amadey | 89eedaa02bfda710941cf1dc242764b252c2cc37c080a4101e993d0cc8435693

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
24-06-2024 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89eedaa02bfda710941cf1dc242764b252c2cc37c080a4101e993d0cc8435693.exe
Size

1.8MB
MD5

d5675004f66f1f0683b70e9f41118e1f
SHA1

7ca058539597fa0e7f5cdc3bfa89a556936e0fe6
SHA256

89eedaa02bfda710941cf1dc242764b252c2cc37c080a4101e993d0cc8435693
SHA512

14ec30031485b4442d6bb78d88c6727a1875bec138a009a79eace243115723381e109090e30052fb4c33f0c11988354d5316648acff74960817cb2747c8d9af6
SSDEEP

24576:h7fumCF5cQXNypB81UTZDG7nJ+o1H1X2tE0fMFgEjCQqQzYRnX8OtHhW9SR7bzl:hqF60NypqUlzo11iLMXjKRPW9SR7H

Score

10^/10

amadey risepro 0e6740 evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

risepro

77.91.77.66:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0fec6f8941.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1c92fc55c6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	89eedaa02bfda710941cf1dc242764b252c2cc37c080a4101e993d0cc8435693.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	89eedaa02bfda710941cf1dc242764b252c2cc37c080a4101e993d0cc8435693.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0fec6f8941.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1c92fc55c6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	89eedaa02bfda710941cf1dc242764b252c2cc37c080a4101e993d0cc8435693.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0fec6f8941.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1c92fc55c6.exe

Executes dropped EXE 5 IoCs

pid	Process
4580	explortu.exe
3332	0fec6f8941.exe
3432	1c92fc55c6.exe
4472	explortu.exe
4616	explortu.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	89eedaa02bfda710941cf1dc242764b252c2cc37c080a4101e993d0cc8435693.exe
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	0fec6f8941.exe
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	1c92fc55c6.exe
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	explortu.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\0fec6f8941.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\0fec6f8941.exe"	explortu.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3432-115-0x0000000000560000-0x0000000000AA9000-memory.dmp	autoit_exe
behavioral2/memory/3432-143-0x0000000000560000-0x0000000000AA9000-memory.dmp	autoit_exe
behavioral2/memory/3432-150-0x0000000000560000-0x0000000000AA9000-memory.dmp	autoit_exe
behavioral2/memory/3432-152-0x0000000000560000-0x0000000000AA9000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
1664	89eedaa02bfda710941cf1dc242764b252c2cc37c080a4101e993d0cc8435693.exe
4580	explortu.exe
3332	0fec6f8941.exe
3432	1c92fc55c6.exe
4472	explortu.exe
4616	explortu.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	89eedaa02bfda710941cf1dc242764b252c2cc37c080a4101e993d0cc8435693.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133637163241134627"	chrome.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1664	89eedaa02bfda710941cf1dc242764b252c2cc37c080a4101e993d0cc8435693.exe
1664	89eedaa02bfda710941cf1dc242764b252c2cc37c080a4101e993d0cc8435693.exe
4580	explortu.exe
4580	explortu.exe
3332	0fec6f8941.exe
3332	0fec6f8941.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
5104	chrome.exe
5104	chrome.exe
4472	explortu.exe
4472	explortu.exe
4616	explortu.exe
4616	explortu.exe
4732	chrome.exe
4732	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1664	89eedaa02bfda710941cf1dc242764b252c2cc37c080a4101e993d0cc8435693.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
5104	chrome.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe
3432	1c92fc55c6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 4580	1664	89eedaa02bfda710941cf1dc242764b252c2cc37c080a4101e993d0cc8435693.exe	77
PID 1664 wrote to memory of 4580	1664	89eedaa02bfda710941cf1dc242764b252c2cc37c080a4101e993d0cc8435693.exe	77
PID 1664 wrote to memory of 4580	1664	89eedaa02bfda710941cf1dc242764b252c2cc37c080a4101e993d0cc8435693.exe	77
PID 4580 wrote to memory of 3636	4580	explortu.exe	78
PID 4580 wrote to memory of 3636	4580	explortu.exe	78
PID 4580 wrote to memory of 3636	4580	explortu.exe	78
PID 4580 wrote to memory of 3332	4580	explortu.exe	79
PID 4580 wrote to memory of 3332	4580	explortu.exe	79
PID 4580 wrote to memory of 3332	4580	explortu.exe	79
PID 4580 wrote to memory of 3432	4580	explortu.exe	80
PID 4580 wrote to memory of 3432	4580	explortu.exe	80
PID 4580 wrote to memory of 3432	4580	explortu.exe	80
PID 3432 wrote to memory of 5104	3432	1c92fc55c6.exe	81
PID 3432 wrote to memory of 5104	3432	1c92fc55c6.exe	81
PID 5104 wrote to memory of 1992	5104	chrome.exe	84
PID 5104 wrote to memory of 1992	5104	chrome.exe	84
PID 5104 wrote to memory of 3444	5104	chrome.exe	85
PID 5104 wrote to memory of 3444	5104	chrome.exe	85
PID 5104 wrote to memory of 3444	5104	chrome.exe	85
PID 5104 wrote to memory of 3444	5104	chrome.exe	85
PID 5104 wrote to memory of 3444	5104	chrome.exe	85
PID 5104 wrote to memory of 3444	5104	chrome.exe	85
PID 5104 wrote to memory of 3444	5104	chrome.exe	85
PID 5104 wrote to memory of 3444	5104	chrome.exe	85
PID 5104 wrote to memory of 3444	5104	chrome.exe	85
PID 5104 wrote to memory of 3444	5104	chrome.exe	85
PID 5104 wrote to memory of 3444	5104	chrome.exe	85
PID 5104 wrote to memory of 3444	5104	chrome.exe	85
PID 5104 wrote to memory of 3444	5104	chrome.exe	85
PID 5104 wrote to memory of 3444	5104	chrome.exe	85
PID 5104 wrote to memory of 3444	5104	chrome.exe	85
PID 5104 wrote to memory of 3444	5104	chrome.exe	85
PID 5104 wrote to memory of 3444	5104	chrome.exe	85
PID 5104 wrote to memory of 3444	5104	chrome.exe	85
PID 5104 wrote to memory of 3444	5104	chrome.exe	85
PID 5104 wrote to memory of 3444	5104	chrome.exe	85
PID 5104 wrote to memory of 3444	5104	chrome.exe	85
PID 5104 wrote to memory of 3444	5104	chrome.exe	85
PID 5104 wrote to memory of 3444	5104	chrome.exe	85
PID 5104 wrote to memory of 3444	5104	chrome.exe	85
PID 5104 wrote to memory of 3444	5104	chrome.exe	85
PID 5104 wrote to memory of 3444	5104	chrome.exe	85
PID 5104 wrote to memory of 3444	5104	chrome.exe	85
PID 5104 wrote to memory of 3444	5104	chrome.exe	85
PID 5104 wrote to memory of 3444	5104	chrome.exe	85
PID 5104 wrote to memory of 3444	5104	chrome.exe	85
PID 5104 wrote to memory of 3444	5104	chrome.exe	85
PID 5104 wrote to memory of 4716	5104	chrome.exe	86
PID 5104 wrote to memory of 4716	5104	chrome.exe	86
PID 5104 wrote to memory of 4788	5104	chrome.exe	87
PID 5104 wrote to memory of 4788	5104	chrome.exe	87
PID 5104 wrote to memory of 4788	5104	chrome.exe	87
PID 5104 wrote to memory of 4788	5104	chrome.exe	87
PID 5104 wrote to memory of 4788	5104	chrome.exe	87
PID 5104 wrote to memory of 4788	5104	chrome.exe	87
PID 5104 wrote to memory of 4788	5104	chrome.exe	87
PID 5104 wrote to memory of 4788	5104	chrome.exe	87
PID 5104 wrote to memory of 4788	5104	chrome.exe	87
PID 5104 wrote to memory of 4788	5104	chrome.exe	87
PID 5104 wrote to memory of 4788	5104	chrome.exe	87
PID 5104 wrote to memory of 4788	5104	chrome.exe	87
PID 5104 wrote to memory of 4788	5104	chrome.exe	87
PID 5104 wrote to memory of 4788	5104	chrome.exe	87
PID 5104 wrote to memory of 4788	5104	chrome.exe	87

C:\Users\Admin\AppData\Local\Temp\89eedaa02bfda710941cf1dc242764b252c2cc37c080a4101e993d0cc8435693.exe
"C:\Users\Admin\AppData\Local\Temp\89eedaa02bfda710941cf1dc242764b252c2cc37c080a4101e993d0cc8435693.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4580
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:3636
- - C:\Users\Admin\AppData\Local\Temp\1000016001\0fec6f8941.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\0fec6f8941.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:3332
- - C:\Users\Admin\AppData\Local\Temp\1000017001\1c92fc55c6.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\1c92fc55c6.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3432
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:5104
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa36ccab58,0x7ffa36ccab68,0x7ffa36ccab78
        5⤵
        
        PID:1992
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1792,i,10239945995744341974,16816121127419585761,131072 /prefetch:2
        5⤵
        
        PID:3444
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1792,i,10239945995744341974,16816121127419585761,131072 /prefetch:8
        5⤵
        
        PID:4716
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2152 --field-trial-handle=1792,i,10239945995744341974,16816121127419585761,131072 /prefetch:8
        5⤵
        
        PID:4788
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1792,i,10239945995744341974,16816121127419585761,131072 /prefetch:1
        5⤵
        
        PID:3492
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3112 --field-trial-handle=1792,i,10239945995744341974,16816121127419585761,131072 /prefetch:1
        5⤵
        
        PID:248
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4240 --field-trial-handle=1792,i,10239945995744341974,16816121127419585761,131072 /prefetch:1
        5⤵
        
        PID:3080
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4528 --field-trial-handle=1792,i,10239945995744341974,16816121127419585761,131072 /prefetch:8
        5⤵
        
        PID:5108
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4508 --field-trial-handle=1792,i,10239945995744341974,16816121127419585761,131072 /prefetch:8
        5⤵
        
        PID:4884
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4368 --field-trial-handle=1792,i,10239945995744341974,16816121127419585761,131072 /prefetch:8
        5⤵
        
        PID:1968
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 --field-trial-handle=1792,i,10239945995744341974,16816121127419585761,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4732

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1764

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4472

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
ce0d2ab5caca231813234ae19799a986

SHA1
87b62ade1fd9fd8b4581c9cc4f8302d9505f6558

SHA256
ba982e038f4be25243a5e7c91282aa1841e610366955b83af732bc4b7482584f

SHA512
e9a34d795a08b39e15bb35ec75311017c8d179af0dc6819e01619de7b56d0b7a5733d898340ca384b05f0da1c639e11dc0adb4ff7d19ea32d14d7e05c7ce0d9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
4ea9d2c87f915b2fc5204f343b255c75

SHA1
0f5671ad4ab834c821a1b651b8c67cf4f7b0e182

SHA256
57731e9ade7677e7e8698d9e6c373d472b387e8186939d23b53f841d334389b4

SHA512
60624f8af5d73a5cbaebe375c5d25406864dc2637c966ba074911cabc786a4fec79a99b8ce8da30076764a7d14f0e22975026918b71eafe934419e6f059cd87c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
5c7bfc3af68f9b3f3866af35344d42d8

SHA1
cde926b73ba79b8a2259e17f64694cec310e9f57

SHA256
2b97033e882a5eeb835195672630625e0818500fa75dc55b00a9a83fe99a5f82

SHA512
49aa2358f035d8e12638232b683851c873b0419585c3c21d1c0057ed8d4b6fc8a108a18f499a34e53a01933887796820b8ea91fd088a3c9895a6a213036dc5f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
625e92f73a73ba7b857e237adf74807e

SHA1
1392cb20f1e658239a0bf44882e8b1fbc4ca15cf

SHA256
5220a661a0f14e91839e205e0cfbbe3f888b6becd3d09b7ff56b0219758463eb

SHA512
d87bae96bea0eb51d4e3379436a380a3cc29c4c63c7f2f4461c772fc55d241d89228955db11f39d44d259d346c5c6b8488224dd34bf8d26f89eb67c235231e94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
5d9cd6c5604707728d3edf64ae65adec

SHA1
61485d62dee53b23008729219145515dcd0016be

SHA256
3a82826831552774890391e9069c6e40a348d570f16d5c5028fffd5fdce20b9e

SHA512
170b04287f1e39fb47c50c7e9656c5745353cbf694f938ab0cbb4d2b63e864e8610ddb11360b6ab976668e63c74b8a2277521290fb1131ed94e65de09cc4320a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
83677b5ebe9ebc018c940fccc2e503d8

SHA1
a1698c630c2969e653b817e1dae1d1989f857c41

SHA256
1c48ff952b9626a4cef58e6afeebcd58f4bc07b7973f023ff5c81c58181e0f48

SHA512
f685dae982465bf9d84e94c2afb286944f7ccbeff96f7ba5fd0b69474b21b4f910d4fb786d8982246bedf6feb737fbf1766bb9a2025193af7c37f1576f4b6fd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
280KB

MD5
d405fafc9058f1dcf83f415c6a21ac6a

SHA1
9181bb6c32592743463758675c50bb68c4e89438

SHA256
ebf83833944af00d54ee1b21b3ac2a4e11d8e8c8442e942d45d7c20cb48d5ff6

SHA512
e278cc7d8bc6ab20031c6aa93fafccb6acf0d5f01658c90bfb21408ef8f389fafc49fc5cf473a77ca784deb10d046e47617f2a6305d7fce365c468e1c50e104b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\0fec6f8941.exe

Filesize
2.3MB

MD5
6e9d5a1594638480b93db2644fe2bf41

SHA1
1aca8188cfdf58fc651341a1110f67aaefe1b825

SHA256
a513535772abdd51c85975a50aebe17c0e6557ff552f969324eaa7859a84d03a

SHA512
52accdf3556339b4bd7fc999a6b3334fdff75b0b5156ac45bd3cb94ae2e0c08cd3adabc48844be865047276e5ab0f609e89828168697a4cefeaf05b0d496dfb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\1c92fc55c6.exe

Filesize
2.2MB

MD5
61a637c9dd2d811f773e153bb49163d7

SHA1
2abc9637e9430c1c35ed3e1f2c0e3af7e5b031d6

SHA256
5aab6712f0de438478e9cf6f2660f975b8d48d1fe5a83fd386daf5afcf624118

SHA512
4447f2d369402f71bc575d4ea2faa10a485a62b49a4cc953732f2863ed8948440cbd065b5268b36cc780d67d54a81fc97ba20000c7fd64a8956f45beecd2f9c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
d5675004f66f1f0683b70e9f41118e1f

SHA1
7ca058539597fa0e7f5cdc3bfa89a556936e0fe6

SHA256
89eedaa02bfda710941cf1dc242764b252c2cc37c080a4101e993d0cc8435693

SHA512
14ec30031485b4442d6bb78d88c6727a1875bec138a009a79eace243115723381e109090e30052fb4c33f0c11988354d5316648acff74960817cb2747c8d9af6

Download Submit
memory/1664-5-0x0000000000F80000-0x0000000001426000-memory.dmp

Filesize
4.6MB

Download
memory/1664-0-0x0000000000F80000-0x0000000001426000-memory.dmp

Filesize
4.6MB

Download
memory/1664-17-0x0000000000F80000-0x0000000001426000-memory.dmp

Filesize
4.6MB

Download
memory/1664-3-0x0000000000F80000-0x0000000001426000-memory.dmp

Filesize
4.6MB

Download
memory/1664-2-0x0000000000F81000-0x0000000000FAF000-memory.dmp

Filesize
184KB

Download
memory/1664-1-0x0000000077736000-0x0000000077738000-memory.dmp

Filesize
8KB

Download
memory/3332-190-0x0000000000090000-0x000000000068C000-memory.dmp

Filesize
6.0MB

Download
memory/3332-200-0x0000000000090000-0x000000000068C000-memory.dmp

Filesize
6.0MB

Download
memory/3332-169-0x0000000000090000-0x000000000068C000-memory.dmp

Filesize
6.0MB

Download
memory/3332-113-0x0000000000090000-0x000000000068C000-memory.dmp

Filesize
6.0MB

Download
memory/3332-220-0x0000000000090000-0x000000000068C000-memory.dmp

Filesize
6.0MB

Download
memory/3332-174-0x0000000000090000-0x000000000068C000-memory.dmp

Filesize
6.0MB

Download
memory/3332-209-0x0000000000090000-0x000000000068C000-memory.dmp

Filesize
6.0MB

Download
memory/3332-202-0x0000000000090000-0x000000000068C000-memory.dmp

Filesize
6.0MB

Download
memory/3332-42-0x0000000000090000-0x000000000068C000-memory.dmp

Filesize
6.0MB

Download
memory/3332-142-0x0000000000090000-0x000000000068C000-memory.dmp

Filesize
6.0MB

Download
memory/3332-155-0x0000000000090000-0x000000000068C000-memory.dmp

Filesize
6.0MB

Download
memory/3332-171-0x0000000000090000-0x000000000068C000-memory.dmp

Filesize
6.0MB

Download
memory/3332-194-0x0000000000090000-0x000000000068C000-memory.dmp

Filesize
6.0MB

Download
memory/3332-192-0x0000000000090000-0x000000000068C000-memory.dmp

Filesize
6.0MB

Download
memory/3332-153-0x0000000000090000-0x000000000068C000-memory.dmp

Filesize
6.0MB

Download
memory/3432-152-0x0000000000560000-0x0000000000AA9000-memory.dmp

Filesize
5.3MB

Download
memory/3432-150-0x0000000000560000-0x0000000000AA9000-memory.dmp

Filesize
5.3MB

Download
memory/3432-143-0x0000000000560000-0x0000000000AA9000-memory.dmp

Filesize
5.3MB

Download
memory/3432-60-0x0000000000560000-0x0000000000AA9000-memory.dmp

Filesize
5.3MB

Download
memory/3432-115-0x0000000000560000-0x0000000000AA9000-memory.dmp

Filesize
5.3MB

Download
memory/4472-166-0x00000000007F0000-0x0000000000C96000-memory.dmp

Filesize
4.6MB

Download
memory/4472-167-0x00000000007F0000-0x0000000000C96000-memory.dmp

Filesize
4.6MB

Download
memory/4580-21-0x00000000007F0000-0x0000000000C96000-memory.dmp

Filesize
4.6MB

Download
memory/4580-134-0x00000000007F0000-0x0000000000C96000-memory.dmp

Filesize
4.6MB

Download
memory/4580-173-0x00000000007F0000-0x0000000000C96000-memory.dmp

Filesize
4.6MB

Download
memory/4580-168-0x00000000007F0000-0x0000000000C96000-memory.dmp

Filesize
4.6MB

Download
memory/4580-20-0x00000000007F0000-0x0000000000C96000-memory.dmp

Filesize
4.6MB

Download
memory/4580-189-0x00000000007F0000-0x0000000000C96000-memory.dmp

Filesize
4.6MB

Download
memory/4580-19-0x00000000007F1000-0x000000000081F000-memory.dmp

Filesize
184KB

Download
memory/4580-191-0x00000000007F0000-0x0000000000C96000-memory.dmp

Filesize
4.6MB

Download
memory/4580-154-0x00000000007F0000-0x0000000000C96000-memory.dmp

Filesize
4.6MB

Download
memory/4580-193-0x00000000007F0000-0x0000000000C96000-memory.dmp

Filesize
4.6MB

Download
memory/4580-149-0x00000000007F0000-0x0000000000C96000-memory.dmp

Filesize
4.6MB

Download
memory/4580-107-0x00000000007F0000-0x0000000000C96000-memory.dmp

Filesize
4.6MB

Download
memory/4580-219-0x00000000007F0000-0x0000000000C96000-memory.dmp

Filesize
4.6MB

Download
memory/4580-199-0x00000000007F0000-0x0000000000C96000-memory.dmp

Filesize
4.6MB

Download
memory/4580-114-0x00000000007F0000-0x0000000000C96000-memory.dmp

Filesize
4.6MB

Download
memory/4580-201-0x00000000007F0000-0x0000000000C96000-memory.dmp

Filesize
4.6MB

Download
memory/4580-170-0x00000000007F0000-0x0000000000C96000-memory.dmp

Filesize
4.6MB

Download
memory/4580-208-0x00000000007F0000-0x0000000000C96000-memory.dmp

Filesize
4.6MB

Download
memory/4580-133-0x00000000007F0000-0x0000000000C96000-memory.dmp

Filesize
4.6MB

Download
memory/4580-18-0x00000000007F0000-0x0000000000C96000-memory.dmp

Filesize
4.6MB

Download
memory/4616-198-0x00000000007F0000-0x0000000000C96000-memory.dmp

Filesize
4.6MB

Download
memory/4616-196-0x00000000007F0000-0x0000000000C96000-memory.dmp

Filesize
4.6MB

Download