40000-0x00000000010F4000-memory.dmp

Filesize
4.7MB

Download
memory/2244-143-0x00000000005F0000-0x0000000000B4A000-memory.dmp

Filesize
5.4MB

Download
memory/2244-60-0x00000000005F0000-0x0000000000B4A000-memory.dmp

Filesize
5.4MB

Download
memory/2244-152-0x00000000005F0000-0x0000000000B4A000-memory.dmp

Filesize
5.4MB

Download
memory/2244-151-0x00000000005F0000-0x0000000000B4A000-memory.dmp

Filesize
5.4MB

Download
memory/2244-114-0x00000000005F0000-0x0000000000B4A000-memory.dmp

Filesize
5.4MB

Download
memory/2780-197-0x00000000001F0000-0x00000000007D8000-memory.dmp

Filesize
5.9MB

Download
memory/2780-219-0x00000000001F0000-0x00000000007D8000-memory.dmp

Filesize
5.9MB

Download
memory/2780-142-0x00000000001F0000-0x00000000007D8000-memory.dmp

Filesize
5.9MB

Download
memory/2780-144-0x00000000001F0000-0x00000000007D8000-memory.dmp

Filesize
5.9MB

Download
memory/2780-201-0x00000000001F0000-0x00000000007D8000-memory.dmp

Filesize
5.9MB

Download
memory/2780-42-0x00000000001F0000-0x00000000007D8000-memory.dmp

Filesize
5.9MB

Download
memory/2780-208-0x00000000001F0000-0x00000000007D8000-memory.dmp

Filesize
5.9MB

Download
memory/2780-199-0x00000000001F0000-0x00000000007D8000-memory.dmp

Filesize
5.9MB

Download
memory/2780-113-0x00000000001F0000-0x00000000007D8000-memory.dmp

Filesize
5.9MB

Download
memory/2780-153-0x00000000001F0000-0x00000000007D8000-memory.dmp

Filesize
5.9MB

Download
memory/2780-192-0x00000000001F0000-0x00000000007D8000-memory.dmp

Filesize
5.9MB

Download
memory/2780-190-0x00000000001F0000-0x00000000007D8000-memory.dmp

Filesize
5.9MB

Download
memory/2780-174-0x00000000001F0000-0x00000000007D8000-memory.dmp

Filesize
5.9MB

Download
memory/2780-158-0x00000000001F0000-0x00000000007D8000-memory.dmp

Filesize
5.9MB

Download
memory/2780-171-0x00000000001F0000-0x00000000007D8000-memory.dmp

Filesize
5.9MB

Download
memory/2780-169-0x00000000001F0000-0x00000000007D8000-memory.dmp

Filesize
5.9MB

Download
memory/4580-170-0x0000000000C40000-0x00000000010F4000-memory.dmp

Filesize
4.7MB

Download
memory/4580-140-0x0000000000C40000-0x00000000010F4000-memory.dmp

Filesize
4.7MB

Download
memory/4580-173-0x0000000000C40000-0x00000000010F4000-memory.dmp

Filesize
4.7MB

Download
memory/4580-20-0x0000000000C40000-0x00000000010F4000-memory.dmp

Filesize
4.7MB

Download
memory/4580-19-0x0000000000C41000-0x0000000000C6F000-memory.dmp

Filesize
184KB

Download
memory/4580-189-0x0000000000C40000-0x00000000010F4000-memory.dmp

Filesize
4.7MB

Download
memory/4580-21-0x0000000000C40000-0x00000000010F4000-memory.dmp

Filesize
4.7MB

Download
memory/4580-191-0x0000000000C40000-0x00000000010F4000-memory.dmp

Filesize
4.7MB

Download
memory/4580-154-0x0000000000C40000-0x00000000010F4000-memory.dmp

Filesize
4.7MB

Download
memory/4580-193-0x0000000000C40000-0x00000000010F4000-memory.dmp

Filesize
4.7MB

Download
memory/4580-132-0x0000000000C40000-0x00000000010F4000-memory.dmp

Filesize
4.7MB

Download
memory/4580-218-0x0000000000C40000-0x00000000010F4000-memory.dmp

Filesize
4.7MB

Download
memory/4580-150-0x0000000000C40000-0x00000000010F4000-memory.dmp

Filesize
4.7MB

Download
memory/4580-198-0x0000000000C40000-0x00000000010F4000-memory.dmp

Filesize
4.7MB

Download
memory/4580-141-0x0000000000C40000-0x00000000010F4000-memory.dmp

Filesize
4.7MB

Download
memory/4580-200-0x0000000000C40000-0x00000000010F4000-memory.dmp

Filesize
4.7MB

Download
memory/4580-168-0x0000000000C40000-0x00000000010F4000-memory.dmp

Filesize
4.7MB

Download
memory/4580-207-0x0000000000C40000-0x00000000010F4000-memory.dmp

Filesize
4.7MB

Download
memory/4580-112-0x0000000000C40000-0x00000000010F4000-memory.dmp

Filesize
4.7MB

Download
memory/4580-18-0x0000000000C40000-0x00000000010F4000-memory.dmp

Filesize
4.7MB

Download
memory/4948-196-0x0000000000C40000-0x00000000010F4000-memory.dmp

Filesize
4.7MB

Download
memory/4948-195-0x0000000000C40000-0x00000000010F4000-memory.dmp

Filesize
4.7MB

Download